Hi all,
I am trying to set up a cluster for yubikey OTP validation using radius. I followed this:
https://developers.yubico.com/yubikey-v ... ation.html
Now, I have two servers with two YubiHSMs which are in the same pool. Here is my ykval-config.php on both:
Code:
<?php
$baseParams = array ();
// Database used by the validation server.
$baseParams['__YKVAL_DB_DSN__'] = "mysql:dbname=ykval;host=127.0.0.1";
$baseParams['__YKVAL_DB_USER__'] = 'ykval_verifier';
$baseParams['__YKVAL_DB_PW__'] = 'Pa$$W0RD';
$baseParams['__YKVAL_DB_OPTIONS__'] = array();
// Hosts allowed to trigger a resync.
$baseParams['__YKRESYNC_IPS__'] = array("192.168.1.12", "192.168.1.20");
// Sync endpoints of the pool members and the addresses allowed to send sync requests.
$baseParams['__YKVAL_SYNC_POOL__'] = array("http://first-yk-server.local/wsapi/2.0/sync", "http://second-yk-server.local/wsapi/2.0/sync");
$baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] = array("192.168.1.12", "192.168.1.20");
// Sync timing and sync-level settings.
$baseParams['__YKVAL_SYNC_INTERVAL__'] = 10;
$baseParams['__YKVAL_SYNC_RESYNC_TIMEOUT__'] = 30;
$baseParams['__YKVAL_SYNC_OLD_LIMIT__'] = 10;
$baseParams['__YKVAL_SYNC_FAST_LEVEL__'] = 1;
$baseParams['__YKVAL_SYNC_SECURE_LEVEL__'] = 40;
$baseParams['__YKVAL_SYNC_DEFAULT_LEVEL__'] = 30;
$baseParams['__YKVAL_SYNC_DEFAULT_TIMEOUT__'] = 1;
// KSM endpoint(s) used to decrypt an OTP; here a single local KSM.
function otp2ksmurls ($otp, $client) {
return array(
"http://127.0.0.1:8002/wsapi/decrypt?otp=$otp",
);
}
?>
This is what happens if I fire up ykval-queue:
Code:
# ykval-queue
PHP Notice: Undefined index: in /usr/share/yubikey-val/ykval-synclib.php on line 332
PHP Notice: Undefined offset: 1 in /usr/share/yubikey-val/ykval-synclib.php on line 589
PHP Notice: Undefined index: local_counter in /usr/share/yubikey-val/ykval-synclib.php on line 592
PHP Notice: Undefined index: local_use in /usr/share/yubikey-val/ykval-synclib.php on line 593
PHP Notice: Undefined index: yk_publicname in /usr/share/yubikey-val/ykval-synclib.php on line 355
PHP Notice: Undefined index: modified in /usr/share/yubikey-val/ykval-synclib.php on line 156
PHP Notice: Undefined index: nonce in /usr/share/yubikey-val/ykval-synclib.php on line 157
PHP Notice: Undefined index: yk_publicname in /usr/share/yubikey-val/ykval-synclib.php on line 158
PHP Notice: Undefined index: yk_high in /usr/share/yubikey-val/ykval-synclib.php on line 161
PHP Notice: Undefined index: yk_low in /usr/share/yubikey-val/ykval-synclib.php on line 162
PHP Notice: Undefined index: yk_counter in /usr/share/yubikey-val/ykval-synclib.php on line 271
PHP Notice: Undefined index: yk_counter in /usr/share/yubikey-val/ykval-synclib.php on line 249
PHP Notice: Undefined index: in /usr/share/yubikey-val/ykval-synclib.php on line 424
And this:
Code:
PHP Notice: Undefined index: �U� in /usr/share/yubikey-val/ykval-synclib.php on line 332
PHP Notice: Undefined offset: 1 in /usr/share/yubikey-val/ykval-synclib.php on line 589
PHP Notice: Undefined index: local_counter in /usr/share/yubikey-val/ykval-synclib.php on line 592
PHP Notice: Undefined index: local_use in /usr/share/yubikey-val/ykval-synclib.php on line 593
PHP Notice: Undefined index: yk_publicname in /usr/share/yubikey-val/ykval-synclib.php on line 355
PHP Notice: Undefined index: modified in /usr/share/yubikey-val/ykval-synclib.php on line 156
PHP Notice: Undefined index: nonce in /usr/share/yubikey-val/ykval-synclib.php on line 157
PHP Notice: Undefined index: yk_publicname in /usr/share/yubikey-val/ykval-synclib.php on line 158
PHP Notice: Undefined index: yk_high in /usr/share/yubikey-val/ykval-synclib.php on line 161
PHP Notice: Undefined index: yk_low in /usr/share/yubikey-val/ykval-synclib.php on line 162
PHP Notice: Undefined index: yk_counter in /usr/share/yubikey-val/ykval-synclib.php on line 271
PHP Notice: Undefined index: yk_counter in /usr/share/yubikey-val/ykval-synclib.php on line 249
PHP Notice: Undefined index: �U� in /usr/share/yubikey-val/ykval-synclib.php on line 424
PHP Warning: curl_close() expects parameter 1 to be resource, array given in /usr/share/yubikey-val/ykval-synclib.php on line 447
Some strange unicode characters are appearing here.
And I noticed a bogus entry in the DB which is probably causing all this:
Code:
mysql> SELECT * from yubikeys WHERE yk_publicname = "";
+--------+------------+----------+---------------+------------+--------+--------+---------+------------------+-------+
| active | created | modified | yk_publicname | yk_counter | yk_use | yk_low | yk_high | nonce | notes |
+--------+------------+----------+---------------+------------+--------+--------+---------+------------------+-------+
| 1 | 1461087547 | -1 | | -1 | -1 | -1 | -1 | 0000000000000000 | |
+--------+------------+----------+---------------+------------+--------+--------+---------+------------------+-------+
1 row in set (0.00 sec)
I can delete it but it comes back as long as ykval-queue is running.
Finally, here is my /var/log/messages on the host that has problems (second-yk-server.local in my config):
Code:
LOG_INFO:ykval-queue:synclib:server=http://first-yk-server.local/wsapi/2.0/sync, server_nonce=<SERVER_NONCE_HERE>, info=yk_publicname=cccccc<6morechars>&yk_counter=50&yk_use=0&yk_high=169&yk_low=788&nonce=<NONCE_HERE>,local_counter=49&local_use=0
LOG_INFO:ykval-queue:synclib:database not updated modified=1461087576 nonce=<NONCE_HERE> yk_publicname=cccccc<6morechars> yk_counter=52 yk_use=0 yk_high=188 yk_low=11100
LOG_NOTICE:ykval-queue:synclib:Discovered new identity
LOG_NOTICE:ykval-queue:synclib:params for yk_publicname not found in database
LOG_NOTICE:ykval-queue:synclib:Local server out of sync compared to counters at validation request time.
LOG_WARNING:ykval-queue:synclib:Local server out of sync compared to current local counters. Local server updated.
LOG_ERR:ykval-queue:synclib:Remote server has higher counters than OTP. This response would have marked the OTP as invalid.
I had to censor my nonce/yk_publicname.
Anyway, does anyone know what is causing this, and what can I do to debug this further?
I tried dropping the yubikeys and queue tables, but the same problem appears again. Here is my queue table on the second server:
Code:
mysql> select * from queue;
+--------+------------+----------------------------------+----------------------------------------------+---------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
| queued | modified | server_nonce | otp | server | info |
+--------+------------+----------------------------------+----------------------------------------------+---------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
| NULL | 1461087545 | 7e259894650a75f053b41df688c674ad | cccccc<THE_REST_OF_OTP> | http://first-yk-server.local/wsapi/2.0/sync | yk_publicname=cccccc<6morechars>&yk_counter=50&yk_use=0&yk_high=169&yk_low=788&nonce=<NONCE>,local_counter=49&local_use=0 |
| NULL | 1461087571 | 37b4701d86ef6c66d5e0ff6ad6288a13 | cccccc<THE_REST_OF_OTP> | http://first-yk-server.local/wsapi/2.0/sync | yk_publicname=cccccc<6morechars>&yk_counter=52&yk_use=0&yk_high=188&yk_low=11100&nonce=<NONCE>,local_counter=51&local_use=0 |
+--------+------------+----------------------------------+----------------------------------------------+---------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
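As an added example (not yubikey-val code and not part of the original post), the following Python parses the queue table's `info` column shown above, rejects an entry with an empty `yk_publicname` like the bogus `yubikeys` row, and reproduces the three counter-ordering checks that the `LOG_NOTICE`/`LOG_WARNING`/`LOG_ERR` lines in the log refer to. The ordering (compare `yk_counter` first, then `yk_use`, strictly greater) is an assumption about how ykval-synclib.php compares counters; the remote reply values are constructed, since the post does not show the remote server's response.

```python
# Added example, not yubikey-val code: parse the 'info' column of the ykval
# queue table and reproduce the counter-ordering checks behind the synclib
# log lines. Counter ordering (yk_counter, then yk_use; strictly greater) is an
# assumption; ykval-synclib.php is authoritative.
from urllib.parse import parse_qs

OTP_FIELDS = ("yk_publicname", "yk_counter", "yk_use", "yk_high", "yk_low", "nonce")
LOCAL_FIELDS = ("local_counter", "local_use")


def _flatten(query):
    # parse_qs returns lists; the sync protocol sends each key once.
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def parse_sync_info(info):
    """Split 'k=v&...,local_counter=N&local_use=M' into (otp_params, local_params).

    An entry with an empty yk_publicname (like the bogus yubikeys row) is
    rejected instead of producing undefined-index lookups later on.
    """
    otp_part, sep, local_part = info.partition(",")
    if not sep:
        raise ValueError("info has no ',local_counter=...' suffix")
    otp, local = _flatten(otp_part), _flatten(local_part)
    missing = [f for f in OTP_FIELDS if f not in otp] + [f for f in LOCAL_FIELDS if f not in local]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if otp["yk_publicname"] == "":
        raise ValueError("empty yk_publicname")
    return otp, local


def is_valid_sync_info(info):
    """True if parse_sync_info accepts the entry."""
    try:
        parse_sync_info(info)
        return True
    except ValueError:
        return False


def counter_pair(params, counter_key="yk_counter", use_key="yk_use"):
    """(session counter, use counter); tuple comparison gives the ordering."""
    return (int(params[counter_key]), int(params[use_key]))


def higher(a, b):
    """True if counters a are strictly higher than counters b (assumed ordering)."""
    return a > b


def check_sync_response(info, remote, current_local):
    """Return (level, message) pairs matching the log lines in the post.

    info          : the queue row's info column
    remote        : dict with yk_counter/yk_use from the remote sync response
    current_local : dict with yk_counter/yk_use currently in the local yubikeys table
    """
    otp, local_at_request = parse_sync_info(info)
    otp_c = counter_pair(otp)
    req_c = counter_pair(local_at_request, "local_counter", "local_use")
    rem_c, cur_c = counter_pair(remote), counter_pair(current_local)
    findings = []
    if higher(rem_c, req_c):
        findings.append(("LOG_NOTICE", "Local server out of sync compared to counters at validation request time."))
    if higher(rem_c, cur_c):
        findings.append(("LOG_WARNING", "Local server out of sync compared to current local counters. Local server updated."))
    if higher(rem_c, otp_c):
        findings.append(("LOG_ERR", "Remote server has higher counters than OTP. This response would have marked the OTP as invalid."))
    return findings


# Constructed sample data: the first queue row from the post (placeholders kept
# as-is), a hypothetical remote reply that is ahead of the OTP, and the local
# row at yk_counter=52 from the "database not updated" log line.
QUEUE_INFO = ("yk_publicname=cccccc<6morechars>&yk_counter=50&yk_use=0&yk_high=169"
              "&yk_low=788&nonce=<NONCE>,local_counter=49&local_use=0")
REMOTE_REPLY = {"yk_counter": "52", "yk_use": "0"}   # assumed remote state
CURRENT_LOCAL = {"yk_counter": "52", "yk_use": "0"}  # from the post's log line
BOGUS_INFO = ("yk_publicname=&yk_counter=-1&yk_use=-1&yk_high=-1&yk_low=-1"
              "&nonce=0000000000000000,local_counter=-1&local_use=-1")

if __name__ == "__main__":
    for level, msg in check_sync_response(QUEUE_INFO, REMOTE_REPLY, CURRENT_LOCAL):
        print(f"{level}:ykval-queue:synclib:{msg}")
    print("bogus entry accepted:", is_valid_sync_info(BOGUS_INFO))
```

Run against the constructed remote reply, the sample produces the LOG_NOTICE and LOG_ERR lines (the remote counters, 52, are above both the local counters at request time, 49, and the OTP's own counter, 50) and rejects the empty-publicname entry up front, which is the kind of sanity check worth adding around whatever is inserting that row.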