Yubico Forum
https://forum.yubico.com/

Multiple validation servers (and more)
https://forum.yubico.com/viewtopic.php?f=3&t=581

Author:  jsajdak [ Fri Oct 15, 2010 10:32 pm ]
Post subject:  Multiple validation servers (and more)

Hello,
I've spent the last day or so setting up a test environment in which I have created a validation server, a KSM server and configured a couple of Debian boxes to use two-factor authentication to our own servers. We are interested in managing our own keys and validation and will have need for redundancy. I've managed to reprogram the second slot on the YubiKey I'm testing with and successfully import the keys to the KSM server. Things are great... so here come some questions for which I have not been able to find any answers:
1. How do you set up a server to use multiple validation endpoints for authentication? I'm using the pam_yubico.so module in the sshd config. I've gotten the two-factor authentication working just fine. I've tried adding multiple references to this module using different URLs, but ultimately this will not work if both are set to "required". (Eventually I'm going to make this module required in addition to the standard password for two-factor; it's in "sufficient" status just for testing.) Here's the line in /etc/pam.d/sshd:
Code:
auth sufficient pam_yubico.so id=1 authfile=/etc/.yubikey_mappings url=http://myserver.com/wsapi/2.0/verify?id=%d&nonce=ajighnguemciwjnghiuejd&otp=%s debug

2. I'd like to test the HTTPS side of things on the validation server, but I think I'm running into certificate trust issues on the request coming from the server I'm trying to authenticate from, because I'm using a locally issued certificate. Is there a way around this during testing?
3. Is there a sync process for KSM servers like there is for the validation servers? Or what is the correct process to keep the key servers synchronized? Just import the same keys to each?

I hope my questions make sense and I'm not being too much of a dimwit.

Author:  jsajdak [ Wed Oct 20, 2010 4:04 am ]
Post subject:  Re: Multiple validation servers (and more)

Upon further review, I'm gonna go ahead and answer my own questions...
1. I think I'll have to put a load balancer of some sort in front of the validators. If you were writing your own authentication module you could build in the failovers I suppose, but I'm not.
2. Not worth the trouble. I'll just run on http until I get my house in order and then get a commercial certificate.
3. The answer is no. I did find another article on Yubico indicating that you need to copy the keys manually between KSMs.
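Both posts above raise the failover question (point 1 in each) and the HTTPS test-certificate question (point 2). The Python client below is an added example, not code from this thread, from pam_yubico or from Yubico: it sends the same wsapi/2.0/verify request as the PAM line above (id, otp, nonce), but tries a list of validation servers in turn, generates a fresh nonce per request, and only trusts a status after checking the response's HMAC-SHA1 signature `h` against the shared API key and confirming that the echoed otp and nonce match the request. The hostnames val1/val2.example.com, client id 1 and the API key are placeholders (assumptions), and `simulated_servers` is a constructed in-memory stand-in so the example runs offline. For the locally issued certificate case, `http_fetch` takes the issuing CA's certificate file instead of turning verification off.

```python
import base64
import hashlib
import hmac
import os
import ssl
import urllib.parse
import urllib.request

CLIENT_ID = 1                                     # matches id=1 in the PAM line above
API_KEY_B64 = "3jEcvZxEkI0eg1CHw1DYO9qJqKM="      # constructed key, not a real one
API_KEY = base64.b64decode(API_KEY_B64)
VALIDATION_URLS = [                               # placeholder hosts (assumption)
    "https://val1.example.com/wsapi/2.0/verify",
    "https://val2.example.com/wsapi/2.0/verify",
]
RETRYABLE = {"BACKEND_ERROR"}   # server-side trouble: ask the next server instead


def new_nonce():
    """Fresh per-request nonce (v2.0 expects 16..40 alphanumeric characters)."""
    return os.urandom(16).hex()


def parse_response(body):
    """Turn the 'key=value' lines of a verify response into a dict."""
    params = {}
    for line in body.splitlines():
        if "=" in line:
            k, v = line.strip().split("=", 1)
            params[k] = v
    return params


def sign(params, api_key):
    """h = base64(HMAC-SHA1(key, 'k1=v1&k2=v2...')) over every parameter
    except h, sorted by key, as the v2.0 protocol specifies."""
    msg = "&".join("%s=%s" % (k, params[k]) for k in sorted(params) if k != "h")
    mac = hmac.new(api_key, msg.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def check_response(body, otp, nonce, api_key):
    """Return (status, reason); status is None unless the response is
    authentic (good h) and bound to this request (otp and nonce echoed)."""
    p = parse_response(body)
    if "h" not in p or "status" not in p:
        return None, "malformed response"
    if not hmac.compare_digest(p["h"].encode(), sign(p, api_key).encode()):
        return None, "bad signature"
    if p.get("otp") != otp or p.get("nonce") != nonce:
        return None, "response not bound to this request (replay?)"
    return p["status"], "ok"


def http_fetch(url, cafile=None, timeout=5):
    """GET url over HTTPS. For a locally issued test certificate, pass the
    issuing CA's certificate file as cafile rather than disabling checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as r:
        return r.read().decode()


def verify_otp(otp, urls=VALIDATION_URLS, fetch=http_fetch,
               client_id=CLIENT_ID, api_key=API_KEY):
    """Ask the validation servers in order. An unreachable server, an
    unauthentic answer or a retryable status moves on to the next one; a
    definite answer (OK or a rejection) ends the search. Returns (accepted, detail)."""
    nonce = new_nonce()
    query = urllib.parse.urlencode({"id": client_id, "otp": otp, "nonce": nonce})
    errors = []
    for base in urls:
        try:
            body = fetch(base + "?" + query)
        except Exception as exc:           # connection refused, timeout, HTTP error
            errors.append("%s: %s" % (base, exc))
            continue
        status, reason = check_response(body, otp, nonce, api_key)
        if status is None or status in RETRYABLE:
            errors.append("%s: %s" % (base, reason if status is None else status))
            continue
        return status == "OK", "%s: %s" % (base, status)
    return False, "no trustworthy answer: " + "; ".join(errors)


def simulated_servers(status_by_host):
    """Constructed in-memory stand-in for the validation servers so the example
    runs offline. A host mapped to None is down; any other host signs a
    response carrying the given status with the shared API key."""
    def fetch(url):
        u = urllib.parse.urlsplit(url)
        status = status_by_host.get(u.hostname)
        if status is None:
            raise ConnectionError("%s: connection refused" % u.hostname)
        q = dict(urllib.parse.parse_qsl(u.query))
        p = {"t": "2010-10-20T00:00:00Z0000", "otp": q["otp"],
             "nonce": q["nonce"], "sl": "100", "status": status}
        p["h"] = sign(p, API_KEY)
        return "".join("%s=%s\r\n" % kv for kv in p.items())
    return fetch


if __name__ == "__main__":
    otp = "ccccccbchvthlivuitriujjifivbvtrjkjfirllluurj"   # constructed sample OTP
    servers = simulated_servers({"val1.example.com": None, "val2.example.com": "OK"})
    print(verify_otp(otp, fetch=servers))
```

Two design points worth noting. First, a rejection such as BAD_OTP or REPLAYED_OTP from a reachable server is a definite answer and stops the search; only an unreachable server, a response that fails the signature or nonce check, or a BACKEND_ERROR status moves the client on to the next server, so a flaky first server cannot be used to shop for a friendlier one. Second, because the nonce is fresh per request and must be echoed back under a valid signature, a captured response from an earlier authentication cannot be replayed to satisfy a later one.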
