Yubico Forum https://forum.yubico.com/ |
[Question]Self hosted validation server https://forum.yubico.com/viewtopic.php?f=35&t=2691 |
Author: | valgenova [ Wed Aug 23, 2017 5:19 am ] |
Post subject: | [Question]Self hosted validation server |
Hi,

I'm trying to set up a self-hosted validation server or yubikey-val and yubikey-ksm; both servers are separated. I have followed the steps in this URL https://developers.yubico.com/yubikey-v ... ation.html, as well as https://developers.yubico.com/yubikey-ksm/. I have also installed ykclient on a separate server to test, verify and decrypt my servers.

I have generated the client keys and put them in the yubikey-val server MySQL database, ykval.

When I try to test using the ykclient and verify or

    ykclient --url "http://10.1.11.6/wsapi/2.0/verify" --apikey my_apikey= 2 my_otpkey --debug

    Verification output (1): Yubikey OTP was bad (BAD_OTP)

My questions are:

1. I have been trying to search the net for any documentation about this self-hosted server, with separate servers for ykval and ykksm. If there is any, can you point me to that URL?
2. There is a setting in yubikey-val ykval-config.php, "http://127.0.0.1:80/wsapi/decrypt?otp=$otp". Do I need to change this 127.0.0.1 to the IP address of my ykksm server?
3. Is there any other config I need to edit for this self-hosted separated validation server and ykksm server to work?

Thank you in advance.

valgenova |
Author: | valgenova [ Tue Sep 19, 2017 7:56 am ] |
Post subject: | Re: [Question]Self hosted validation server |
Hi,

Still troubleshooting the problem. To add to the troubleshooting: when I run this command on the ykksm server to test

    wget -O - 'http://localhost/wsapi/decrypt?otp=mykeyfkgknthctdkdkrleficdrlhvlbjlgter'

the error in /var/log/apache2/ykksm-error.log is

    [Tue Sep 19 02:53:15.328215 2017] [:error] [pid 1465] [client 127.0.0.1:56256] PHP Fatal error: Call to undefined function mcrypt_module_open() in /usr/share/yubikey-ksm/ykksm-utils.php on line 48

I have php5-mcrypt installed.

Thank you in advance.

valgenova |
Author: | valgenova [ Wed Sep 20, 2017 5:19 am ] |
Post subject: | Re: [Question]Self hosted validation server |
Hi,

I was searching the net to fix the mcrypt error

Quote:
    PHP Fatal error: Call to undefined function mcrypt_module_open() in /usr/share/yubikey-ksm/ykksm-utils.php on line 48

I have enabled php5-mcrypt by editing /etc/php5/apache2/php.ini to add the line extension=mcrypt.so, then restarted apache2.

Then I tested the ykksm server again via

Quote:
    curl 'http://localhost/wsapi/decrypt?otp=myyubicootpjtgtbtirtuhfchrhulentjbdhglulhdn' -v

Then I got this response

    ERR Corrupt OTP

which, per the ykksm docs, is the correct response, and the logs are

Quote:
    Sep 19 23:24:48 auth-ksm ykksm[3533]: UID error: myyubicootpjtgtbtirtuhfchrhulentjbdhglulhdn f56e9c3d8737839e9b850b7394bb50d9: f56e9c3d8737 vs d3f0fc27cd93

What I need to do now is troubleshoot the ykval server. When I run

Quote:
    wget -q -O - 'http://localhost/wsapi/2.0/verify?id=1&nonce=asdmalksdmlkasmdlkasmdlakmsdaasklmdlak&otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'

I should get a status=NO_SUCH_CLIENT, but I'm getting status=BAD_OTP. I have already generated some clients in the database.

Thanks in advance

valgenova |
Author: | valgenova [ Mon Sep 25, 2017 8:41 am ] |
Post subject: | Re: [Question]Self hosted validation server |
Hi,

Just a question: if I want to host a self validation server, do I really need to personalize my YubiKey, or use the ykpersonalize tool?

I tested my YubiKey using Dropbox, and the YubiKey works fine. I also tried the pam.d login with my YubiKey using api.yubico.com to validate or verify, and that also works fine. I'm trying to configure a self-hosted validation server and I'm getting this error.

Quote:
    Sep 19 23:24:48 auth-ksm ykksm[3533]: UID error: myyubicootpjtgtbtirtuhfchrhulentjbdhglulhdn f56e9c3d8737839e9b850b7394bb50d9: f56e9c3d8737 vs d3f0fc27cd93

The only step I did not do is to personalize the YubiKey.

Again, my question is: do I have to personalize my YubiKey in order for my ykksm to work?

Thank you in advance

valgenova |
Author: | valgenova [ Tue Sep 26, 2017 5:48 am ] |
Post subject: | Re: [Question]Self hosted validation server |
Hi,

After installing a personalization tool in Windows, I personalized my slot2, then input it in the ykksm database. I was able to test via wget on the localhost. I also tested the connection via ykclient and I get a SUCCESS OTP.

Then I configured a VE container, set up pam.d and ssh for two-step authentication, and tested logging in via ssh, and I was able to log in. The ykksm server also logs this

Quote:
    Sep 26 00:36:02 auth-ksm ykksm[2090]: SUCCESS OTP myyubikeykeys PT myrandomlogs OK counter=0001 low=d301 high=b8 use=0b

If I get free time, I will write a doc on the steps I took to make this self-hosted validation server, and will share it here.

Thank you

valgenova |
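Added example, not part of the thread and not Yubico's code: an offline triage of the ykksm "UID error" line quoted in the posts above, which tells a wrong AES key in the KSM database apart from a wrong internal name. It assumes the log layout visible in that line (OTP, 32-hex decrypted plaintext, decrypted UID "vs" the UID stored in the KSM database) and the standard Yubico OTP plaintext layout with its CRC-16 check; the function names are illustrative.

```python
import re

CRC_OK_RESIDUE = 0xF0B8  # CRC-16 over all 16 bytes of a valid OTP plaintext

def crc16(data: bytes) -> int:
    """CRC-16 (ISO 13239, reflected polynomial 0x8408) used in Yubico OTPs."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc

def decode_plaintext(pt_hex: str) -> dict:
    """Split a 16-byte decrypted OTP into the fields the KSM reports."""
    pt = bytes.fromhex(pt_hex)
    if len(pt) != 16:
        raise ValueError("OTP plaintext must be 16 bytes")
    return {
        "uid": pt[0:6].hex(),
        "counter": pt[6:8][::-1].hex(),  # stored little-endian
        "low": pt[8:10][::-1].hex(),     # timestamp, low 16 bits
        "high": pt[10:11].hex(),         # timestamp, high 8 bits
        "use": pt[11:12].hex(),          # session use counter
        "crc_ok": crc16(pt) == CRC_OK_RESIDUE,
    }

UID_ERR = re.compile(
    r"UID error: (\S+) ([0-9a-f]{32}): ([0-9a-f]{12}) vs ([0-9a-f]{12})")

def triage(line: str) -> str:
    """Classify one ykksm syslog line."""
    m = UID_ERR.search(line)
    if not m:
        return "success" if "SUCCESS OTP" in line else "unrecognised"
    if decode_plaintext(m.group(2))["crc_ok"]:
        return "uid-mismatch: key decrypts cleanly, stored internal name is wrong"
    return "wrong-aes-key: plaintext is garbage, DB key is not this token's key"

# The UID error line quoted in the thread.
SAMPLE = ("Sep 19 23:24:48 auth-ksm ykksm[3533]: UID error: "
          "myyubicootpjtgtbtirtuhfchrhulentjbdhglulhdn "
          "f56e9c3d8737839e9b850b7394bb50d9: f56e9c3d8737 vs d3f0fc27cd93")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the line from the thread the CRC fails as well as the UID comparison, which points at the AES key stored in the KSM not being the one programmed into the token, consistent with the fix reported in the last post.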
All times are UTC + 1 hour |