Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 6:59 pm

View unanswered posts | View active topics


Board index » Yubico Software » Server Side Software

All times are UTC + 1 hour




Post new topic Reply to topic  Page 1 of 1
  [ 9 posts ] 
  Print view Previous topic | Next topic 
Author Message
aurelien
 Post subject: setup yubiphpbase
PostPosted: Wed Apr 22, 2009 11:21 am 
Offline

Joined: Mon Apr 20, 2009 1:57 pm
Posts: 3
Hi
I'm reading this tutorial :
http://code.google.com/p/yubiphpbase/wiki/SetUp
but I have some questions :
In the part "Set up the database" there is :
Quote:
* Use your admin email in the following INSERT statement. The API secret is base64-encoded and is generated by running "db/utils.php".

INSERT INTO `clients` VALUES (1,1,1,'1970-01-01 00:00:00','your_email@your_email_domain.com','571dm......T983eDqhuOplnHk8=',NULL)

Do I just need to put the mail adress or complete all the table?
How can I use utils.php ? because when I copy it to its parent directory, the file doesn't work...
It needs the file config.php and I don't know what I have to put in :
Quote:
$aesParams['__ADM_KEY_SECRET__'] = '.....enter yours.....';

Quote:
$aesParams['__ENC_KEY_SECRET__'] = '.....enter yours.....';

Then a wsapi/common.php is recquired, I put files of yubikey-val-server-php in a wsapi folder
And another problem :
lots of functions used by yubiphpbase/appinclude are redifined in the common.php :cry:

and a last question : what is kms???
Top
 Profile  
Reply with quote  

Share On:
Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

network-marvels
 Post subject: Re: setup yubiphpbase
PostPosted: Wed Apr 22, 2009 11:37 am 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
We are working on the code restructuring and it will be finished soon. We will update you as soon as we finish it.
Top
 Profile  
Reply with quote  
network-marvels
 Post subject: Re: setup yubiphpbase
PostPosted: Mon Apr 27, 2009 1:16 pm 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
We apologize for the delay !
We have completed the code restructuring task and released a new PHP based YMS and validation server.
Please visit the following link for more information:

http://www.yubico.com/developers/srv/

Feel free to write back to us in case you face any problems.
Top
 Profile  
Reply with quote  
aurelien
 Post subject: Re: setup yubiphpbase
PostPosted: Mon Apr 27, 2009 3:47 pm 
Offline

Joined: Mon Apr 20, 2009 1:57 pm
Posts: 3
ok thanks :)

I have some doubts about the file config.php :

Quote:
// OTP from your admin key you are to use to log in to KMS
// Eg. $otp = 'gklhtdkvrbfnbuicngergckgdfvfrbfjfhgiffghcithv';
$otp = '...enter yours...';

Do I just need to press my yubikey?

Quote:
// This is the AES secret inside your key
// Eg. $aesParams['__ADM_KEY_SECRET__'] = '7Bs1Rl4Itr2+ZmbyO/KCWQ==';
$aesParams['__ADM_KEY_SECRET__'] = '.....enter yours.....';

I don't know what it is :(

Quote:
// Make up a random secret to encrypt data in DB in b64 format
// Eg. $aesParams['__ENC_KEY_SECRET__'] = 'gklftrkvbvcbfhdafbedtjerrbbcgkuk';
$aesParams['__ENC_KEY_SECRET__'] = '.....enter yours.....';


Do I press the yubikey again?


Edit :
When I try to run the utils.php I obtain nothing...
Top
 Profile  
Reply with quote  
network-marvels
 Post subject: Re: setup yubiphpbase
PostPosted: Tue Apr 28, 2009 4:13 pm 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
Please follow the below mentioned steps to install and configure the YMS server:

    1) Download the following projects from Google code:

      a) yms
      b) yubico-php-lib
      c) yubikey-ksm
      d) yubikey-val-server-php
      e) yubiphpbase

    2) Install and configure the "yubikey-ksm" project as per the installation instructions provided on the wiki link

    3) Go to the "yubiphpbase" project and perform following steps:

      a) Copy the "config.php.sample" file to "config.php"

      b) Populate the "config.php" file as follows:

      We are assuming following parameters for hosting a Yubico Validation Server and assuming the the "yubikey-ksm" project is installed properly and admin YubiKey is inserted into the "yubikey-ksm" database.

        1) Pin for two factor authentication : 12345
        2) Random Secret: YubicoYubikey (Base64 encoded output: WXViaWNvWXViaWtleQ==)
        3) MySQL Database Server hostname: sql.test.com
        4) MySQL User name : yubico
        5) MySQL User password: test123
        6) MySQL Database name: yubikey
        7) Root Email Address: admin@test.com
        8) Apache http document root: /var/www/html

      The content of yubiphpbase config.php based on above parameters would be:

      Code:
      <?php
      /******************************************************
       *
       *      Customize EVERY parameter for your environment
       *
       ******************************************************/

      //// AES secrets
      //
      $aesParams = array ();

      /******* Erase this section after installation *******/
      *

      // OTP from your admin key you are to use to log in to KMS
      // Eg. $otp = 'gklhtdkvrbfnbuicngergckgdfvfrbfjfhgiffghcithv';
      $otp = 'vrkvfefuitvfiuibirllecjgbbnfhhirchithtvfrrbd';

      // Admin PIN as the 2nd factor of auth
      //Eg. $pin = '12345678';
      $pin = '12345';

      // This is the AES secret inside your key
      // Eg. $aesParams['__ADM_KEY_SECRET__'] = '7Bs1Rl4Itr2+ZmbyO/KCWQ==';
      $aesParams['__ADM_KEY_SECRET__'] = '.....enter yours.....';

      *
      ********** End of section to erase after installation *******/

      // Make up a random secret to encrypt data in DB in b64 format
      // Eg. $aesParams['__ENC_KEY_SECRET__'] = 'gklftrkvbvcbfhdafbedtjerrbbcgkuk';
      $aesParams['__ENC_KEY_SECRET__'] = 'WXViaWNvWXViaWtleQ==';

      //// DB, email and web related
      //
      $baseParams = array ();
      $baseParams['__DB_HOST__'] = 'sql.test.com';   
      $baseParams['__DB_USER__'] = 'yubico';
      $baseParams['__DB_PW__'] = 'test123';
      $baseParams['__DB_NAME__'] = 'yubikey';

      // Eg. $baseParams['__ROOT_EMAIL__'] = 'support@yubico.com'; 
      $baseParams['__ROOT_EMAIL__'] = 'admin@test.com';

      $baseParams['__ORDER_URL__'] = 'http://yubico.com/products/order/';
      $baseParams['__DOMAIN__'] = 'localhost';

      // Eg. $baseParams['__DOC_ROOT__'] = '/apache/htdocs/'
      $baseParams['__DOC_ROOT__'] = '/var/www/html';

      //// Validation server
      //

      $valParams = array ();
      $valParams['__VAL_URL__'] = 'http://localhost/yubikey-val-server-php/verify.php?id=';

      //// HTML related
      //
      $headParams = array ();
      $headParams['__SHORTCUT_ICON_URL__'] = 'http://localhost/kms/images/favicon.ico';

      //// KMS admin activation welcome letter
      //
      $letterParams = array ();
      $letterParams['__KMS_URL__'] = 'http://localhost/yms';

      ?>



      c) run install.php file as follows:
      Code:
      #  php install.php

      This will populate the yubikey database.

      d) Open "appinclude.php" and change "$devMode" to "true" from "false"

      e) Open "yubi_lib.php" and change the followings:

        1) From line 87, change $url to "$url = "http://localhost/yubikey-val-server-php/verify.php?id=""
        2) From line 113, change $id to 1


    4) Go to the "yubikey-val-server-php" project and perform following steps:

      a) Copy config.php.sample to config.php

      b) Populate the "config.php" file as follows:
      Code:
      <?php                                                             # -*- php -*-

      //// DB
      //
      $baseParams = array ();
      $baseParams['__DB_HOST__'] = 'sql.test.com';
      $baseParams['__DB_USER__'] = 'yubico';
      $baseParams['__DB_PW__'] = 'test123';
      $baseParams['__DB_NAME__'] = 'yubikey';

      // otp2ksmurls: Return array of YK-KSM URLs for decrypting OTP for
      // CLIENT.  The URLs must be fully qualified, i.e., contain the OTP
      // itself.
      function otp2ksmurls ($otp, $client) {
        if ($client == 1) {
          return array("http://localhost/yubikey-ksm/ykksm-decrypt.php?otp=$otp");
        }

        if (preg_match ("/^dteffujehknh/", $otp)) {
          return array("http://localhost/yubikey-ksm/ykksm-decrypt.php?otp=$otp");
        }

        return array(
                     "http://localhost/yubikey-ksm/ykksm-decrypt.php?otp=$otp",
                     "http://localhost/yubikey-ksm/ykksm-decrypt.php?otp=$otp",
                     );
      }

      ?>



    5) Try to login to the YMS server using the following url:
    http://localhost/yms

We hope this helps !

Feel free to write back to us in case you face any problems.
Top
 Profile  
Reply with quote  
zeroxten
 Post subject: Re: setup yubiphpbase
PostPosted: Fri Dec 04, 2009 5:25 pm 
Offline

Joined: Fri Oct 30, 2009 6:25 pm
Posts: 8
One day. One day I shall get this working! Even if it kills me.

Specifically, it suggests above that one should install yubikey-ksm as per instructions on code.google.com project.

These instructions refer to:
Code:
The database needs to be initialized as follows:

lyra:~/yubikey-ksm# mysql < ykksm-db.sql
lyra:~/yubikey-ksm#


which will in turn create a "ykksm" database:

Code:
fscott@yubikey:~/yubikey-ksm$ head ykksm-db.sql
-- drop database ykksm;
create database ykksm;
use ykksm;

create table yubikeys (
  id int not null auto_increment,

  -- identities:
  serialNr int not null,
  publicName varchar(16) unique not null,


According to the instructions above, we then start using a database called 'yubikey'.

This means that either
    1) We have two databases: ykksm and yubikey
    2) Or we have to edit ykksm-db.sql and change the database name
    3) Or there is a typo in the instructions and the database name 'yubikey' should actually be 'ykksm'

Please clarify which is correct.

Thanks
Top
 Profile  
Reply with quote  
network-marvels
 Post subject: Re: setup yubiphpbase
PostPosted: Mon Dec 07, 2009 11:07 am 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
For installing the YMS server or the Yubico OTP validation server we need two databases. One is "yubikey" and the other is "ykksm". The "ykksm" database is used for storing the AES Keys for the YubiKeys and is accessed only by the "yubikey-ksm" module. The "yubikey" database is shared between the YMS server and the Yubico OTP validation server. The "yubikey" database stores the counter related information which is used by the Yubico OTP validation server for validating the YubiKey.

The normal flow of OTP validation process is as follows:

    1) We install the YMS Server, Yubico OTP validation server and the yubikey-ksm module

    2) We insert the admin YubiKey information, i.e. AES Key, Public ID and Private ID into the yubikey-ksm module database (ykksm)

    3) We then configure the YMS server and populate the database using the instructions given earlier in this post

    4) We then access the YMS server interface and provide the OTP from our admin YubiKey

    5) The OTP is sent to the Yubico OTP validation server

    6) The Yubico OTP validation server forwards that OTP to the yubikey-ksm module

    7) The yubikey-ksm module, retrieves the AES Key of the YubiKey (by using the first 12 characters of the OTP aka Public ID of the YubiKey). if the AES Key is found in the database, the yubikey-ksm module decrypts the OTP using the retrieved AES Key from the "ykksm" database or it sends error message to the Yubico OTP validation server. If the OTP is successfully decrypted, the yubikey-ksm module sends back the decrypted OTP which consists of different counter values to the Yubico OTP validation server otherwise sends error message.

    8) The Yubico OTP validation server receives the OTP decryption results from the yubikey-ksm module. If it receives the decrypted OTP, it compares the different counter values against the values stored in the "yubikey" database. If the counter values are satisfying the OTP validation criteria, the Yubico OTP validation server sends OK status to the YMS server otherwise it sends the error message. Also, if an error message is received from the yubikey-ksm module, the OTP validation server forwards that error message to the YMS server

    9) Depending on the OTP validation result received from the Yubico OTP validation server, the YMS server grants/denies access to it's interface.


We hope this helps!
Top
 Profile  
Reply with quote  
zeroxten
 Post subject: Re: setup yubiphpbase
PostPosted: Mon Dec 07, 2009 11:35 am 
Offline

Joined: Fri Oct 30, 2009 6:25 pm
Posts: 8
Many thanks for the update!

Hopefully I'll get time this afternoon to try it out.
Top
 Profile  
Reply with quote  
zeroxten
 Post subject: Re: setup yubiphpbase
PostPosted: Mon Dec 28, 2009 3:56 pm 
Offline

Joined: Fri Oct 30, 2009 6:25 pm
Posts: 8
Got it all working eventually... had to make a couple of minor changes to pam_yubico.c to allow for 16 char public ids and ldap v3. Now just a question of how to integrate it with SSH and Kerberos :)
Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  Page 1 of 1
  [ 9 posts ] 

Board index » Yubico Software » Server Side Software

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 2 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group