Yubico Forum
https://forum.yubico.com/

YK-val sync works only one way. Can someone help?
https://forum.yubico.com/viewtopic.php?f=5&t=2285

Author:  JanMichaelVincent [ Tue Apr 19, 2016 7:01 pm ]
Post subject:  YK-val sync works only one way. Can someone help?

Hi all,
I am trying to set up a cluster for yubikey OTP validation using radius. I followed this: https://developers.yubico.com/yubikey-v ... ation.html

Now, I have two servers with two YubiHSMs which are in the same pool. Here is my ykval-config.php on both:

Code:
<?php
$baseParams = array ();
$baseParams['__YKVAL_DB_DSN__'] = "mysql:dbname=ykval;host=127.0.0.1";
$baseParams['__YKVAL_DB_USER__'] = 'ykval_verifier';
$baseParams['__YKVAL_DB_PW__'] = 'Pa$$W0RD';
$baseParams['__YKVAL_DB_OPTIONS__'] = array();

$baseParams['__YKRESYNC_IPS__'] = array("192.168.1.12", "192.168.1.20");
$baseParams['__YKVAL_SYNC_POOL__'] = array("http://first-yk-server.local/wsapi/2.0/sync", "http://second-yk-server.local/wsapi/2.0/sync");

$baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] = array("192.168.1.12", "192.168.1.20");

$baseParams['__YKVAL_SYNC_INTERVAL__'] = 10;
$baseParams['__YKVAL_SYNC_RESYNC_TIMEOUT__'] = 30;
$baseParams['__YKVAL_SYNC_OLD_LIMIT__'] = 10;

$baseParams['__YKVAL_SYNC_FAST_LEVEL__'] = 1;
$baseParams['__YKVAL_SYNC_SECURE_LEVEL__'] = 40;
$baseParams['__YKVAL_SYNC_DEFAULT_LEVEL__'] = 30;
$baseParams['__YKVAL_SYNC_DEFAULT_TIMEOUT__'] = 1;

function otp2ksmurls ($otp, $client) {

  return array(
               "http://127.0.0.1:8002/wsapi/decrypt?otp=$otp",
               );
}

?>


This is what happens if I fire up ykval-queue:

Code:
# ykval-queue
PHP Notice:  Undefined index:  in /usr/share/yubikey-val/ykval-synclib.php on line 332
PHP Notice:  Undefined offset: 1 in /usr/share/yubikey-val/ykval-synclib.php on line 589
PHP Notice:  Undefined index: local_counter in /usr/share/yubikey-val/ykval-synclib.php on line 592
PHP Notice:  Undefined index: local_use in /usr/share/yubikey-val/ykval-synclib.php on line 593
PHP Notice:  Undefined index: yk_publicname in /usr/share/yubikey-val/ykval-synclib.php on line 355
PHP Notice:  Undefined index: modified in /usr/share/yubikey-val/ykval-synclib.php on line 156
PHP Notice:  Undefined index: nonce in /usr/share/yubikey-val/ykval-synclib.php on line 157
PHP Notice:  Undefined index: yk_publicname in /usr/share/yubikey-val/ykval-synclib.php on line 158
PHP Notice:  Undefined index: yk_high in /usr/share/yubikey-val/ykval-synclib.php on line 161
PHP Notice:  Undefined index: yk_low in /usr/share/yubikey-val/ykval-synclib.php on line 162
PHP Notice:  Undefined index: yk_counter in /usr/share/yubikey-val/ykval-synclib.php on line 271
PHP Notice:  Undefined index: yk_counter in /usr/share/yubikey-val/ykval-synclib.php on line 249
PHP Notice:  Undefined index:  in /usr/share/yubikey-val/ykval-synclib.php on line 424


And this:

Code:
PHP Notice:  Undefined index: �U� in /usr/share/yubikey-val/ykval-synclib.php on line 332
PHP Notice:  Undefined offset: 1 in /usr/share/yubikey-val/ykval-synclib.php on line 589
PHP Notice:  Undefined index: local_counter in /usr/share/yubikey-val/ykval-synclib.php on line 592
PHP Notice:  Undefined index: local_use in /usr/share/yubikey-val/ykval-synclib.php on line 593
PHP Notice:  Undefined index: yk_publicname in /usr/share/yubikey-val/ykval-synclib.php on line 355
PHP Notice:  Undefined index: modified in /usr/share/yubikey-val/ykval-synclib.php on line 156
PHP Notice:  Undefined index: nonce in /usr/share/yubikey-val/ykval-synclib.php on line 157
PHP Notice:  Undefined index: yk_publicname in /usr/share/yubikey-val/ykval-synclib.php on line 158
PHP Notice:  Undefined index: yk_high in /usr/share/yubikey-val/ykval-synclib.php on line 161
PHP Notice:  Undefined index: yk_low in /usr/share/yubikey-val/ykval-synclib.php on line 162
PHP Notice:  Undefined index: yk_counter in /usr/share/yubikey-val/ykval-synclib.php on line 271
PHP Notice:  Undefined index: yk_counter in /usr/share/yubikey-val/ykval-synclib.php on line 249
PHP Notice:  Undefined index: �U� in /usr/share/yubikey-val/ykval-synclib.php on line 424
PHP Warning:  curl_close() expects parameter 1 to be resource, array given in /usr/share/yubikey-val/ykval-synclib.php on line 447


Some strange unicode characters are appearing here.

And I noticed a bogus entry in the db which is probably causing all this:

Code:
mysql> SELECT * from yubikeys WHERE yk_publicname = "";
+--------+------------+----------+---------------+------------+--------+--------+---------+------------------+-------+
| active | created    | modified | yk_publicname | yk_counter | yk_use | yk_low | yk_high | nonce            | notes |
+--------+------------+----------+---------------+------------+--------+--------+---------+------------------+-------+
|      1 | 1461087547 |       -1 |               |         -1 |     -1 |     -1 |      -1 | 0000000000000000 |       |
+--------+------------+----------+---------------+------------+--------+--------+---------+------------------+-------+
1 row in set (0.00 sec)


I can delete it but it comes back as long as ykval-queue is running.

Finally, here is my /var/log/messages on the host that has problems (second-yk-server.local in my config):

Code:
LOG_INFO:ykval-queue:synclib:server=http://first-yk-server.local/wsapi/2.0/sync, server_nonce=<SERVER_NONCE_HERE>, info=yk_publicname=cccccc<6morechars>&yk_counter=50&yk_use=0&yk_high=169&yk_low=788&nonce=<NONCE_HERE>,local_counter=49&local_use=0
LOG_INFO:ykval-queue:synclib:database not updated modified=1461087576 nonce=<NONCE_HERE> yk_publicname=cccccc<6morechars> yk_counter=52 yk_use=0 yk_high=188 yk_low=11100
LOG_NOTICE:ykval-queue:synclib:Discovered new identity
LOG_NOTICE:ykval-queue:synclib:params for yk_publicname  not found in database
LOG_NOTICE:ykval-queue:synclib:Local server out of sync compared to counters at validation request time.
LOG_WARNING:ykval-queue:synclib:Local server out of sync compared to current local counters. Local server updated.
LOG_ERR:ykval-queue:synclib:Remote server has higher counters than OTP. This response would have marked the OTP as invalid.


I had to censor my nonce/yk_publicname.

Anyway, does anyone know what is causing this and what I can do to debug this more?

I tried dropping the yubikeys and queue tables, but the same problem starts to appear again. Here is my queue table on the second server:

Code:
mysql> select * from queue;
+--------+------------+----------------------------------+----------------------------------------------+---------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
| queued | modified   | server_nonce                     | otp                                          | server                                | info                                                                                                                                                 |
+--------+------------+----------------------------------+----------------------------------------------+---------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
|   NULL | 1461087545 | 7e259894650a75f053b41df688c674ad | cccccc<THE_REST_OF_OTP> | http://first-yk-server.local/wsapi/2.0/sync | yk_publicname=cccccc<6morechars>&yk_counter=50&yk_use=0&yk_high=169&yk_low=788&nonce=<NONCE>,local_counter=49&local_use=0   |
|   NULL | 1461087571 | 37b4701d86ef6c66d5e0ff6ad6288a13 | cccccc<THE_REST_OF_OTP> | http://first-yk-server.local/wsapi/2.0/sync | yk_publicname=cccccc<6morechars>&yk_counter=52&yk_use=0&yk_high=188&yk_low=11100&nonce=<NONCE>,local_counter=51&local_use=0 |
+--------+------------+----------------------------------+----------------------------------------------+---------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
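The queue rows above carry two counter pairs per OTP: the counters inside the OTP itself and the local counters at validation time (after the comma). The following is an added example, not yubikey-val's own code: a small Python model that parses that info field and compares a sync partner's reply against it using the strict (counter, use) ordering that the UPDATE ... WHERE (N>yk_counter or (N=yk_counter and U>yk_use)) guard in the later mysql log expresses. The public name, nonce and condition names are this example's own placeholders.

```python
from urllib.parse import parse_qs

# Constructed queue "info" value, same layout as the rows in the thread;
# the public name and nonce are placeholders, not real identifiers.
SAMPLE_INFO = ("yk_publicname=ccccccxxxxxx&yk_counter=50&yk_use=0&yk_high=169"
               "&yk_low=788&nonce=0123456789abcdef,local_counter=49&local_use=0")


def parse_info(info):
    """Split the info field into the OTP parameters and the local counters
    recorded when the OTP was validated (the part after the comma)."""
    otp_part, local_part = info.split(",", 1)
    otp = {k: v[0] for k, v in parse_qs(otp_part, strict_parsing=True).items()}
    local = {k: v[0] for k, v in parse_qs(local_part, strict_parsing=True).items()}
    for key in ("yk_counter", "yk_use", "yk_high", "yk_low"):
        otp[key] = int(otp[key])
    return otp, {k: int(v) for k, v in local.items()}


def counters_higher(a, b):
    """Strict (counter, use) ordering, the same test the UPDATE ... WHERE
    (N>yk_counter or (N=yk_counter and U>yk_use)) query in the thread applies."""
    return a[0] > b[0] or (a[0] == b[0] and a[1] > b[1])


def apply_update(stored, incoming):
    """Monotonic update of a stored (counter, use) pair: older or equal
    counters never overwrite newer ones, so a replayed OTP cannot roll back."""
    return incoming if counters_higher(incoming, stored) else stored


def classify_sync(info, remote):
    """Classify a sync partner's reply (its stored (counter, use) pair for
    the key) against the OTP and local counters carried in the queue row.
    The condition names are this example's own, chosen to mirror the log
    lines in the thread; they are not yubikey-val's internal names."""
    otp, local = parse_info(info)
    otp_pair = (otp["yk_counter"], otp["yk_use"])
    local_pair = (local["local_counter"], local["local_use"])
    return {
        # remote already saw a newer OTP: this OTP would have been rejected
        "remote_higher_than_otp": counters_higher(remote, otp_pair),
        # local counters at request time were stale relative to the partner
        "local_behind_remote": counters_higher(remote, local_pair),
        # counters local should hold after merging the partner's view
        "merged": apply_update(apply_update(local_pair, otp_pair), remote),
    }
```

With the row above, a partner reply of (52, 0) flags remote_higher_than_otp, which is the situation behind the LOG_ERR line "Remote server has higher counters than OTP".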

Author:  Tom2 [ Fri Apr 22, 2016 12:20 pm ]
Post subject:  Re: YK-val sync works only one way. Can someone help?

Ideally you should use our yubikey-val package, on ubuntu 14.04 preferably.

I think that should solve your issue.

Author:  JanMichaelVincent [ Fri Apr 22, 2016 11:59 pm ]
Post subject:  Re: YK-val sync works only one way. Can someone help?

I am on CentOS 6 using latest yubikey-val from git.
As long as the queue table is empty there are no errors. As soon as an entry appears there, I get errors. Here's the mysql debug log on second-yk-server.local:

Code:
160422 15:57:36       3 Query   select distinct server from queue WHERE queued < 1461365846 or queued is null
          3 Query   select * from queue WHERE (queued < 1461365846 or queued is null) and server='http://first-yk-server.local/wsapi/2.0/sync' LIMIT 1000
          3 Query   UPDATE yubikeys SET  modified='1461363170', yk_counter='313', yk_use='0', yk_low='17484', yk_high='90', nonce='<<NONCE>>' WHERE yk_publicname = 'cccccc<<6CHARS>>' and (313>yk_counter or (313=yk_counter and 0>yk_use))
          3 Query   SELECT * FROM yubikeys WHERE yk_publicname is NULL LIMIT 1
          3 Query   INSERT INTO yubikeys (active,created,modified,yk_counter,yk_use,yk_low,yk_high,nonce,notes) VALUES ('1','1461365856','-1','-1','-1','-1','-1','0000000000000000','')
          3 Query   SELECT * FROM yubikeys WHERE yk_publicname is NULL LIMIT 1
          3 Query   DELETE FROM queue WHERE modified = '' and server_nonce = '' and server = ''


And these are coming in every second even if the bogus entry is there. Any workaround for CentOS and git?

Author:  JanMichaelVincent [ Tue May 03, 2016 5:50 pm ]
Post subject:  Re: YK-val sync works only one way. Can someone help?

Just to close the loop, the new git version of synclib fixes this issue.
