Yubico Forum https://forum.yubico.com/

YK-val sync works only one way. Can someone help? https://forum.yubico.com/viewtopic.php?f=5&t=2285
Author: JanMichaelVincent [ Tue Apr 19, 2016 7:01 pm ]
Post subject: YK-val sync works only one way. Can someone help?
Hi all, I am trying to set up a cluster for YubiKey OTP validation using RADIUS. I followed this: https://developers.yubico.com/yubikey-v ... ation.html Now I have two servers with two YubiHSMs which are in the same pool. Here is my ykval-config.php on both:

Code:
<?php
$baseParams = array ();

// Local validation database on each node
$baseParams['__YKVAL_DB_DSN__'] = "mysql:dbname=ykval;host=127.0.0.1";
$baseParams['__YKVAL_DB_USER__'] = 'ykval_verifier';
$baseParams['__YKVAL_DB_PW__'] = 'Pa$$W0RD';
$baseParams['__YKVAL_DB_OPTIONS__'] = array();

// Hosts allowed to call the resync endpoint
$baseParams['__YKRESYNC_IPS__'] = array("192.168.1.12", "192.168.1.20");

// Sync pool: every node lists every node's /wsapi/2.0/sync endpoint
$baseParams['__YKVAL_SYNC_POOL__'] = array(
    "http://first-yk-server.local/wsapi/2.0/sync",
    "http://second-yk-server.local/wsapi/2.0/sync"
);

// Peers allowed to call this node's sync endpoint
$baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] = array("192.168.1.12", "192.168.1.20");

// Sync timing and sync levels (percentage of pool that must answer)
$baseParams['__YKVAL_SYNC_INTERVAL__'] = 10;
$baseParams['__YKVAL_SYNC_RESYNC_TIMEOUT__'] = 30;
$baseParams['__YKVAL_SYNC_OLD_LIMIT__'] = 10;
$baseParams['__YKVAL_SYNC_FAST_LEVEL__'] = 1;
$baseParams['__YKVAL_SYNC_SECURE_LEVEL__'] = 40;
$baseParams['__YKVAL_SYNC_DEFAULT_LEVEL__'] = 30;
$baseParams['__YKVAL_SYNC_DEFAULT_TIMEOUT__'] = 1;

// Key storage module (the YubiHSM-backed KSM on each node) used to decrypt OTPs
function otp2ksmurls ($otp, $client) {
    return array(
        "http://127.0.0.1:8002/wsapi/decrypt?otp=$otp",
    );
}
?>

This is what happens if I fire up ykval-queue:

Code:
# ykval-queue
PHP Notice: Undefined index: in /usr/share/yubikey-val/ykval-synclib.php on line 332
PHP Notice: Undefined offset: 1 in /usr/share/yubikey-val/ykval-synclib.php on line 589
PHP Notice: Undefined index: local_counter in /usr/share/yubikey-val/ykval-synclib.php on line 592
PHP Notice: Undefined index: local_use in /usr/share/yubikey-val/ykval-synclib.php on line 593
PHP Notice: Undefined index: yk_publicname in /usr/share/yubikey-val/ykval-synclib.php on line 355
PHP Notice: Undefined index: modified in /usr/share/yubikey-val/ykval-synclib.php on line 156
PHP Notice: Undefined index: nonce in /usr/share/yubikey-val/ykval-synclib.php on line 157
PHP Notice: Undefined index: yk_publicname in /usr/share/yubikey-val/ykval-synclib.php on line 158
PHP Notice: Undefined index: yk_high in /usr/share/yubikey-val/ykval-synclib.php on line 161
PHP Notice: Undefined index: yk_low in /usr/share/yubikey-val/ykval-synclib.php on line 162
PHP Notice: Undefined index: yk_counter in /usr/share/yubikey-val/ykval-synclib.php on line 271
PHP Notice: Undefined index: yk_counter in /usr/share/yubikey-val/ykval-synclib.php on line 249
PHP Notice: Undefined index: in /usr/share/yubikey-val/ykval-synclib.php on line 424

And this:

Code:
PHP Notice: Undefined index: �U� in /usr/share/yubikey-val/ykval-synclib.php on line 332
PHP Notice: Undefined offset: 1 in /usr/share/yubikey-val/ykval-synclib.php on line 589
PHP Notice: Undefined index: local_counter in /usr/share/yubikey-val/ykval-synclib.php on line 592
PHP Notice: Undefined index: local_use in /usr/share/yubikey-val/ykval-synclib.php on line 593
PHP Notice: Undefined index: yk_publicname in /usr/share/yubikey-val/ykval-synclib.php on line 355
PHP Notice: Undefined index: modified in /usr/share/yubikey-val/ykval-synclib.php on line 156
PHP Notice: Undefined index: nonce in /usr/share/yubikey-val/ykval-synclib.php on line 157
PHP Notice: Undefined index: yk_publicname in /usr/share/yubikey-val/ykval-synclib.php on line 158
PHP Notice: Undefined index: yk_high in /usr/share/yubikey-val/ykval-synclib.php on line 161
PHP Notice: Undefined index: yk_low in /usr/share/yubikey-val/ykval-synclib.php on line 162
PHP Notice: Undefined index: yk_counter in /usr/share/yubikey-val/ykval-synclib.php on line 271
PHP Notice: Undefined index: yk_counter in /usr/share/yubikey-val/ykval-synclib.php on line 249
PHP Notice: Undefined index: �U� in /usr/share/yubikey-val/ykval-synclib.php on line 424
PHP Warning: curl_close() expects parameter 1 to be resource, array given in /usr/share/yubikey-val/ykval-synclib.php on line 447

Some strange unicode characters are appearing here.

And I noticed a bogus entry in the db which is probably causing all this:

Code:
mysql> SELECT * from yubikeys WHERE yk_publicname = "";
+--------+------------+----------+---------------+------------+--------+--------+---------+------------------+-------+
| active | created    | modified | yk_publicname | yk_counter | yk_use | yk_low | yk_high | nonce            | notes |
+--------+------------+----------+---------------+------------+--------+--------+---------+------------------+-------+
|      1 | 1461087547 |       -1 |               |         -1 |     -1 |     -1 |      -1 | 0000000000000000 |       |
+--------+------------+----------+---------------+------------+--------+--------+---------+------------------+-------+
1 row in set (0.00 sec)

I can delete it but it comes back as long as ykval-queue is running. Finally, here is my /var/log/messages on the host that has problems (second-yk-server.local in my config):

Code:
LOG_INFO:ykval-queue:synclib:server=http://first-yk-server.local/wsapi/2.0/sync, server_nonce=<SERVER_NONCE_HERE>, info=yk_publicname=cccccc<6morechars>&yk_counter=50&yk_use=0&yk_high=169&yk_low=788&nonce=<NONCE_HERE>,local_counter=49&local_use=0
LOG_INFO:ykval-queue:synclib:database not updated modified=1461087576 nonce=<NONCE_HERE> yk_publicname=cccccc<6morechars> yk_counter=52 yk_use=0 yk_high=188 yk_low=11100
LOG_NOTICE:ykval-queue:synclib:Discovered new identity
LOG_NOTICE:ykval-queue:synclib:params for yk_publicname not found in database
LOG_NOTICE:ykval-queue:synclib:Local server out of sync compared to counters at validation request time.
LOG_WARNING:ykval-queue:synclib:Local server out of sync compared to current local counters. Local server updated.
LOG_ERR:ykval-queue:synclib:Remote server has higher counters than OTP. This response would have marked the OTP as invalid.

I had to censor my nonce/yk_publicname. Anyway, does anyone know what is causing this and what can I do to debug this more? I tried dropping the yubikeys and queue tables but the same problem starts to appear again.

Here is my queue table on the second server:

Code:
mysql> select * from queue;
+--------+------------+----------------------------------+-------------------------+---------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------+
| queued | modified   | server_nonce                     | otp                     | server                                      | info                                                                                                                        |
+--------+------------+----------------------------------+-------------------------+---------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------+
| NULL   | 1461087545 | 7e259894650a75f053b41df688c674ad | cccccc<THE_REST_OF_OTP> | http://first-yk-server.local/wsapi/2.0/sync | yk_publicname=cccccc<6morechars>&yk_counter=50&yk_use=0&yk_high=169&yk_low=788&nonce=<NONCE>,local_counter=49&local_use=0   |
| NULL   | 1461087571 | 37b4701d86ef6c66d5e0ff6ad6288a13 | cccccc<THE_REST_OF_OTP> | http://first-yk-server.local/wsapi/2.0/sync | yk_publicname=cccccc<6morechars>&yk_counter=52&yk_use=0&yk_high=188&yk_low=11100&nonce=<NONCE>,local_counter=51&local_use=0 |
+--------+------------+----------------------------------+-------------------------+---------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
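Added example (not yubikey-val's own PHP and not the poster's code): a small Python model of what a YK-VAL node does with one queue row once a sync-pool peer has answered with its stored counters. It parses the `queue.info` layout visible in the rows above (peer-bound OTP params, a comma, then `local_counter`/`local_use` recorded at queue time) and applies the usual "later (yk_counter, yk_use) pair wins" replay rule, producing the same three notices the log lines above show. The public name and nonce in the sample row are constructed placeholders for the censored ones, the function names (`parse_queue_info`, `sync_verdict`, `evaluate_row`) are hypothetical, and nonce tie-breaking is deliberately left out. The parser rejects a blank or truncated row instead of letting it through as an empty `yk_publicname`, which is the kind of row the NULL-publicname lookups and insert in the MySQL log further down would come from.

```python
# Added illustration, not code from yubikey-val or from the poster: the
# decision a YK-VAL node makes for a queued OTP once a sync-pool peer has
# answered with its own counters. Field names are the ones in the queue rows
# and log lines in the post; the sample row below is constructed, and the
# "later (yk_counter, yk_use) pair wins" rule is the usual YubiKey replay
# check, simplified here (nonce tie-breaking is left out).
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass(frozen=True, order=True)
class Counters:
    """A YubiKey OTP position. Field order matters: dataclass ordering
    compares (counter, use) as a tuple, which is the ordering the sync
    protocol needs."""
    counter: int  # yk_counter: bumped on every power-up (session)
    use: int      # yk_use: bumped per OTP within a session


# Fields the peer-bound half of queue.info must carry, non-empty.
OTP_FIELDS = ("yk_publicname", "yk_counter", "yk_use", "yk_high", "yk_low", "nonce")


def _params(query: str) -> dict[str, str]:
    # parse_qs drops blank values, so "nonce=" shows up as a missing field.
    return {k: v[0] for k, v in parse_qs(query).items()}


def parse_queue_info(info: str) -> tuple[dict[str, str], Counters]:
    """Split queue.info ("<params sent to the peer>,<local counters when
    queued>") into its two halves. A malformed row raises instead of
    silently yielding an empty yk_publicname that would then be looked up
    or inserted as a key with no public name."""
    if "," not in info:
        raise ValueError("queue info lacks the ',local_counter=...' half")
    otp_part, local_part = info.split(",", 1)
    otp = _params(otp_part)
    local = _params(local_part)
    missing = [f for f in OTP_FIELDS if f not in otp]
    if missing:
        raise ValueError(f"queue info missing {missing}")
    if "local_counter" not in local or "local_use" not in local:
        raise ValueError("queue info missing local_counter/local_use")
    return otp, Counters(int(local["local_counter"]), int(local["local_use"]))


def is_well_formed(info: str) -> bool:
    try:
        parse_queue_info(info)
    except ValueError:
        return False
    return True


def otp_counters(otp: dict[str, str]) -> Counters:
    return Counters(int(otp["yk_counter"]), int(otp["yk_use"]))


def sync_verdict(otp: Counters, local_at_queue: Counters,
                 local_now: Counters, remote: Counters) -> tuple[str, list[str]]:
    """Compare the peer's stored position with (a) our position when the row
    was queued, (b) our position now and (c) the OTP itself. Returns the
    verdict for the OTP plus the notices a node would log."""
    notices = []
    if remote > local_at_queue:
        notices.append("Local server out of sync compared to counters at validation request time.")
    if remote > local_now:
        notices.append("Local server out of sync compared to current local counters. Local server updated.")
    if remote > otp:
        # The peer has already accepted a later OTP from this key: this one is a replay.
        notices.append("Remote server has higher counters than OTP. This response would have marked the OTP as invalid.")
        return "replayed", notices
    return "valid", notices


def evaluate_row(info: str, local_now: Counters, remote: Counters) -> tuple[str, list[str]]:
    """One queue row end to end: parse it, then judge the peer's answer."""
    otp, local_at_queue = parse_queue_info(info)
    return sync_verdict(otp_counters(otp), local_at_queue, local_now, remote)


# Constructed sample: the shape of the first queue row in the post, with a
# made-up public name and nonce in place of the censored ones.
SAMPLE_ROW = ("yk_publicname=ccccccbchvtr&yk_counter=50&yk_use=0&yk_high=169"
              "&yk_low=788&nonce=0123456789abcdef0123456789abcdef,"
              "local_counter=49&local_use=0")

if __name__ == "__main__":
    # Peer already stores counter 52: the queued OTP at 50 is stale.
    verdict, notices = evaluate_row(SAMPLE_ROW, Counters(51, 0), Counters(52, 0))
    print(verdict)
    for n in notices:
        print(" -", n)
    # Peer is behind us: nothing to fix locally, the OTP stands.
    print(evaluate_row(SAMPLE_ROW, Counters(50, 0), Counters(48, 7))[0])
    print(is_well_formed(""))  # a blank row is rejected up front
```

Run with the sample row and a peer answer of (52, 0) and you get all three notices plus a `replayed` verdict, which is the sequence in the poster's /var/log/messages; a peer answer at or below the OTP's own (50, 0) yields `valid`. The useful property to keep in mind when reading the real synclib is that the comparison is on the (counter, use) pair, never on the counter alone.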
Author: Tom2 [ Fri Apr 22, 2016 12:20 pm ]
Post subject: Re: YK-val sync works only one way. Can someone help?
Ideally you should use our yubikey-val package, on Ubuntu 14.04 preferably. I think that should solve your issue.
Author: JanMichaelVincent [ Fri Apr 22, 2016 11:59 pm ]
Post subject: Re: YK-val sync works only one way. Can someone help?
I am on CentOS 6 using the latest yubikey-val from git. As long as the queue table is empty there are no errors. As soon as an entry appears there I get errors. Here's the MySQL debug log on second-yk-server.local:

Code:
160422 15:57:36     3 Query     select distinct server from queue WHERE queued < 1461365846 or queued is null
                    3 Query     select * from queue WHERE (queued < 1461365846 or queued is null) and server='http://first-yk-server.local/wsapi/2.0/sync' LIMIT 1000
                    3 Query     UPDATE yubikeys SET modified='1461363170', yk_counter='313', yk_use='0', yk_low='17484', yk_high='90', nonce='<<NONCE>>' WHERE yk_publicname = 'cccccc<<6CHARS>>' and (313>yk_counter or (313=yk_counter and 0>yk_use))
                    3 Query     SELECT * FROM yubikeys WHERE yk_publicname is NULL LIMIT 1
                    3 Query     INSERT INTO yubikeys (active,created,modified,yk_counter,yk_use,yk_low,yk_high,nonce,notes) VALUES ('1','1461365856','-1','-1','-1','-1','-1','0000000000000000','')
                    3 Query     SELECT * FROM yubikeys WHERE yk_publicname is NULL LIMIT 1
                    3 Query     DELETE FROM queue WHERE modified = '' and server_nonce = '' and server = ''

And these are coming in every second even if the bogus entry is there. Any workaround for CentOS and git?
Author: JanMichaelVincent [ Tue May 03, 2016 5:50 pm ]
Post subject: Re: YK-val sync works only one way. Can someone help?
Just to close the loop, the new git version of synclib fixes this issue.
All times are UTC + 1 hour