Yubico Forum

Requirements: Ubuntu Server 12.04, YubiX software stack, OpenVPN, VMWare (or VirtualBox), Yubikey
Description: This how to walks you through the process of setting up a YubiX VM with an OpenVPN access server.
Attached File: yubix_vm_howto_v2c.pdf

Folks:

One of the struggles I had in getting started with YubiX was not having one document that walked me through the installation, setup, and testing of the YubiKey and the YubiX software. This how-to attempts to address that issue by providing detailed steps to setup, configure, and test a virtual machine that provides the following functions:

A YubiKey authorization infrastructure (yubiauth)
A YubiKey local key store (yubiksm)
A YubiKey One Time Password (OTP) validation server (yubval) - optionally you can use the YubiKey Cloud Validation
A freeRADIUS infrastructure
An OpenVPN Access Server

This how-to walks you through the steps necessary to build this VM, including building the base operating system, installing the YubiX and OpenVPN software, and then configuring and testing it all. You have the choice of using the YubiKey cloud OTP validation service, or configuring the VM to perform the validation locally.

Hopefully this will be useful to folks. Comments, suggestions and updates are welcome. Contact me through the forum, or you can email me at my forum handle at gmail dot com.

-j505

Thanks for this guide.

_________________
-Tom

This helps tremendously and is very thorough , however I have a VPN client already so I'm not sure what i can and cant rule out of your tut.
But you've pointed me in a better direction then any Yubix tutorials so i have to say thank you for putting this together.
Do any Yubix tutorials even exist?

rcota:
re: existing VPN client - i am trying to understand your question a bit better so i can give you a useful answer. when you say you have a vpn client already, do you mean the client AND the server? like for instance are you using a juniper VPN server, which delivers a java client? to my way of thinking the VPN client and server are pretty much a matched pair. as long as the VPN server can be configured to use RADIUS, and the VPN client will pass a long enough password (the static password + the yubikey OTP), then everything should be able to work ok. sections 4.3 and 6 will be different for the specific VPN server.

i have used the YubiX VM with an external hardware VPN server, so if that is of interest to folks i can write up an addendum to the document.

as for yubikey's documentation - well, i cant say - except i found it lacking as well, so i wrote my own :}

jerichod505.

This is very useful, thank you.

I've a question. Page 15 states:



Where do you get that from? Is it from "gpg --list-keys"? If so, is it from the line that begins with "pub", or the one that begins with "sub"?

_________________
Florin Andrei
http://florin.myip.org/

its going to be the pub. and even easier its just above that the "gpg: key 4AFCB3D9 marked as ultimately trusted public and secret key created and signed." for example

What is the rationale for using GPG as an intermediate step?

I went into the DB and did a "SELECT * FROM ykksm.yubikeys" and the information there was more or less the same as what's in the keyXXXX.txt file. So, presumably, one could do an "INSERT INTO ykksm.yubikeys VALUES ..." directly from the .txt file.

Is GPG meant to be just a separate, secure data store for the key stuff? (kind of like a secure backup)

_________________
Florin Andrei
http://florin.myip.org/

i believe it is the method for encrypting the data. its the step that adds encryption to the file.
Theres got to be a tool or Gui method to do this for several hundred yubi keys, for now Im just looking on a successful 1!

folks: after upgrading to the latest version of python-yubiauth on this VM i found that apache would not start.

I received and 'Invalid command '<IfVersion' ' error when apache tried to start.

please see the link below for a discussion on how I fixed this:
viewtopic.php?f=31&t=1455#p5597

let me know if anybody else has this same issue - i need to update the howto to reflect turning the mod_version on in apache if that is the case.

--j505.

I am not able o download this doc.