Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 11:21 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 12 posts ]  Go to page 1, 2  Next
Author Message
PostPosted: Thu Jul 10, 2014 4:06 pm 
Offline

Joined: Wed Jun 04, 2014 3:29 am
Posts: 7
Requirements: Ubuntu Server 12.04, YubiX software stack, OpenVPN, VMWare (or VirtualBox), Yubikey
Description: This how to walks you through the process of setting up a YubiX VM with an OpenVPN access server.
Attached File: yubix_vm_howto_v2c.pdf

Folks:

One of the struggles I had in getting started with YubiX was not having one document that walked me through the installation, setup, and testing of the YubiKey and the YubiX software. This how-to attempts to address that issue by providing detailed steps to setup, configure, and test a virtual machine that provides the following functions:
    A YubiKey authorization infrastructure (yubiauth)
    A YubiKey local key store (yubiksm)
    A YubiKey One Time Password (OTP) validation server (yubval) - optionally you can use the YubiKey Cloud Validation
    A freeRADIUS infrastructure
    An OpenVPN Access Server

This how-to walks you through the steps necessary to build this VM, including building the base operating system, installing the YubiX and OpenVPN software, and then configuring and testing it all. You have the choice of using the YubiKey cloud OTP validation service, or configuring the VM to perform the validation locally.

Hopefully this will be useful to folks. Comments, suggestions and updates are welcome. Contact me through the forum, or you can email me at my forum handle at gmail dot com.

-j505


Attachments:
yubix_vm_howto_v2c.pdf [934.5 KiB]
Downloaded 621 times
Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Mon Jul 14, 2014 8:35 am 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Thanks for this guide.

_________________
-Tom


Top
 Profile  
Reply with quote  
PostPosted: Thu Aug 28, 2014 11:39 pm 
Offline

Joined: Thu Aug 28, 2014 9:08 pm
Posts: 7
This helps tremendously and is very thorough , however I have a VPN client already so I'm not sure what i can and cant rule out of your tut.
But you've pointed me in a better direction then any Yubix tutorials so i have to say thank you for putting this together.
Do any Yubix tutorials even exist?


Top
 Profile  
Reply with quote  
PostPosted: Tue Sep 02, 2014 6:42 pm 
Offline

Joined: Wed Jun 04, 2014 3:29 am
Posts: 7
rcota:
re: existing VPN client - i am trying to understand your question a bit better so i can give you a useful answer. when you say you have a vpn client already, do you mean the client AND the server? like for instance are you using a juniper VPN server, which delivers a java client? to my way of thinking the VPN client and server are pretty much a matched pair. as long as the VPN server can be configured to use RADIUS, and the VPN client will pass a long enough password (the static password + the yubikey OTP), then everything should be able to work ok. sections 4.3 and 6 will be different for the specific VPN server.

i have used the YubiX VM with an external hardware VPN server, so if that is of interest to folks i can write up an addendum to the document.

as for yubikey's documentation - well, i cant say - except i found it lacking as well, so i wrote my own :}

jerichod505.


Top
 Profile  
Reply with quote  
PostPosted: Wed Sep 03, 2014 2:56 am 
Offline

Joined: Thu Aug 28, 2014 9:24 pm
Posts: 23
Location: California
This is very useful, thank you.

I've a question. Page 15 states:

Quote:
To make the encrypted version, run the gpg utility with the options shown below. Note that '16405BDA' is the ID of the ksm key we made a few steps prior.


Where do you get that from? Is it from "gpg --list-keys"? If so, is it from the line that begins with "pub", or the one that begins with "sub"?

_________________
Florin Andrei
http://florin.myip.org/


Top
 Profile  
Reply with quote  
PostPosted: Wed Sep 03, 2014 3:26 pm 
Offline

Joined: Thu Aug 28, 2014 9:08 pm
Posts: 7
its going to be the pub. and even easier its just above that the "gpg: key 4AFCB3D9 marked as ultimately trusted public and secret key created and signed." for example


Top
 Profile  
Reply with quote  
PostPosted: Wed Sep 03, 2014 6:48 pm 
Offline

Joined: Thu Aug 28, 2014 9:24 pm
Posts: 23
Location: California
What is the rationale for using GPG as an intermediate step?

I went into the DB and did a "SELECT * FROM ykksm.yubikeys" and the information there was more or less the same as what's in the keyXXXX.txt file. So, presumably, one could do an "INSERT INTO ykksm.yubikeys VALUES ..." directly from the .txt file.

Is GPG meant to be just a separate, secure data store for the key stuff? (kind of like a secure backup)

_________________
Florin Andrei
http://florin.myip.org/


Top
 Profile  
Reply with quote  
PostPosted: Wed Sep 03, 2014 8:42 pm 
Offline

Joined: Thu Aug 28, 2014 9:08 pm
Posts: 7
i believe it is the method for encrypting the data. its the step that adds encryption to the file.
Theres got to be a tool or Gui method to do this for several hundred yubi keys, for now Im just looking on a successful 1!


Top
 Profile  
Reply with quote  
PostPosted: Sat Sep 27, 2014 12:57 am 
Offline

Joined: Wed Jun 04, 2014 3:29 am
Posts: 7
folks: after upgrading to the latest version of python-yubiauth on this VM i found that apache would not start.

I received and 'Invalid command '<IfVersion' ' error when apache tried to start.

please see the link below for a discussion on how I fixed this:
viewtopic.php?f=31&t=1455#p5597

let me know if anybody else has this same issue - i need to update the howto to reflect turning the mod_version on in apache if that is the case.

--j505.


Top
 Profile  
Reply with quote  
PostPosted: Thu Apr 02, 2015 6:41 pm 
Offline

Joined: Thu Apr 02, 2015 6:11 pm
Posts: 1
I am not able o download this doc.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 12 posts ]  Go to page 1, 2  Next

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group