Simple and secure YubiKey OTP validation server
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
src
tools
.gitignore
LICENSE
README.old
README.rst

README.rst

Yet Another YubiKey OTP Validation Server

Several other implementations are available. Some of them are not secure enough:

Official implementation is written in PHP (sigh...), and I don't know Go enough to audit digintLab's implementation:

This is a complete rewrite of YubiServe because the original project seems not to be designed with security in mind. Copy-and-paste programming made code reviews nearly impossible, there is no protection against SQL injection, etc.

This fork was given a new name to make it easy for people to differentiate from the original project.

Usage

Create a new database:

$ ./tools/dbcreate.py ./yubikeys.sqlite3

Plug and flash the YubiKeys (keys are also written to the database):

$ ./tools/flash.py gbush ./yubikeys.sqlite3
$ ./tools/flash.py bobama ./yubikeys.sqlite3

Add a new API key (here, the API key name is developers):

$ ./tools/dbconf.py -aa developers ./yubikeys.sqlite3

Run the server:

$ ./src/yubiserve.py --db ./yubikeys.sqlite3

That's it. The servers wanting to make use of two factor authentication need to be configured. The following paragraph shows an example for OpenSSH.

OpenSSH configuration example

Here's a summary of Yubico's documentation.

Get information about users and API on the machine hosting yubikeys.sqlite3:

$ ./tools/dbconf.py -yl ./yubikeys.sqlite3
2 keys into database:
[Nickname]              >> [PublicID]            >> [Active]
gbush                   >> ibhdhehrhkhuifhv      >> 1
bobama                  >> ibibhdhvhdhbhthb      >> 1

$ ./tools/dbconf.py -al ./yubikeys.sqlite3
1 keys into database:
[Id]    >> [Keyname]            >> [Secret]
1       >> developers           >> ckFsWU5scVNXRjVZc3lJUmpIVzU=

On the OpenSSH machine, add users to /etc/yubimap:

$ cat /etc/yubimap
barack:ibibhdhvhdhbhthb
george:ibhdhehrhkhuifhv

Configure PAM to use YubiKey authentication (take care of API id and API key values):

$ head /etc/pam.d/sshd | grep include
#@include common-auth
@include yubi-auth

$ cat /etc/pam.d/yubi-auth
auth       required     pam_yubico.so authfile=/etc/yubimap id=1 key=ckFsWU5scVNXRjVZc3lJUmpIVzU= url=http://yubikeyval.local:8000/wsapi/2.0/verify?id=%d&otp=%s mode=client token_id_length=16

Configure OpenSSH:

$ tail -4 /etc/ssh/sshd_config
ChallengeResponseAuthentication  no
Match User george,barack
    PasswordAuthentication       yes
    AuthenticationMethods        publickey,password

TODO

OATH/HOTP is not supported at present.

Original author

  • Alessio Periloso <mail at periloso.it>