2014-08-14 13:25:48 +02:00
|
|
|
== Introduction
|
2014-08-11 15:52:11 +02:00
|
|
|
|
|
|
|
|
The YK-VAL server has an optional interface that can be used to
|
|
|
|
|
enable/disable validation of particular YubiKeys from a remote server.
|
|
|
|
|
This document explains how to configure and set up that service.
|
|
|
|
|
|
|
|
|
|
Currently authorization is based on IP address of client, which may
|
|
|
|
|
not be secure unless you take additional pre-cautions.
|
|
|
|
|
|
2014-08-14 13:25:48 +02:00
|
|
|
== Installation
|
2014-08-11 15:52:11 +02:00
|
|
|
|
2014-10-29 15:08:12 +01:00
|
|
|
[source, sh]
|
|
|
|
|
----
|
|
|
|
|
user@val:~/yubikey-val$ sudo make revoke
|
|
|
|
|
user@val:~/yubikey-val$
|
|
|
|
|
----
|
2014-08-11 15:52:11 +02:00
|
|
|
|
2014-08-14 13:25:48 +02:00
|
|
|
== Configuration
|
2014-08-11 15:52:11 +02:00
|
|
|
|
|
|
|
|
Add the following to your /etc/yubico/val/ykval-config.php:
|
|
|
|
|
|
2014-10-29 15:08:12 +01:00
|
|
|
[source, php]
|
|
|
|
|
----
|
|
|
|
|
# For the revoke service.
|
|
|
|
|
$baseParams['__YKREV_IPS__'] = array('10.0.0.1', '2000:1:2:3::4');
|
|
|
|
|
----
|
2014-08-11 15:52:11 +02:00
|
|
|
|
|
|
|
|
Obviously you need to modify the IP address.
|
|
|
|
|
|
|
|
|
|
You also need to grant additional rights to the database, for MySQL:
|
|
|
|
|
|
2014-10-29 15:08:12 +01:00
|
|
|
[source, sh]
|
|
|
|
|
----
|
|
|
|
|
user@val:~$ mysql --silent ykval
|
|
|
|
|
mysql> GRANT UPDATE(active) ON ykval.yubikeys to 'ykval_verifier'@'localhost'; \
|
|
|
|
|
FLUSH PRIVILEGES;
|
|
|
|
|
mysql> \q
|
|
|
|
|
user@val:~$
|
|
|
|
|
----
|
2014-08-11 15:52:11 +02:00
|
|
|
|
|
|
|
|
For PostgreSQL this should already be working, through this command:
|
|
|
|
|
|
2014-10-29 15:08:12 +01:00
|
|
|
[source, sh]
|
|
|
|
|
----
|
|
|
|
|
postgres@val:~$ psql ykval -q
|
|
|
|
|
ykval=# GRANT UPDATE ON yubikeys TO ykval_verifier;
|
|
|
|
|
ykval=# \q
|
|
|
|
|
postgres@val:~$
|
|
|
|
|
----
|
2014-08-11 15:52:11 +02:00
|
|
|
|
2014-08-14 13:25:48 +02:00
|
|
|
== Testing
|
2014-08-11 15:52:11 +02:00
|
|
|
|
|
|
|
|
Test the installation like this:
|
2014-10-29 15:08:12 +01:00
|
|
|
|
|
|
|
|
[source, sh]
|
|
|
|
|
----
|
|
|
|
|
user@revoke:~$ wget -q -O - 'http://api.example.com/wsapi/revoke?yk=dteffujehknh&do=enable'
|
|
|
|
|
OK Processed dteffujehknh with enable
|
|
|
|
|
user@revoke:~$
|
|
|
|
|
----
|
2014-08-11 15:52:11 +02:00
|
|
|
|
|
|
|
|
Use 'disable' instead of 'enable' to test disabling of the YubiKey.
|
|
|
|
|
|
2014-08-14 13:25:48 +02:00
|
|
|
== The End
|
2014-08-11 15:52:11 +02:00
|
|
|
|
|
|
|
|
You now have the YK-VAL Revocation Service up and running.
|
