mirror of
https://github.com/Yubico/yubikey-val.git
synced 2024-12-01 15:24:16 +01:00
601 lines
18 KiB
Plaintext
601 lines
18 KiB
Plaintext
== Introduction
|
|
|
|
This document describes how to get one instance of the Yubikey
|
|
Validation Server (YK-VAL) up and running.
|
|
|
|
The purpose of the Yubikey validation server is to validate Yubikey
|
|
OTPs. The validation server is written in PHP, and thus needs a web
|
|
server and a database. We will use Apache and MySQL, but with small
|
|
modifications it should be possible to use with other implementations
|
|
too (e.g., lighttpd and PostgreSQL).
|
|
|
|
The validation server needs to talk to a Yubikey Key Storage Module
|
|
(YK-KSM) to work. Thus, you either need to arrange for access to a
|
|
remote YK-KSM and get the URL to it, or install your own YK-KSM.
|
|
|
|
Currently there are two recommended implementations of a YK-KSM. If
|
|
you have a YubiHSM hardware dongle and want improve security, we
|
|
recommend using
|
|
https://developers.yubico.com/python-pyhsm/[Python-PyHSM].
|
|
|
|
Otherwise we recommend the "soft"
|
|
https://developers.yubico.com/yubikey-ksm/[YK-KSM]
|
|
|
|
The YK-KSM can be on the same machine as the validation server, but
|
|
for improved security we recommend to use different machines for the
|
|
validation server and the KSM.
|
|
|
|
The OTP validation service is delivered through web service API.
|
|
There's no web-based HTML form interface involved. The protocol is
|
|
defined at: http://www.yubico.com/developers/api/
|
|
|
|
For redundancy it is possible to set up multiple instances of the
|
|
YubiKey Validation Server. The intent is that clients should be able
|
|
to continue validate OTPs even if one of the servers are down. This
|
|
is reflected in the configuration of a YK-VAL by having a "sync pool"
|
|
concept. The sync pool of a particular YK-VAL instance is a list of
|
|
URLs that the local server will synchronize the OTP with, depending on
|
|
client request. Normally if you have 5 servers, each server will have
|
|
a list of the 4 other servers in its sync pool -- however it IS
|
|
possible to deviate from this if for some reason it is not possible to
|
|
reach one particular server from one of the servers. For simplicity,
|
|
we strongly recommend you to list non-local servers in each sync pool
|
|
though.
|
|
|
|
== Installation
|
|
|
|
This following steps applies to any GNU/Linux-like system, although it
|
|
was written for Debian GNU/Linux. If you do not know which OS to use,
|
|
we recommend a default choice of Ubuntu 12.04 LTS since it is a
|
|
well-known distribution that comes with 5 years of security support.
|
|
Install the OS following its manual and enable automatic security
|
|
upgrades if prompted.
|
|
|
|
=== Step 1: YK-VAL Installation
|
|
|
|
First you should download and install the latest YK-VAL release:
|
|
|
|
[source, sh]
|
|
----
|
|
user@val:~$ sudo apt-get install git make
|
|
...
|
|
user@val:~$ git clone https://github.com/Yubico/yubikey-val.git
|
|
...
|
|
user@val:~$ cd yubikey-val
|
|
user@val:~/yubikey-val$ sudo make install
|
|
----
|
|
|
|
The rest of this documentation will assume you have YK-VAL available
|
|
in the default installation targets. You can override the paths, see
|
|
the Makefile.
|
|
|
|
=== Step 2: Install web server and PHP
|
|
|
|
You also need to install a web server with PHP5, php5-curl and php-pear.
|
|
|
|
[source, sh]
|
|
user@val:~$ sudo apt-get install apache2 php5 php5-curl php-pear
|
|
|
|
Any web server with PHP support should work.
|
|
|
|
=== Step 3: Database installation
|
|
|
|
Any SQL database with PHP support should work. We give examples for
|
|
MySQL and PostgreSQL here. Note that you need to chose between either
|
|
PostgreSQL or MySQL here.
|
|
|
|
==== Step 3A: MySQL Installation
|
|
|
|
Install the required packages:
|
|
|
|
[source, sh]
|
|
user@val:~$ sudo apt-get install mysql-server php5-mysql
|
|
|
|
The installation asks you for a MySQL "root" password, and I recommend
|
|
to specify one. To avoid having to specify a password when using the
|
|
'mysql' tool interactively, you can store the password in ~/.my.cnf,
|
|
see /usr/share/doc/mysql-server-5.0/README.Debian.gz. For example:
|
|
|
|
[source, sh]
|
|
----
|
|
user@val:~$ cat > .my.cnf
|
|
[client]
|
|
user = root
|
|
password = YOURPASSWORD
|
|
user@val:~$ chmod go-r .my.cnf
|
|
user@val:~$
|
|
----
|
|
|
|
Note the 'chmod' to protect your password from non-root users.
|
|
|
|
The database needs to be initialized as follows:
|
|
|
|
[source, sh]
|
|
----
|
|
user@val:~$ echo 'create database ykval' | mysql
|
|
user@val:~$ mysql ykval < /usr/share/doc/yubikey-val/ykval-db.sql
|
|
user@val:~$
|
|
----
|
|
|
|
You also need to create a database user for the verifier interface,
|
|
normally called 'ykval_verifier':
|
|
|
|
[source, sh]
|
|
----
|
|
user@val:~$ mysql --silent ykval
|
|
mysql> CREATE USER 'ykval_verifier'@'localhost'; \
|
|
GRANT SELECT,INSERT,UPDATE(modified, yk_counter, yk_low, yk_high, yk_use, nonce) ON ykval.yubikeys TO 'ykval_verifier'@'localhost'; \
|
|
GRANT SELECT(id, secret, active) ON ykval.clients TO 'ykval_verifier'@'localhost'; \
|
|
GRANT SELECT,INSERT,UPDATE,DELETE ON ykval.queue TO 'ykval_verifier'@'localhost'; \
|
|
SET PASSWORD FOR 'ykval_verifier'@'localhost' = PASSWORD('yourpassword'); \
|
|
FLUSH PRIVILEGES;
|
|
mysql> \q
|
|
user@val:~$
|
|
----
|
|
|
|
==== Step 3B: PostgreSQL Installation
|
|
|
|
Install the required packages:
|
|
|
|
[source, sh]
|
|
----
|
|
user@val:~$ sudo apt-get install postgresql php5-pgsql
|
|
...
|
|
user@val:~$
|
|
----
|
|
|
|
The database needs to be initialized as follows:
|
|
|
|
[source, sh]
|
|
----
|
|
user@val:~$ sudo su postgres
|
|
postgres@val:~$ createdb ykval
|
|
postgres@val:~$ psql ykval < /usr/share/doc/yubikey-val/ykval-db.sql
|
|
postgres@val:~$
|
|
----
|
|
|
|
You also need to create a database user for the verifier interface,
|
|
normally called 'ykval_verifier':
|
|
|
|
[source, sh]
|
|
----
|
|
postgres@val:~$ psql ykval -q
|
|
ykval=# CREATE USER ykval_verifier PASSWORD 'yourpassword';
|
|
ykval=# GRANT SELECT,INSERT,UPDATE ON yubikeys TO ykval_verifier;
|
|
ykval=# GRANT SELECT ON clients TO ykval_verifier;
|
|
ykval=# GRANT SELECT, INSERT, UPDATE, DELETE ON queue TO ykval_verifier;
|
|
ykval=# \q
|
|
postgres@val:~$
|
|
----
|
|
|
|
Don't forget to switch back to your normal user
|
|
|
|
[source, sh]
|
|
----
|
|
postgres@val:~$ exit
|
|
user@val:~$
|
|
----
|
|
|
|
During installation and debugging it may be useful to watch the
|
|
database log entries:
|
|
|
|
[source, sh]
|
|
user@val:~$ sudo tail -F /var/log/postgresql/postgresql-*-main.log &
|
|
|
|
=== Step 4: Setup Verify OTP Interface
|
|
|
|
The interface to verify OTPs is implemented using a PHP script. You
|
|
can place the script under any URL, but we recommend serving it as
|
|
'http://ykval.example.org/wsapi/verify'. The simplest way to setup
|
|
the symlinks is to invoke 'make symlink' in your YK-VAL source tree.
|
|
Like this:
|
|
|
|
[source, sh]
|
|
----
|
|
user@val:~/yubikey-val$ sudo make symlink
|
|
install -d /var/www/wsapi/2.0
|
|
ln -sf /usr/share/yubikey-val/ykval-verify.php /var/www/wsapi/2.0/verify.php
|
|
ln -sf /usr/share/yubikey-val/ykval-sync.php /var/www/wsapi/2.0/sync.php
|
|
user@val:~/yubikey-val$
|
|
----
|
|
|
|
If you want to do it manually, you can invoke the above commands
|
|
manually.
|
|
|
|
=== Step 5: Include path configuration
|
|
|
|
Set the include path for the queue daemon by creating a file
|
|
/etc/default/ykval-queue with the following content:
|
|
|
|
[source, sh]
|
|
----
|
|
user@val:~$ sudo sh -c 'cat > /etc/default/ykval-queue'
|
|
DAEMON_ARGS="/etc/yubico/val:/usr/share/yubikey-val"
|
|
user@val:~$
|
|
----
|
|
|
|
You also need to set the include path for the PHP scripts running via
|
|
Apache, using a .htaccess file:
|
|
|
|
[source, sh]
|
|
----
|
|
user@val:~$ sudo sh -c 'cat > /var/www/wsapi/2.0/.htaccess'
|
|
RewriteEngine on
|
|
RewriteRule ^([^/\.\?]+)(\?.*)?$ $1.php$2 [L]
|
|
<IfModule mod_php5.c>
|
|
php_value include_path ".:/etc/yubico/val:/usr/share/yubikey-val"
|
|
</IfModule>
|
|
user@val:~$ sudo ln -s 2.0/.htaccess /var/www/wsapi/.htaccess
|
|
user@val:~$
|
|
----
|
|
|
|
The .htaccess file also sets up rewriting from the non-.PHP suffix URL
|
|
name to the right script.
|
|
|
|
The paths are the default, if you installed the YK-VAL in some other
|
|
place you need to modify the paths.
|
|
|
|
=== Step 6: YK-VAL Configuration
|
|
|
|
You also need to create a ykval-config.php script. An example file is
|
|
included in YK-VAL package as ykval-config.php
|
|
|
|
A template is typically installed in /etc/yubico/val/ykval-config.php-template.
|
|
|
|
[source, sh]
|
|
----
|
|
user@val:~$ sudo cp /etc/yubico/val/ykval-config.php-template /etc/yubico/val/ykval-config.php
|
|
user@val:~$ sudo emacs -nw /etc/yubico/val/ykval-config.php
|
|
----
|
|
|
|
Be careful about the user permissions and ownership so that unrelated
|
|
users on the system cannot read the database password.
|
|
|
|
You will typically need to modify the DSN (`__YKVAL_DB_DSN__`), database
|
|
passwords (`__YKVAL_DB_PW__`), the sync pool lists (`__YKVAL_SYNC_POOL__`
|
|
and `__YKVAL_ALLOWED_SYNC_POOL__`), and the YK-KSM URLs inside the
|
|
otp2ksmurls function.
|
|
|
|
An example DSN for a MySQL setup:
|
|
|
|
[source, php]
|
|
$baseParams['__YKVAL_DB_DSN__'] = "mysql:dbname=ykval;host=127.0.0.1";
|
|
|
|
An example DSN for a PostgreSQL setup:
|
|
|
|
[source, php]
|
|
$baseParams['__YKVAL_DB_DSN__'] = "pgsql:dbname=ykval;host=127.0.0.1";
|
|
|
|
We recommend to add the hosts in YKVAL_SYNC_POOL as entries in '/etc/hosts' to avoid network delays caused by DNS-lookups. For example:
|
|
|
|
[source, sh]
|
|
----
|
|
user@val:~$ sudo sh -c 'cat >> /etc/hosts'
|
|
1.2.3.4 api1.example.com
|
|
2.3.4.5 api2.example.com
|
|
user@val:~$
|
|
----
|
|
|
|
To improve database performance you can use persistent database connection so that each request doesn't require a new connection to be setup. To enable this modify `__YKVAL_DB_OPTIONS__` as follows:
|
|
|
|
[source, php]
|
|
$baseParams['__YKVAL_DB_OPTIONS__'] = array(PDO::ATTR_PERSISTENT => true);
|
|
|
|
=== Step 7: Apache configuration
|
|
|
|
Create an apache web configuration file for the normal HTTP interface
|
|
like this:
|
|
|
|
[source, sh]
|
|
----
|
|
user@val:~$ sudo sh -c 'cat > /etc/apache2/sites-available/ykval.conf'
|
|
<VirtualHost *:80>
|
|
ServerName api.example.com
|
|
ServerAdmin support@example.com
|
|
|
|
DocumentRoot /var/www/
|
|
<Directory />
|
|
Options FollowSymLinks
|
|
AllowOverride None
|
|
</Directory>
|
|
<Directory /var/www/>
|
|
Options FollowSymLinks
|
|
AllowOverride All
|
|
Order allow,deny
|
|
allow from all
|
|
</Directory>
|
|
|
|
ErrorLog /var/log/apache2/ykval-error.log
|
|
LogLevel warn
|
|
|
|
CustomLog /var/log/apache2/ykval-access.log "%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\""
|
|
ServerSignature On
|
|
|
|
</VirtualHost>
|
|
user@val:~$
|
|
----
|
|
|
|
HTTPS is strictly speaking not required, but we strongly recommend it.
|
|
|
|
You need to install a TLS stack for Apache, there are two popular
|
|
options here: mod_gnutls and mod_ssl. We'll explain how to install
|
|
both, but you will need to decide which one to use.
|
|
|
|
You will need to create a key/certificate for your server using normal
|
|
tools like GnuTLS "certtool". A small howto for !GoDaddy is available
|
|
from
|
|
http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/4062.
|
|
|
|
==== Step 7A: HTTPS via mod_gnutls
|
|
|
|
First install and enable the mod_gnutls module:
|
|
|
|
[source, sh]
|
|
----
|
|
user@val:~$ sudo apt-get install libapache2-mod-gnutls
|
|
user@val:~$ sudo a2enmod gnutls
|
|
Enabling module gnutls.
|
|
Run '/etc/init.d/apache2 restart' to activate new configuration!
|
|
user@val:~$
|
|
----
|
|
|
|
You will need to place the private key in
|
|
/etc/ssl/private/api.example.com-key.pem and the certificate chain in
|
|
/etc/ssl/private/api.example.com-chain.pem.
|
|
|
|
Create Apache web configuration files:
|
|
|
|
[source, sh]
|
|
----
|
|
user@val:~$ sudo sh -c 'cat > /etc/apache2/sites-available/ykval-ssl.conf'
|
|
Listen 443
|
|
<VirtualHost *:443>
|
|
ServerName api.example.com
|
|
ServerAdmin support@example.com
|
|
|
|
GnuTLSEnable on
|
|
GnuTLSCertificateFile /etc/ssl/private/api.example.com-chain.pem
|
|
GnuTLSKeyFile /etc/ssl/private/api.example.com-key.pem
|
|
GnuTLSPriorities NORMAL
|
|
|
|
DocumentRoot /var/www/
|
|
<Directory />
|
|
Options FollowSymLinks
|
|
AllowOverride None
|
|
</Directory>
|
|
<Directory /var/www/>
|
|
Options FollowSymLinks
|
|
AllowOverride All
|
|
Order allow,deny
|
|
allow from all
|
|
</Directory>
|
|
|
|
ErrorLog /var/log/apache2/ykval-ssl-error.log
|
|
LogLevel warn
|
|
|
|
CustomLog /var/log/apache2/ykval-ssl-access.log "%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\""
|
|
ServerSignature On
|
|
|
|
</VirtualHost>
|
|
user@val:~$
|
|
----
|
|
|
|
==== Step 7B: HTTPS via mod_ssl
|
|
|
|
The mod_ssl module is typically installed by default, but you need to
|
|
enable it.
|
|
|
|
[source, sh]
|
|
----
|
|
user@val:~$ sudo a2enmod ssl
|
|
Enabling module ssl.
|
|
Run '/etc/init.d/apache2 restart' to activate new configuration!
|
|
user@val:~$
|
|
----
|
|
|
|
You will need to place the private key in
|
|
/etc/ssl/private/api.example.com-key.pem and the certificate chain in
|
|
/etc/ssl/private/api.example.com-chain.pem.
|
|
|
|
[source, sh]
|
|
----
|
|
user@val:~$ sudo sh -c 'cat > /etc/apache2/sites-available/ykval-ssl.conf'
|
|
<VirtualHost *:443>
|
|
ServerName api.example.com
|
|
ServerAdmin support@example.com
|
|
|
|
SSLEngine on
|
|
SSLCertificateFile /etc/ssl/private/api.example.com-chain.pem
|
|
SSLCertificateChainFile /etc/ssl/private/api.example.com-chain.pem
|
|
SSLCertificateKeyFile /etc/ssl/private/api.example.com-key.pem
|
|
|
|
DocumentRoot /var/www/
|
|
<Directory />
|
|
Options FollowSymLinks
|
|
AllowOverride None
|
|
</Directory>
|
|
<Directory /var/www/>
|
|
Options FollowSymLinks
|
|
AllowOverride All
|
|
Order allow,deny
|
|
allow from all
|
|
</Directory>
|
|
|
|
ErrorLog /var/log/apache2/ykval-ssl-error.log
|
|
LogLevel warn
|
|
|
|
CustomLog /var/log/apache2/ykval-ssl-access.log "%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\""
|
|
ServerSignature On
|
|
|
|
</VirtualHost>
|
|
user@val:~$
|
|
----
|
|
|
|
==== Common Apache Configuration
|
|
|
|
This step is the same for both mod_gnutls and mod_ssl.
|
|
|
|
[source, sh]
|
|
----
|
|
user@val:~$ sudo a2enmod rewrite
|
|
Enabling module rewrite.
|
|
Run '/etc/init.d/apache2 restart' to activate new configuration!
|
|
user@val:~$ sudo a2dissite default
|
|
Site default disabled.
|
|
Run '/etc/init.d/apache2 reload' to activate new configuration!
|
|
user@val:~$ sudo a2ensite ykval ykval-ssl
|
|
Enabling site ykval.
|
|
Enabling site ykval-ssl.
|
|
Run '/etc/init.d/apache2 reload' to activate new configuration!
|
|
user@val:~$ sudo /etc/init.d/apache2 restart
|
|
user@val:~$
|
|
----
|
|
|
|
=== Step 8: Logging
|
|
|
|
The PHP interface uses syslog for logging of incoming requests. The
|
|
facility is LOG_LOCAL0. To place these messages in a separate file,
|
|
you can add the following to /etc/syslog.conf, or if you use rsyslog,
|
|
create a file /etc/rsyslog.d/ykval.conf with this content:
|
|
|
|
[source, sh]
|
|
----
|
|
user@val:~$ sudo sh -c 'cat > /etc/rsyslog.d/ykval.conf'
|
|
local0.* -/var/log/ykval.log
|
|
user@val:~$ sudo /etc/init.d/rsyslog restart
|
|
...
|
|
user@val:~$
|
|
----
|
|
|
|
The '-' before the filename avoids syncing the file after each write,
|
|
which is recommended for performance.
|
|
|
|
The log file can grow large quickly, so it is a good idea to setup
|
|
rotation of log files. Here is an example that rotates the log file
|
|
weekly. Create a file /etc/logrotate.d/ykval like this:
|
|
|
|
[source, sh]
|
|
----
|
|
user@val:~$ sudo sh -c 'cat > /etc/logrotate.d/ykval'
|
|
/var/log/ykval.log {
|
|
weekly
|
|
dateext
|
|
compress
|
|
missingok
|
|
rotate 9999
|
|
notifempty
|
|
postrotate
|
|
invoke-rc.d rsyslog reload > /dev/null
|
|
endscript
|
|
}
|
|
user@val:~$
|
|
----
|
|
|
|
You may want to modify the default /etc/logrotate.d/apache2, useful
|
|
things to add are 'dateext' and 'compress' and change 'rotate' to
|
|
something large if you want to retain logs.
|
|
|
|
=== Step 8.1: Fix default log (optional)
|
|
|
|
Unfortunately, most default syslog configuration, including the
|
|
syslog.conf configuration file on Debian, will also log all entries to
|
|
/var/log/syslog and/or /var/log/messages.
|
|
|
|
I am not aware of any way to avoid this without modifying these other
|
|
rules. To avoid YK-VAL log entries in these other files, you must
|
|
modify the default rules. For example, edit the following lines of
|
|
/etc/rsyslog.conf (or /etc/syslog.conf if you don't use rsyslog):
|
|
|
|
[source, sh]
|
|
----
|
|
*.=debug;\
|
|
auth,authpriv.none;\
|
|
news.none;mail.none -/var/log/debug
|
|
*.*;auth,authpriv.none -/var/log/syslog
|
|
*.=info;*.=notice;*.=warn;\
|
|
auth,authpriv.none;\
|
|
cron,daemon.none;\
|
|
mail,news.none -/var/log/messages
|
|
----
|
|
|
|
Change them into:
|
|
|
|
[source, sh]
|
|
----
|
|
*.=debug;\
|
|
auth,authpriv.none;\
|
|
news.none;mail.none;local0.none -/var/log/debug
|
|
*.*;auth,authpriv.none,local0.none -/var/log/syslog
|
|
*.=info;*.=notice;*.=warn;\
|
|
auth,authpriv.none;\
|
|
cron,daemon.none;\
|
|
local0.none;\
|
|
mail,news.none -/var/log/messages
|
|
----
|
|
|
|
Idempotent commands to speed this up:
|
|
|
|
[source, sh]
|
|
----
|
|
user@host:~$ sudo perl -pi -e 's/;auth,authpriv.none/;auth,local0.none,authpriv.none/' /etc/rsyslog.conf
|
|
user@host:~$ sudo perl -pi -e 's/news.none;mail.none/news.none;local0.none;mail.none/' /etc/rsyslog.conf
|
|
user@host:~$ sudo perl -pi -e 's/cron,daemon.none/cron,daemon.none;local0.none/' /etc/rsyslog.conf
|
|
user@host:~$ sudo /etc/init.d/rsyslog restart
|
|
----
|
|
|
|
=== Step 9: Start Sync Daemon
|
|
|
|
When using yubikey-val in a sync pool, you need to have the ykval-queue
|
|
daemon running to ensure that data is synchronized between the servers in
|
|
the pool. The easiest way of running this is to simply invoke ykval-queue
|
|
in a shell:
|
|
|
|
[source, sh]
|
|
user@val:~$ sudo ykval-queue
|
|
|
|
However, the recommended approach is to automate running this process in
|
|
the background, by use of an init script or similar. Instructions on doing
|
|
so vary depending on your operating system.
|
|
|
|
=== Step 10: Sync data from an existing server (optional)
|
|
|
|
If you're adding a new server to an existing pool, you can synchronize all
|
|
YubiKey counter data from one of the existing servers. To do so, the server
|
|
you want to sync from needs to be configured to allow it. Do this by editing
|
|
/etc/yubico/val/ykval-config.php on the existing server, adding the new
|
|
servers IP address to the `__YKRESYNC_IPS__` setting. You'll most likely want
|
|
to add the IP to the `__YKVAL_ALLOWED_SYNC_POOL__` setting as well. You also
|
|
need to edit this file on the new server, adding the existing server(s) IP
|
|
address(es) to `__YKVAL_ALLOWED_SYNC_POOL__`.
|
|
|
|
Once these permissions have been configured, you can initiate the full sync
|
|
by running the following command from the new server:
|
|
|
|
[source, sh]
|
|
user@val:~$ ykval-synchronize http://<IP or hostname of existing server>/wsapi/2.0/resync all
|
|
|
|
=== Step 11: Test it
|
|
|
|
You can test the service by requesting a URL. Using wget, for example:
|
|
|
|
[source, sh]
|
|
----
|
|
user@val:~$ wget -q -O - 'http://localhost/wsapi/2.0/verify?id=1&nonce=asdmalksdmlkasmdlkasmdlakmsdaasklmdlak&otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
|
|
h=/QVWkl5VlcX+Or1A2b3vOeoLEwI=
|
|
t=2010-05-17T14:48:15Z0355
|
|
otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh
|
|
nonce=asdmalksdmlkasmdlkasmdlakmsdaasklmdlak
|
|
status=NO_SUCH_CLIENT
|
|
|
|
user@val:~$
|
|
----
|
|
|
|
Naturally, you will need to import client keys into the database for
|
|
the verify function to work properly.
|
|
|
|
=== The End
|
|
|
|
You now have a YK-VAL up and running. See
|
|
https://developers.yubico.com/yubikey-ksm/Server_Hardening.html on how to
|
|
improve security of your system.
|