1
0
mirror of https://github.com/Yubico/yubikey-val.git synced 2024-12-03 21:24:18 +01:00
yubikey-val/doc/Revocation_Service.adoc
2014-10-29 15:25:37 +01:00

67 lines
1.5 KiB
Plaintext

== Introduction
The YK-VAL server has an optional interface that can be used to
enable/disable validation of particular YubiKeys from a remote server.
This document explains how to configure and set up that service.
Currently authorization is based on IP address of client, which may
not be secure unless you take additional pre-cautions.
== Installation
[source, sh]
----
user@val:~/yubikey-val$ sudo make revoke
user@val:~/yubikey-val$
----
== Configuration
Add the following to your /etc/yubico/val/ykval-config.php:
[source, php]
----
# For the revoke service.
$baseParams['__YKREV_IPS__'] = array('10.0.0.1', '2000:1:2:3::4');
----
Obviously you need to modify the IP address.
You also need to grant additional rights to the database, for MySQL:
[source, sh]
----
user@val:~$ mysql --silent ykval
mysql> GRANT UPDATE(active) ON ykval.yubikeys to 'ykval_verifier'@'localhost'; \
FLUSH PRIVILEGES;
mysql> \q
user@val:~$
----
For PostgreSQL this should already be working, through this command:
[source, sh]
----
postgres@val:~$ psql ykval -q
ykval=# GRANT UPDATE ON yubikeys TO ykval_verifier;
ykval=# \q
postgres@val:~$
----
== Testing
Test the installation like this:
[source, sh]
----
user@revoke:~$ wget -q -O - 'http://api.example.com/wsapi/revoke?yk=dteffujehknh&do=enable'
OK Processed dteffujehknh with enable
user@revoke:~$
----
Use 'disable' instead of 'enable' to test disabling of the YubiKey.
== The End
You now have the YK-VAL Revocation Service up and running.