.\" Copyright (c) 2011 Yubico AB
.\" See the file COPYING for license statement.
.\"
.de URL
\\$2 \(laURL: \\$1 \(ra\\$3
..
.if \n[.g] .mso www.tmac
.TH yhsm-validation-server "1" "December 2011" "python-pyhsm"

.SH NAME
yhsm-validation-server \(hy Credential validation server utilizing YubiHSM

.SH SYNOPSIS
.B yhsm-validation-server
[\fImode\fR]

.SH DESCRIPTION
This is a validation server using the YubiHSM for cryptographic operations.

It is primarily built to validate YubiKey OTPs (\fInot\fR stored in the YubiHSM
internal database), but it can also validate OATH token codes and legacy passwords.

.SH OPTIONS
.PP
.TP
\fB\-D\fR, \fB\-\-device\fR
device file name (default: /dev/ttyACM0)
.TP
\fB\-v\fR, \fB\-\-verbose\fR
enable verbose operation
.TP
\fB\-\-debug\fR
enable debug printout, including all data sent to/from YubiHSM
.TP
\fB\-\-U\fR, \fB\-\-serve-url\fR base
base of URL for validation web service (default: /yhsm/validate?)
.TP
\fB\-\-port\fR num
port to listen on (default: 8003)
.TP
\fB\-\-addr\fR addr
address to bind to (default: 127.0.0.1)
.TP
\fB\-\-hmac-kh\fR kh
key handle to use for HMAC\(hySHA\(hy1. Examples : "1", "0xabcd".
.TP
\fB\-\-hotp-window\fR num
number of OATH counter values to try (default: 5)
.TP
\fB\-\-db-file\fR fn
db file holding AEADs (see \fIyhsm-init-oath-token\fR\|(1)) (default: /var/yubico/yhsm-validation-server.db)
.TP
\fB\-\-clients-file\fR fn
text file with mode OTP validation client shared secrets (see \fIyhsm-init-oath-token\fR\|(1)) (default: /var/yubico/yhsm-validation-server.db)
.TP
\fB\-\-pid-file\fR fn
write process id of server to this file

.SH "MODES"
.TP
\fB\-\-otp\fR
Validate YubiKey OTP against entry in the YubiHSM internal database.
Response should be compatible with those of
.URL "http://code.google.com/p/yubikey-val-server-php/" "yubikey-val-server-php" "."
.TP
\fB\-\-short-otp\fR
Validate YubiKey OTP against entry in the YubiHSM internal database.
Returns a single line with the decrypted information from the OTP, compatible with
.URL "http://code.google.com/p/yubikey-ksm/" "yubikey-ksm" "."
.TP
\fB\-\-hotp\fR
Validate codes using the OATH HOTP algorithm, performing the HMAC\(hySHA\(hy1 inside the YubiHSM.
.TP
\fB\-\-pwhash\fR
Validate that a string (a PBKDF2 hash of a password for example) matches the one in an AEAD.
Can be used to protect legacy passwords within an AEAD only readable to a YubiHSM, but
still recoverable if you know the AEAD key (since you put it in the YubiHSM).


.\"\fB\-\-oath\fR
.\"\fBNot implemented yet.\fR
.\"Validate an OATH code using HMAC\(hySHA\(hy1 in the YubiHSM. The OATH counter
.\"database must be initialized using \fIyhsm-init-oath-token\fR\|(1) first.


.SH "CLIENTS FILE"

This file holds HMAC\(hySHA\(hy1 secrets shared between the validation client and server.

An example file, with a single entry for id 4711 would be :
.in +4n
.nf

# hash-style comments and blank lines are ignored
4711,grF5BERXEXPPpww1/TBvFg==

# end
.fi
.in

.SH "EXIT STATUS"
.IX Header "EXIT STATUS"
.IP "\fB0\fR" 4
.IX Item "0"
YubiHSM keystore successfully unlocked
.IP "\fB1\fR" 4
.IX Item "1"
Failed to unlock keystore
.IP "\fB255\fR" 4
.IX Item "255"
Client ID not found in internal database

.SH "BUGS"
Report python-pyhsm/yhsm-validation-server bugs in
.URL "https://github.com/Yubico/python-pyhsm/issues/" "the issue tracker"

.SH "SEE ALSO"
The
.URL "https://github.com/Yubico/python-pyhsm/" "python-yubico home page"
.PP
YubiHSMs can be obtained from
.URL "http://www.yubico.com/" "Yubico" "."