NAME¶
yhsm-validation-server ‐ Credential validation server utilizing YubiHSM
SYNOPSIS¶
yhsm-validation-server [
mode]
DESCRIPTION¶
This is a validation server using the YubiHSM for cryptographic operations.
It is primarily built to validate YubiKey OTPs (
not stored in the
YubiHSM internal database), but it can also validate OATH token codes and
legacy passwords.
OPTIONS¶
- -D, --device
- device file name (default: /dev/ttyACM0)
- -v, --verbose
- enable verbose operation
- --debug
- enable debug printout, including all data sent to/from
YubiHSM
- --U, --serve-url base
- base of URL for validation web service (default:
/yhsm/validate?)
- --port num
- port to listen on (default: 8003)
- --addr addr
- address to bind to (default: 127.0.0.1)
- --hmac-kh kh
- key handle to use for HMAC‐SHA‐1. Examples :
"1", "0xabcd".
- --hotp-window num
- number of OATH counter values to try (default: 5)
- --db-file fn
- db file holding AEADs (see yhsm-init-oath-token(1))
(default: /var/yubico/yhsm-validation-server.db)
- --clients-file fn
- text file with mode OTP validation client shared secrets
(see yhsm-init-oath-token(1)) (default:
/var/yubico/yhsm-validation-server.db)
- --pid-file fn
- write process id of server to this file
MODES¶
- --otp
- Validate YubiKey OTP against entry in the YubiHSM internal
database. Response should be compatible with those of
yubikey-val-server-php ⟨URL:
http://code.google.com/p/yubikey-val-server-php/ ⟩.
- --short-otp
- Validate YubiKey OTP against entry in the YubiHSM internal
database. Returns a single line with the decrypted information from the
OTP, compatible with yubikey-ksm ⟨URL:
http://code.google.com/p/yubikey-ksm/ ⟩.
- --hotp
- Validate codes using the OATH HOTP algorithm, performing
the HMAC‐SHA‐1 inside the YubiHSM.
- --pwhash
- Validate that a string (a PBKDF2 hash of a password for
example) matches the one in an AEAD. Can be used to protect legacy
passwords within an AEAD only readable to a YubiHSM, but still recoverable
if you know the AEAD key (since you put it in the YubiHSM).
CLIENTS FILE¶
This file holds HMAC‐SHA‐1 secrets shared between the validation
client and server.
An example file, with a single entry for id 4711 would be :
# hash-style comments and blank lines are ignored
4711,grF5BERXEXPPpww1/TBvFg==
# end
EXIT STATUS¶
- 0
- YubiHSM keystore successfully unlocked
- 1
- Failed to unlock keystore
- 255
- Client ID not found in internal database
BUGS¶
Report python-pyhsm/yhsm-validation-server bugs in the issue tracker
⟨URL:
https://github.com/Yubico/python-pyhsm/issues/ ⟩
SEE ALSO¶
The python-yubico home page ⟨URL:
https://github.com/Yubico/python-pyhsm/
⟩
YubiHSMs can be obtained from Yubico ⟨URL:
http://www.yubico.com/
⟩.