NAME¶
yhsm-yubikey-ksm ‐ Decrypt YubiKey OTPs using an attached YubiHSM
SYNOPSIS¶
yhsm-yubikey-ksm --key-handles ... [
options]
DESCRIPTION¶
This is a small network server with a REST-like API that decodes YubiKey OTPs.
It can be used as a decryption backend (Key Storage Module) to a validation
service such as the YubiCloud.
The AES keys of the YubiKeys must be present as AEAD files decryptable to the
attached YubiHSM. Such AEADs can for example be created using
yhsm-import-keys(1).
Note that this daemon is single threaded ‐ it will only handle a single
request at once. A request timeout is therefor most important.
OPTIONS¶
- -D, --device
- device file name (default: /dev/ttyACM0)
- -v, --verbose
- enable verbose operation
- --debug
- enable debug printout, including all data sent to/from
YubiHSM
- --U, --serve-url base
- base of URL for decrypt web service (default:
/yhsm/validate?)
- --port num
- port to listen on (default: 8002)
- --addr addr
- address to bind to (default: 127.0.0.1)
- --key-handles kh, --key-handle kh
- key handles to use for decoding OTPs. Examples :
"1", "0xabcd".
- --aead-dir dir, -B dir
- base directory for AEADs (default:
/var/cache/yubikey-ksm/aeads)
- --reqtimeout num
- number of seconds before a request times out (default:
5)
- --pid-file fn
- write process id of server to this file
BUGS¶
Report python-pyhsm/yhsm-yubikey-ksm bugs in the issue tracker ⟨URL:
https://github.com/Yubico/python-pyhsm/issues/ ⟩
SEE ALSO¶
The python-yubico home page ⟨URL:
https://github.com/Yubico/python-pyhsm/
⟩
YubiHSMs can be obtained from Yubico ⟨URL:
http://www.yubico.com/
⟩.
