CLI Command Tips

Which of the CLI commands are installed depends on the distribution and on how the software was installed. It is more complicated than you would expect, so take care.

ykinfo: get basic device information

$ ykinfo -V
1.16.3

$ ykinfo -h
Usage: ykinfo [options]

Options :

        -s        Get serial in decimal from YubiKey
        -m        Get serial in modhex from YubiKey
        -H        Get serial in hex from YubiKey
        -v        Get version from YubiKey
        -t        Get touchlevel from YubiKey
        -1        Check if slot 1 is programmed
        -2        Check if slot 2 is programmed
        -p        Get programming sequence from YubiKey
        -i        Get vendor id of YubiKey
        -I        Get product id of YubiKey
        -a        Get all information above

        -q        Only output information from YubiKey

        -V        Get the tool version
        -h        help (this text)

$ ykinfo -s -m -H -v -t -p
serial: XXXXXX
serial_hex: XXXXXX
serial_modhex: xxxxxx
version: 3.1.2
touch_level: yyyy
programming_sequence: Z

ykparse: parse a Yubico OTP

$ ykparse 449723ac82339a0f62eee90aba32d5bf cccccccccccdtdinchvvlgntchdrcnefdlhgnbggrhdu
warning: overlong token, ignoring prefix: cccccccccccd
Input:
  token: tdinchvvlgntchdrcnefdlhgnbggrhdu
          d2 7b 06 ff a5 bd 06 2c 0b 34 2a 65 b1 55 c6 2e
  aeskey: 449723ac82339a0f62eee90aba32d5bf
          44 97 23 ac 82 33 9a 0f 62 ee e9 0a ba 32 d5 bf
Output:
          a3 ee 9c 06 07 57 07 00 a2 fe ee 05 c4 75 e4 1c

Struct:
  uid: a3 ee 9c 06 07 57
  counter: 7 (0x0007)
  timestamp (low): 65186 (0xfea2)
  timestamp (high): 238 (0xee)
  session use: 5 (0x05)
  random: 30148 (0x75c4)
  crc: 7396 (0x1ce4)

Derived:
  cleaned counter: 7 (0x0007)
  modhex uid: leuukrchcigi
  triggered by caps lock: no
  crc: F0B8
  crc check: ok

ykgenerate: generate an OTP

$ ykgenerate -h
Usage: ykgenerate <aeskey> <yk_internalname> <yk_counter> <yk_low> <yk_high> <yk_use>
 AESKEY:                Hex encoded AES-key.
 YK_INTERNALNAME:       Hex encoded yk_internalname (48 bit).
 YK_COUNTER:            Hex encoded counter (16 bit).
 YK_LOW:                Hex encoded timestamp low (16 bit).
 YK_HIGH:               Hex encoded timestamp high (8bit).
 YK_USE:                Hex encoded use (8 bit).

ykpersonalize: reprogram the key

$ ykpersonalize -1 -ofixed=cccccccccccc -a00000000000000000000000000000000
Firmware version 3.1.2 Touch level 1538 Program sequence 2

Configuration data to be written to key configuration 1:

fixed: m:cccccccccccc
uid: 000000000000
key: h:00000000000000000000000000000000
acc_code: h:000000000000
ticket_flags: APPEND_CR
config_flags:
extended_flags:

Commit? (y/n) [n]: y

$ ykpersonalize -v
Firmware version 3.1.2 Touch level 1538 Program sequence 2
A slot must be chosen with -1 or -2.

$ ykpersonalize -h
Usage: ykpersonalize [options]
-u        update configuration without overwriting.  This is only available
          in YubiKey 2.3 and later.  EXTFLAG_ALLOW_UPDATE will be set by
          default
-1        change the first configuration.  This is the default and
          is normally used for true OTP generation.
          In this configuration, TKTFLAG_APPEND_CR is set by default.
-2        change the second configuration.  This is for Yubikey II only
          and is then normally used for static key generation.
          In this configuration, TKTFLAG_APPEND_CR, CFGFLAG_STATIC_TICKET,
          CFGFLAG_STRONG_PW1, CFGFLAG_STRONG_PW2 and CFGFLAG_MAN_UPDATE
          are set by default.
-x        swap the configuration in slot 1 and 2.  This is for YubiKey 2.3
          and newer only
-z        delete the configuration in slot 1 or 2.
-sFILE    save configuration to FILE instead of key.
          (if FILE is -, send to stdout)
-iFILE    read configuration from FILE. (only valid for -fycfg)
          (if FILE is -, read from stdin)
-fformat  set the data format for -s and -i valid values are ycfg or legacy.
-a[XXX..] The AES secret key as a 32 (or 40 for OATH-HOTP/HMAC CHAL-RESP)
          char hex value (not modhex) (none to prompt for key on stdin)
          If -a is not used a random key will be generated.
-cXXX..   A 12 char hex value (not modhex) to use as access code for programming
          (this does NOT SET the access code, that's done with -oaccess=)
-nXXX..   Write NDEF URI to YubiKey NEO, must be used with -1 or -2
-tXXX..   Write NDEF text to YubiKey NEO, must be used with -1 or -2
-mMODE    Set the USB device configuration of the YubiKey NEO.
          See the manpage for details
-S0605..  Set the scanmap to use with the YubiKey. Must be 45 unique bytes,
          in hex.  Use with no argument to reset to the default. This is for
          YubiKey 3.0 and newer only
-oOPTION  change configuration option.  Possible OPTION arguments are:
          fixed=xxxxxxxxxxx   The public identity of key, in MODHEX.
                              This is 0-16 characters long.
          uid=xxxxxx          The uid part of the generated ticket, in HEX.
                              MUST be 12 characters long.
          access=xxxxxxxxxxx  New access code to set, in HEX.
                              MUST be 12 characters long.
          oath-imf=IMF        OATH Initial Moving Factor to use.
          oath-id[=h:OOTT...] OATH Token Identifier (none for serial-based)

          Ticket flags for all firmware versions:
          [-]tab-first           set/clear TAB_FIRST
          [-]append-tab1         set/clear APPEND_TAB1
          [-]append-tab2         set/clear APPEND_TAB2
          [-]append-delay1       set/clear APPEND_DELAY1
          [-]append-delay2       set/clear APPEND_DELAY2
          [-]append-cr           set/clear APPEND_CR

          Ticket flags for firmware version 2.0 and above:
          [-]protect-cfg2        set/clear PROTECT_CFG2

          Ticket flags for firmware version 2.1 and above:
          [-]oath-hotp           set/clear OATH_HOTP

          Ticket flags for firmware version 2.2 and above:
          [-]chal-resp           set/clear CHAL_RESP

          Configuration flags for all firmware versions:
          [-]send-ref            set/clear SEND_REF
          [-]pacing-10ms         set/clear PACING_10MS
          [-]pacing-20ms         set/clear PACING_20MS
          [-]static-ticket       set/clear STATIC_TICKET

          Configuration flags for firmware version 1.x only:
          [-]ticket-first        set/clear TICKET_FIRST
          [-]allow-hidtrig       set/clear ALLOW_HIDTRIG

          Configuration flags for firmware version 2.0 and above:
          [-]short-ticket        set/clear SHORT_TICKET
          [-]strong-pw1          set/clear STRONG_PW1
          [-]strong-pw2          set/clear STRONG_PW2
          [-]man-update          set/clear MAN_UPDATE

          Configuration flags for firmware version 2.1 and above:
          [-]oath-hotp8          set/clear OATH_HOTP8
          [-]oath-fixed-modhex1  set/clear OATH_FIXED_MODHEX1
          [-]oath-fixed-modhex2  set/clear OATH_FIXED_MODHEX2
          [-]oath-fixed-modhex   set/clear OATH_MODHEX

          Configuration flags for firmware version 2.2 and above:
          [-]chal-yubico         set/clear CHAL_YUBICO
          [-]chal-hmac           set/clear CHAL_HMAC
          [-]hmac-lt64           set/clear HMAC_LT64
          [-]chal-btn-trig       set/clear CHAL_BTN_TRIG

          Extended flags for firmware version 2.2 and above:
          [-]serial-btn-visible  set/clear SERIAL_BTN_VISIBLE
          [-]serial-usb-visible  set/clear SERIAL_USB_VISIBLE
          [-]serial-api-visible  set/clear SERIAL_API_VISIBLE

          Extended flags for firmware version 2.3 and above:
          [-]use-numeric-keypad  set/clear USE_NUMERIC_KEYPAD
          [-]fast-trig           set/clear FAST_TRIG
          [-]allow-update        set/clear ALLOW_UPDATE
          [-]dormant             set/clear DORMANT

          Extended flags for firmware version 2.4/3.1 and above:
          [-]led-inv             set/clear LED_INV

-y        always commit (do not prompt)

-d        dry-run (don't write anything to key)

-v        verbose
-V        tool version
-h        help (this text)

ykclient: talk to the Validation Server

(Newer version (as of 2015-01-24), i.e. when yubico-c-client was built and installed directly with make install)
$ ykclient --version
2.14
$ ykclient --help
Usage: ykclient [OPTION]... CLIENTID YUBIKEYOTP
Validate the YUBIKEYOTP one-time-password against the YubiCloud
using CLIENTID as the client identifier.

Mandatory arguments to long options are mandatory for short options too.
    --help         Display this help screen
    --version      Display version information

    --debug        Print debugging information
    --url URL      Validation service URL, for example,
                   "http://api.yubico.com/wsapi/verify"
    --ca CADIR     Path to directory containing Certificate Authoritity,
                   e.g., "/usr/local/etc/CERTS"
    --apikey Key   API key for HMAC validation of request/response

Exit status is 0 on success, 1 if there is a hard failure, 2 if the
OTP was replayed, 3 for other soft OTP-related failures.

Report bugs at <https://github.com/Yubico/yubico-c-client>.

$ ykclient --debug --url "http://127.0.0.1/wsapi/2.0/verify" 2 cccccccccccdutfiljtbignbgckhgdtfigbdricugdrv

(Older version)
$ ykclient
Usage: ykclient [options] <client_id> <yubikey_otp>
  client_id: your client id integer
  yubikey_otp: One-time password generated by yubikey

  Options :
    --url URL           Validation service URL (eg: "http://api.yubico.com/wsapi/verify?id=%%d&otp=%%s")
    --apikey Key                API key for HMAC validation of request/response

(Note the URL format)
$ ykclient --url "http://127.0.0.1/wsapi/2.0/verify?id=%d&otp=%s" 2 cccccccccccdutfiljtbignbgckhgdtfigbdricugdrv

ykchalresp

yk-ksm related

ykksm-gen-keys

$ ykksm-gen-keys --urandom 1 1
# ykksm 1
# serialnr,identity,internaluid,aeskey,lockpw,created,accessed[,progflags]
1,cccccccccccb,d66b6cb7dd52,f0dd6b763127511211b44a1ab2b8fd5f,ca552fdf17ff,2015-01-29T00:02:57,
# the end

Tips

Using the CLI tools as a non-root user on CentOS 6

(/etc/udev/rules.d/70-yubikey.rules)

ACTION=="add|change", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050",\
  GROUP="wheel", \
  ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", \
  RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"

$ sudo udevadm control --reload-rules

YubiKey Personalization and related software projects

YubiKey Validation Server

On the relationship between the Validation Server (yk-val) and the KSM

It is not the job of the KSM (or YubiHSM) to ensure that the OTP has
not been seen before - that is done by the validation server (using
the database) :

     O            +----------+
    /|\           |Validation|     +-----+   +---------+
     |  -- OTP--> |  server  | --> | KSM +---| YubiHSM |
    / \           +----------+     +-----+   +---------+
                        |
    user             +--+--+
                     | DB  |
                     +-----+

This server talks to a KSM service for decrypting the OTPs,
to avoid storing any AES keys on the validation server.
One implementation of this service is the YubiKey-KSM,
and another implementation using the YubiHSM hardware is PyHSM.

The YK-KSM can be on the same machine as the validation server,
but for improved security we recommend to use different machines
for the validation server and the KSM.
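The replay check that the passage above assigns to the validation server rather than the KSM, as an added example (not code from this page or from yubikey-val). The KSM only turns an OTP into "OK counter=.. low=.. high=.. use=.." or an "ERR ..." line, in the format the ykksm decrypt endpoint prints; whether that (counter, use) pair has moved forward for the key is decided here against per-key state that, in a real deployment, lives in the validation server's database. The class and function names, and the rule that a never-seen key starts at (0, 0), are assumptions of this example; the reply lines used are constructed.

```python
# Added example (not the page's or yubikey-val's own code): the replay check
# the validation server performs on the KSM's answer. Names are this example's.
import re

_KSM_OK = re.compile(
    r"^OK counter=([0-9a-f]{4}) low=([0-9a-f]{4}) high=([0-9a-f]{2}) use=([0-9a-f]{2})$")
COUNTER_MASK = 0x7FFF   # the high bit of the counter only marks a caps-lock trigger


def parse_ksm_response(line):
    """Turn one ykksm decrypt reply into ints; ERR lines raise ValueError."""
    line = line.strip()
    if line.startswith("ERR"):
        raise ValueError(line)
    m = _KSM_OK.match(line)
    if m is None:
        raise ValueError("unexpected KSM reply: %r" % line)
    counter, low, high, use = (int(x, 16) for x in m.groups())
    return {"counter": counter & COUNTER_MASK, "low": low, "high": high, "use": use}


class ValidationState:
    """In-memory stand-in for the yk_counter / yk_use columns kept per public id.
    Assumption of this example: a key that has never validated starts at (0, 0),
    so its first accepted OTP must carry a usage counter of at least 1."""

    def __init__(self):
        self._seen = {}     # publicname -> (yk_counter, yk_use)

    def validate(self, publicname, ksm_reply):
        """Return the V2.0 status string for this OTP and update state on OK."""
        try:
            t = parse_ksm_response(ksm_reply)
        except ValueError:
            return "BAD_OTP"          # KSM could not decrypt / unknown key
        new = (t["counter"], t["use"])
        old = self._seen.get(publicname, (0, 0))
        # Tuple comparison: usage counter first, then the session counter.
        if new <= old:
            return "REPLAYED_OTP"
        self._seen[publicname] = new
        return "OK"

    def counters(self, publicname):
        return self._seen.get(publicname)


if __name__ == "__main__":
    # Constructed replies in the format the ksm decrypt endpoint prints.
    state = ValidationState()
    for reply in ("OK counter=0001 low=84c0 high=3b use=00",
                  "OK counter=0001 low=85ca high=3b use=01",
                  "OK counter=0001 low=84c0 high=3b use=00",
                  "ERR Unknown yubikey"):
        print(reply, "->", state.validate("cccccccccccd", reply))
```

The KSM response does not need to be trusted for ordering, only for correct decryption: the same OTP replayed yields the same (counter, use) pair and is rejected without any AES key being present on the validation side.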

YK-KSM on CentOS 6.6

Installation

$ sudo yum install git make httpd php php-curl perl-Digest-SHA
$ sudo chkconfig httpd on
$ git clone git://developers.yubico.com/yubikey-ksm.git
$ cd yubikey-ksm
(Change wwwdata in the Makefile to "apache")
$ sudo make install
help2man -N --name='Print checksum of important database fields.  Useful for quickly determining whether several KSMs are in sync.' --version-string=1 ./ykksm-checksum > ykksm-checksum.1
help2man -N --name='Tool to export keys to the YKKSM-KEYPROV format.' --version-string=1 ./ykksm-export > ykksm-export.1
help2man -N --name='Tool to generate keys on the YKKSM-KEYPROV format.' --version-string=1 ./ykksm-gen-keys > ykksm-gen-keys.1
help2man -N --name='Tool to import key data on the YKKSM-KEYPROV format.' --version-string=1 ./ykksm-import > ykksm-import.1
install -D --mode 640 .htaccess /usr/share/yubikey-ksm/.htaccess
install -D --mode 640 ykksm-decrypt.php /usr/share/yubikey-ksm/ykksm-decrypt.php
install -D --mode 640 ykksm-utils.php /usr/share/yubikey-ksm/ykksm-utils.php
install -D ykksm-gen-keys /usr/bin/ykksm-gen-keys
install -D ykksm-import /usr/bin/ykksm-import
install -D ykksm-export /usr/bin/ykksm-export
install -D ykksm-checksum /usr/bin/ykksm-checksum
install -D --backup --mode 640 --group apache ykksm-config.php /etc/yubico/ksm/ykksm-config.php
install -D ykksm-gen-keys.1 /usr/share/man/man1/ykksm-gen-keys.1
install -D ykksm-import.1 /usr/share/man/man1/ykksm-import.1
install -D ykksm-export.1 /usr/share/man/man1/ykksm-export.1
install -D ykksm-checksum.1 /usr/share/man/man1/ykksm-checksum.1
install -D ykksm-db.sql /usr/share/doc/yubikey-ksm/ykksm-db.sql
install -D Makefile /usr/share/doc/yubikey-ksm/ykksm.mk
install -D doc/Decryption_Protocol.adoc doc/Design_Goals.adoc doc/Generate_Keys.adoc doc/Generate_KSM_Key.adoc doc/Import_Keys_To_KSM.adoc doc/Installation.adoc doc/Key_Provisioning_Format.adoc doc/Server_Hardening.adoc doc/Sync_Monitor.adoc /usr/share/doc/yubikey-ksm/

Preparing the MySQL DB

$ sudo yum install mysql-server php-mysql php-mcrypt
$ sudo chkconfig mysqld on
$ sudo service mysqld start
$ sudo /usr/bin/mysql_secure_installation

(The following assumes that the user, password, etc. have already been set up properly in ~/.my.cnf)

$ echo 'create database ykksm' | mysql
$ mysql ykksm < /usr/share/doc/yubikey-ksm/ykksm-db.sql
$ mysql --silent ykksm
mysql> GRANT SELECT ON ykksm.yubikeys TO 'ykksmreader'@'localhost' IDENTIFIED BY 'yourpassword';
mysql> GRANT INSERT ON ykksm.yubikeys TO 'ykksmimporter'@'localhost' IDENTIFIED BY 'otherpassword';
mysql> FLUSH PRIVILEGES;

(Or, the official method)

mysql> CREATE USER 'ykksmreader';
mysql> GRANT SELECT ON ykksm.yubikeys TO 'ykksmreader'@'localhost';
mysql> SET PASSWORD FOR 'ykksmreader'@'localhost' = PASSWORD('yourpassword');
mysql> CREATE USER 'ykksmimporter';
mysql> GRANT INSERT ON ykksm.yubikeys TO 'ykksmimporter'@'localhost';
mysql> SET PASSWORD FOR 'ykksmimporter'@'localhost' = PASSWORD('otherpassword');
mysql> FLUSH PRIVILEGES;
mysql> \q

$ mysql ykksm -e 'show tables from ykksm'
+-----------------+
| Tables_in_ykksm |
+-----------------+
| yubikeys        |
+-----------------+

$ mysql ykksm -e "show fields from yubikeys"
+--------------+-------------+------+-----+---------+-------+
| Field        | Type        | Null | Key | Default | Extra |
+--------------+-------------+------+-----+---------+-------+
| serialnr     | int(11)     | NO   |     | NULL    |       |
| publicname   | varchar(16) | NO   | PRI | NULL    |       |
| created      | varchar(24) | NO   |     | NULL    |       |
| internalname | varchar(12) | NO   |     | NULL    |       |
| aeskey       | varchar(32) | NO   |     | NULL    |       |
| lockcode     | varchar(12) | NO   |     | NULL    |       |
| creator      | varchar(8)  | NO   |     | NULL    |       |
| active       | tinyint(1)  | YES  |     | 1       |       |
| hardware     | tinyint(1)  | YES  |     | 1       |       |
+--------------+-------------+------+-----+---------+-------+

Deploying the PHP scripts via Apache

$ sudo mkdir /var/www/html/wsapi
$ sudo ln -sf /usr/share/yubikey-ksm/.htaccess /var/www/html/wsapi/.htaccess
$ sudo ln -sf /usr/share/yubikey-ksm/ykksm-decrypt.php /var/www/html/wsapi/decrypt.php

$ sudo chgrp apache /usr/share/yubikey-ksm/*
$ sudo chgrp apache /usr/share/yubikey-ksm/.htaccess

(/etc/httpd/conf.d/wsapi.conf)

<Directory "/var/www/html/wsapi">
    AllowOverride All
</Directory>

$ sudo sh -c 'cat > /etc/php.d/ykksm.ini'
include_path = "/etc/yubico/ksm:/usr/share/yubikey-ksm"

Log setup

(/etc/yubico/ksm/ykksm-config.php)

..
$logfacility = LOG_LOCAL0;
..

(/etc/rsyslog.d/ykval.conf)

$umask 0000
local0.* -/var/log/ykval.log

(/etc/logrotate.d/ykval)

/var/log/ykval.log {
  weekly
  dateext
  compress
  missingok
  rotate 9999
  notifempty
  postrotate
    # invoke-rc.d is Debian's init helper; on CentOS 6 the service command reloads rsyslog
    /sbin/service rsyslog reload > /dev/null
  endscript
}

$ service rsyslog restart

Quick functional test

(No YubiKey has been registered in the DB yet, so this error is telling the truth)
$ wget -q -O - 'http://localhost/wsapi/decrypt?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
ERR Unknown yubikey

(/var/log/ykval.log)
Jan 27 01:49:57 penguin ykksm[3822]: Unknown yubikey: dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh

(If, for example, the DB is broken, it looks like this)
$ wget -q -O - 'http://localhost/wsapi/decrypt?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
ERR Database error

(If the symlink has not been created, you may get no output at all; using curl, for example, may reveal what is going on)
$ curl -v 'http://localhost/wsapi/decrypt?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
* About to connect() to localhost port 80 (#0)
*   Trying ::1... connected
* Connected to localhost (::1) port 80 (#0)
> GET /wsapi/decrypt?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Date: Wed, 28 Jan 2015 16:40:00 GMT
< Server: Apache/2.2.15 (CentOS)
< Content-Length: 290
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /wsapi/decrypt.php was not found on this server.</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at localhost Port 80</address>
</body></html>
* Closing connection #0

Registering secret keys

$ ykksm-gen-keys 1 1  --urandom
# ykksm 1
# serialnr,identity,internaluid,aeskey,lockpw,created,accessed[,progflags]
1,cccccccccccd,a3ee9c060757,449723ac82339a0f62eee90aba32d5bf,b3b4733c944b,2015-01-22T15:23:39,
# the end
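A reader for the "# ykksm 1" key-provisioning text that ykksm-gen-keys prints above, as an added example (not code from this page or from yubikey-ksm). It checks every field (modhex public identity, hex lengths, timestamp) before the row is mapped onto the column names of the yubikeys table shown earlier, and it treats a missing "# the end" trailer as a truncated file. The function names and that trailer rule are this example's own; the sample record is the one on this page.

```python
# Added example (not the page's or yubikey-ksm's own code): parse and validate
# the ykksm key-provisioning format before anything reaches the database.
import re

_HEADER = "# ykksm 1"
_TRAILER = "# the end"
_MODHEX12 = re.compile(r"^[cbdefghijklnrtuv]{12}$")   # identity (publicname)
_HEX12 = re.compile(r"^[0-9a-f]{12}$")                 # internaluid, lockpw
_HEX32 = re.compile(r"^[0-9a-f]{32}$")                 # aeskey (128-bit AES key)
_ISO = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$")


def parse_ykksm_keys(text):
    """Return a list of dicts keyed like the ykksm.yubikeys columns.
    Raises ValueError on a bad header, a malformed row, or a missing trailer
    (assumption of this example: no trailer means the file was truncated)."""
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != _HEADER:
        raise ValueError("missing '%s' header" % _HEADER)
    rows, ended = [], False
    for n, line in enumerate(lines[1:], start=2):
        line = line.strip()
        if line == _TRAILER:
            ended = True
            break
        if not line or line.startswith("#"):
            continue                      # column comment or blank line
        f = line.split(",")
        if len(f) < 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (n, len(f)))
        serialnr, identity, internaluid, aeskey, lockpw, created, accessed = f[:7]
        checks = (
            (serialnr.isdigit(), "serialnr"),
            (_MODHEX12.match(identity), "identity (must be 12 modhex chars)"),
            (_HEX12.match(internaluid), "internaluid"),
            (_HEX32.match(aeskey), "aeskey"),
            (_HEX12.match(lockpw), "lockpw"),
            (_ISO.match(created), "created"),
        )
        for ok, name in checks:
            if not ok:
                raise ValueError("line %d: bad %s" % (n, name))
        rows.append({
            "serialnr": int(serialnr),
            "publicname": identity,
            "internalname": internaluid,
            "aeskey": aeskey,
            "lockcode": lockpw,
            "created": created,
            "accessed": accessed or None,
        })
    if not ended:
        raise ValueError("missing '%s' trailer: truncated file?" % _TRAILER)
    return rows


def insert_params(row):
    """Parameter tuple for a parameterised INSERT into ykksm.yubikeys
    (serialnr, publicname, created, internalname, aeskey, lockcode)."""
    return (row["serialnr"], row["publicname"], row["created"],
            row["internalname"], row["aeskey"], row["lockcode"])


# The record shown on this page, embedded as sample input.
SAMPLE = """# ykksm 1
# serialnr,identity,internaluid,aeskey,lockpw,created,accessed[,progflags]
1,cccccccccccd,a3ee9c060757,449723ac82339a0f62eee90aba32d5bf,b3b4733c944b,2015-01-22T15:23:39,
# the end
"""

if __name__ == "__main__":
    for row in parse_ykksm_keys(SAMPLE):
        # Print only non-secret columns; aeskey and lockcode stay out of logs.
        print(row["serialnr"], row["publicname"], row["created"])
```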

(This is the data created by ykksm-gen-keys)
$ mysql -e 'select * from ykksm.yubikeys where publicname="cccccccccccd" \G'
*************************** 1. row ***************************
    serialnr: 1
  publicname: cccccccccccd
     created: 2015-01-22T15:23:39
internalname: a3ee9c060757
      aeskey: 449723ac82339a0f62eee90aba32d5bf
    lockcode: b3b4733c944b
     creator: XXXXXXXX
      active: 1
    hardware: 1

(One example)

mysql> INSERT INTO ykksm.yubikeys (serialnr, publicname, internalname, aeskey, active) VALUES (1, 'cccccccccccd', 'a3ee9c060757', '449723ac82339a0f62eee90aba32d5bf', 1);
Query OK, 1 row affected, 3 warnings (0.01 sec)

(image: yubico_1.png)

$ ykpersonalize -1 -ofixed=cccccccccccd -ouid=a3ee9c060757 -a449723ac82339a0f62eee90aba32d5bf
(fixed == publicname == public identity; uid == private identity)

$ curl 'http://localhost/wsapi/decrypt?otp=cccccccccccddkhdlfhjbevtkcfhkedvtudgdkekivnk'
OK counter=0001 low=84c0 high=3b use=00
$ curl 'http://localhost/wsapi/decrypt?otp=cccccccccccdrnljbdgnvbcifhidhtttiiulrkunljcd'
OK counter=0001 low=85ca high=3b use=01

Jan 23 06:22:41 vagrant-centos65 ykksm[32236]: SUCCESS OTP cccccccccccddkhdlfhjbevtkcfhkedvtudgdkekivnk PT a3ee9c0607570100c0843b00ed9d16e7 OK counter=0001 low=84c0 high=3b use=00
Jan 23 06:23:14 vagrant-centos65 ykksm[32231]: SUCCESS OTP cccccccccccdrnljbdgnvbcifhidhtttiiulrkunljcd PT a3ee9c0607570100ca853b01d6ee968c OK counter=0001 low=85ca high=3b use=01

option: creating the KSM key with GPG

$ sudo yum install rng-tools
$ sudo vim /etc/sysconfig/rngd
(EXTRAOPTIONS="-i -r /dev/urandom -o /dev/random -b")
$ sudo service rngd start

option: creating a GPG private key

YK-VAL on CentOS 6.6

Installation

$ sudo make install
install -D --mode 644 ykval-verify.php /usr/share/yubikey-val/ykval-verify.php
install -D --mode 644 ykval-common.php /usr/share/yubikey-val/ykval-common.php
install -D --mode 644 ykval-synclib.php /usr/share/yubikey-val/ykval-synclib.php
install -D --mode 644 ykval-sync.php /usr/share/yubikey-val/ykval-sync.php
install -D --mode 644 ykval-resync.php /usr/share/yubikey-val/ykval-resync.php
install -D --mode 644 ykval-db.php /usr/share/yubikey-val/ykval-db.php
install -D --mode 644 ykval-db-pdo.php /usr/share/yubikey-val/ykval-db-pdo.php
install -D --mode 644 ykval-db-oci.php /usr/share/yubikey-val/ykval-db-oci.php
install -D --mode 644 ykval-log.php /usr/share/yubikey-val/ykval-log.php
install -D ykval-queue /usr/sbin/ykval-queue
install -D ykval-synchronize /usr/sbin/ykval-synchronize
install -D ykval-export /usr/sbin/ykval-export
install -D ykval-import /usr/sbin/ykval-import
install -D ykval-gen-clients /usr/sbin/ykval-gen-clients
install -D ykval-export-clients /usr/sbin/ykval-export-clients
install -D ykval-import-clients /usr/sbin/ykval-import-clients
install -D ykval-checksum-clients /usr/sbin/ykval-checksum-clients
install -D ykval-checksum-deactivated /usr/sbin/ykval-checksum-deactivated
install -D ykval-queue.1 /usr/share/man/man1/ykval-queue.1
install -D ykval-synchronize.1 /usr/share/man/man1/ykval-synchronize.1
install -D ykval-import.1 /usr/share/man/man1/ykval-import.1
install -D ykval-export.1 /usr/share/man/man1/ykval-export.1
install -D ykval-gen-clients.1 /usr/share/man/man1/ykval-gen-clients.1
install -D ykval-import-clients.1 /usr/share/man/man1/ykval-import-clients.1
install -D ykval-export-clients.1 /usr/share/man/man1/ykval-export-clients.1
install -D ykval-checksum-clients.1 /usr/share/man/man1/ykval-checksum-clients.1
install -D ykval-checksum-deactivated.1 /usr/share/man/man1/ykval-checksum-deactivated.1
install -D ykval-munin-ksmlatency.php /usr/share/munin/plugins/ykval_ksmlatency
install -D ykval-munin-vallatency.php /usr/share/munin/plugins/ykval_vallatency
install -D ykval-munin-queuelength.php /usr/share/munin/plugins/ykval_queuelength
install -D ykval-munin-responses.pl /usr/share/munin/plugins/ykval_responses
install -D ykval-munin-ksmresponses.pl /usr/share/munin/plugins/ykval_ksmresponses
install -D ykval-munin-yubikeystats.php /usr/share/munin/plugins/ykval_yubikeystats
install -D --backup --mode 640 --group apache ykval-config.php /etc/yubico/val/ykval-config.php
install -D --mode 644 ykval-db.sql /usr/share/doc/yubikey-val/ykval-db.sql
install -D --mode 644 ykval-db.oracle.sql /usr/share/doc/yubikey-val/ykval-db.oracle.sql
install -D --mode 644 doc/Generating_Clients.adoc doc/Getting_Started_Writing_Clients.adoc doc/Import_Export_Data.adoc doc/Installation.adoc doc/Make_Release.adoc doc/Munin_Probes.adoc doc/Revocation_Service.adoc doc/Server_Replication_Protocol.adoc doc/Sync_Monitor.adoc doc/Troubleshooting.adoc doc/Validation_Protocol_V2.0.adoc doc/Validation_Server_Algorithm.adoc doc/YubiKey_Info_Format.adoc /usr/share/doc/yubikey-val/

Preparing the MySQL DB

$ mysql -e 'create database ykval' 
$ mysql ykval < /usr/share/doc/yubikey-val/ykval-db.sql
$ mysql --silent ykval
mysql> CREATE USER 'ykval_verifier'@'localhost';
mysql> SET PASSWORD FOR 'ykval_verifier'@'localhost' = PASSWORD('yourpassword');

mysql> GRANT SELECT,INSERT,UPDATE(modified, yk_counter, yk_low, yk_high, yk_use, nonce) ON ykval.yubikeys TO 'ykval_verifier'@'localhost';
(Note: the original manual grants only SELECT here, but ykval-gen-clients should not work without the INSERT privilege)
mysql> GRANT SELECT,INSERT ON ykval.clients TO 'ykval_verifier'@'localhost';
mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON ykval.queue TO 'ykval_verifier'@'localhost';
mysql> FLUSH PRIVILEGES;
mysql> \q

Deploying the PHP scripts via Apache

$ sudo mkdir /var/www/html/wsapi/2.0
$ sudo ln -sf /usr/share/yubikey-val/ykval-verify.php /var/www/html/wsapi/2.0/verify.php
$ sudo chgrp apache /usr/share/yubikey-val/*

(Here, as an example, ykksm and ykval are configured together in /etc/php.ini)

include_path = ".:/etc/yubico/ksm:/usr/share/yubikey-ksm:/etc/yubico/val:/usr/share/yubikey-val"

(/var/www/html/wsapi/2.0/.htaccess)

RewriteEngine on
RewriteRule ^([^/\.\?]+)(\?.*)?$ $1.php$2 [L]

Integration test with the KSM

$ ykclient --version
2.14
$ ykclient --debug --url "http://localhost/wsapi/2.0/verify" 1 cccccccccccdutfiljtbignbgckhgdtfigbdricugdrv
Input:
  validation URL: http://localhost/wsapi/2.0/verify
  client id: 1
  token: cccccccccccdutfiljtbignbgckhgdtfigbdricugdrv
Verification output (5): Client identity does not exist (NO_SUCH_CLIENT)

$ sudo ykval-gen-clients --urandom 1
1,AaKqaW6cuV2rFA6GAyomvXphUec=
$ mysql -e 'select * from ykval.clients where id = 1 \G'
*************************** 1. row ***************************
     id: 1
 active: 1
created: 1422027800
 secret: AaKqaW6cuV2rFA6GAyomvXphUec=
  email:
  notes:
    otp:

(Note: the behaviour below differs from that of older ykclient versions)

$ ykclient --version
2.14
$ ykclient --debug --url "http://127.0.0.1/wsapi/2.0/verify" --apikey AaKqaW6cuV2rFA6GAyomvXphUec= 1 cccccccccccdutfiljtbignbgckhgdtfigbdricugdrv
Input:
  validation URL: http://127.0.0.1/wsapi/2.0/verify?id=%d&otp=%s
  client id: 1
  token: cccccccccccdutfiljtbignbgckhgdtfigbdricugdrv
  api key: AaKqaW6cuV2rFA6GAyomvXphUec=
Verification output (1): Yubikey OTP was bad (BAD_OTP)

$ curl 'http://localhost/wsapi/2.0/verify?id=1&nonce=asdmalksdmlkasmdlkasmdlakmsdaasklmdlak&otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
h=fnxCpEm9N9kE1kHjxTGnp/f+MUY=
t=2015-01-23T14:50:06Z0207
status=NO_SUCH_CLIENT
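How the h= line of a reply like the one above is produced and checked, as an added example (not code from this page, ykclient or yubikey-val). This is the scheme behind ykclient --apikey: h is HMAC-SHA1 over the other response fields, written as key=value pairs sorted by key and joined with "&", keyed with the base64-decoded client API key, and then base64-encoded. The API key is the client secret ykval-gen-clients printed on this page; the reply bodies are constructed, and the function names are this example's own.

```python
# Added example (not the page's or yubikey-val's own code): sign and verify the
# h= field of a Validation Protocol V2.0 reply. Names are this example's.
import base64
import hashlib
import hmac


def sign_params(params, api_key_b64):
    """h = base64(HMAC-SHA1(base64decode(api key), "k1=v1&k2=v2..." sorted by key))."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join("%s=%s" % (k, params[k]) for k in sorted(params))
    digest = hmac.new(key, msg.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_response(params, api_key_b64):
    """Server side: emit the signed reply, h first like the verify output above."""
    h = sign_params(params, api_key_b64)
    return "h=%s\n" % h + "".join("%s=%s\n" % (k, params[k]) for k in sorted(params))


def parse_response(body):
    """Split the key=value lines of a reply; values may themselves contain '='
    (base64 padding), so only the first '=' separates key from value."""
    params = {}
    for line in body.strip().splitlines():
        k, sep, v = line.partition("=")
        if sep:
            params[k.strip()] = v.strip()
    return params


def verify_response(body, api_key_b64):
    """Client side: recompute h over every other field and compare in constant time.
    A reply without h is rejected rather than accepted unsigned."""
    params = parse_response(body)
    h = params.pop("h", None)
    if h is None:
        return False
    return hmac.compare_digest(h, sign_params(params, api_key_b64))


API_KEY = "AaKqaW6cuV2rFA6GAyomvXphUec="   # client 1's secret as printed on this page

# Constructed reply fields in the shape of the verify output shown above.
SAMPLE_PARAMS = {
    "t": "2015-01-23T14:50:06Z0207",
    "otp": "cccccccccccdutfiljtbignbgckhgdtfigbdricugdrv",
    "nonce": "asdmalksdmlkasmdlkasmdlakmsdaasklmdlak",
    "status": "OK",
}

if __name__ == "__main__":
    body = build_response(SAMPLE_PARAMS, API_KEY)
    print(body)
    print("genuine verifies:", verify_response(body, API_KEY))
    print("tampered verifies:", verify_response(body.replace("status=OK", "status=REPLAYED_OTP"), API_KEY))
```

Without the API key, a client cannot tell a reply rewritten on the wire from a real one; with it, changing any field (status, otp echo, nonce) invalidates h, which is why the --apikey path is the one to use against a server reached over plain HTTP.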

log

optional: about clients in ykval

TODO

$ sudo ln -sf /usr/share/yubikey-val/ykval-sync.php /var/www/html/wsapi/2.0/sync.php

Yubico OTP specification

Mainly an explanation of the OTP string

The character representation may look a bit strange at first sight but is designed to cope with
various keyboard layouts causing potential ambiguities when decoded. USB keyboards send
their keystrokes by the means of “scan codes” rather than the actual character representation.
The translation to keystrokes is done by the computer. For the Yubikey, it is critical that the
same code is generated if it is inserted in a German computer having a QWERTZ, a French
with an AZERTY or an US one with a QWERTY layout. The “Modhex”, or Modified Hexadecimal
coding was invented by Yubico to just use the specific characters that don’t create any
ambiguities. The Modhex coding packs four bits of information in each keystroke. This gives
that a 128-bit OTP string requires 128 / 4 = 32 characters.

Mnemonic     Byte offset (Bytes)   Size (Bytes)   Description
uid          0                     6              Private (secret) id
useCtr       6                     2              Usage counter
tstp         8                     3              Timestamp
sessionCtr   11                    1              Session usage counter
rnd          12                    2              Random number
crc          14                    2              CRC16 checksum

function modhex2hex($m)
{
  return strtr ($m, "cbdefghijklnrtuv", "0123456789abcdef");
}
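The modhex decoding, the 16-byte token layout from the table above and the CRC check that ykparse reports as "crc check: ok" in the ykparse section earlier on this page, as an added example (not code from this page or from yubico-c). AES decryption is left out; SAMPLE_PLAINTEXT is the decrypted block that ykparse printed for this page's sample OTP, so the fields it yields can be compared with that output. The function and constant names are this example's own.

```python
# Added example (not the page's or yubico-c's own code): modhex <-> bytes, the
# token structure and the CRC16 residue check. Names are this example's.

MODHEX = "cbdefghijklnrtuv"          # modhex digit i  <->  hex digit i
HEX = "0123456789abcdef"
_TO_HEX = str.maketrans(MODHEX, HEX)
_TO_MODHEX = str.maketrans(HEX, MODHEX)

CRC_OK_RESIDUE = 0xF0B8   # crc16 over all 16 bytes of a valid token equals this
COUNTER_MASK = 0x7FFF     # high bit of useCtr marks an OTP triggered by caps lock


def modhex_to_bytes(s):
    """Modhex string -> bytes; rejects anything outside the modhex alphabet."""
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not modhex: %r" % s)
    return bytes.fromhex(s.translate(_TO_HEX))


def bytes_to_modhex(b):
    return b.hex().translate(_TO_MODHEX)


def split_otp(otp):
    """Split an OTP into (public id prefix, 32-char token): the split behind
    ykparse's 'overlong token, ignoring prefix' warning."""
    if len(otp) < 32:
        raise ValueError("OTP shorter than 32 characters")
    return otp[:-32], otp[-32:]


def crc16(data):
    """CRC-16, polynomial 0x8408, initial value 0xffff, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def parse_token(pt):
    """Parse the decrypted 16-byte token; multi-byte fields are little-endian."""
    if len(pt) != 16:
        raise ValueError("token must be 16 bytes")
    counter = int.from_bytes(pt[6:8], "little")
    return {
        "uid": pt[0:6].hex(),
        "counter": counter & COUNTER_MASK,      # the "cleaned counter"
        "caps_lock": bool(counter & 0x8000),
        "tstp_low": int.from_bytes(pt[8:10], "little"),
        "tstp_high": pt[10],
        "use": pt[11],
        "rnd": int.from_bytes(pt[12:14], "little"),
        "crc": int.from_bytes(pt[14:16], "little"),
        "crc_ok": crc16(pt) == CRC_OK_RESIDUE,
    }


def pack_token(uid_hex, counter, tstp_low, tstp_high, use, rnd):
    """Inverse of parse_token. The stored crc is the complement of crc16 over
    the first 14 bytes; that is what makes crc16 over all 16 bytes == 0xF0B8."""
    body = (bytes.fromhex(uid_hex)
            + counter.to_bytes(2, "little")
            + tstp_low.to_bytes(2, "little")
            + bytes([tstp_high, use])
            + rnd.to_bytes(2, "little"))
    crc = ~crc16(body) & 0xFFFF
    return body + crc.to_bytes(2, "little")


# Values taken from this page's ykparse run.
SAMPLE_OTP = "cccccccccccdtdinchvvlgntchdrcnefdlhgnbggrhdu"
SAMPLE_PLAINTEXT = bytes.fromhex("a3ee9c0607570700a2feee05c475e41c")

if __name__ == "__main__":
    public_id, token = split_otp(SAMPLE_OTP)
    print("public id:", public_id, " ciphertext:", modhex_to_bytes(token).hex())
    fields = parse_token(SAMPLE_PLAINTEXT)
    fields["modhex_uid"] = bytes_to_modhex(bytes.fromhex(fields["uid"]))
    for k, v in fields.items():
        print("%-11s %s" % (k, v))
```

A failed CRC after decryption means the AES key in the KSM does not belong to that public id (or the OTP was corrupted in transit); it is the first check a KSM makes before it reports counter and use values to the validation server.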

Behaviour of the YubiKey when the Dvorak layout is in use

(Example of manually converting a string typed under the Dvorak layout)
$ tr "axje.uidchtnmbrl'poygk,qf;" 'abcdefghijklmnopqrstuvwxyz'

YubiKey NEO Manager

OATH-HOTP

#   1. Token Type         See below
#   2. Username           User's username
#   3. PIN                User's PIN, or "-" if user has no PIN, or "+" to verify PIN via "OTPAuthPINAuthProvider"
#   4. Token Key          Secret key for the token algorithm (see RFC 4226)
#   5. Counter/Offset     Next expected counter value (event tokens) or counter offset (time tokens)
#   6. Failure counter    Number of consecutive wrong OTP's provided by this users (for "OTPAuthMaxOTPFailure")
#   7. Last OTP           The previous successfully used one-time password
#   8. Time of Last OTP   Local timestamp when the last OTP was generated (in the form 2009-06-12T17:52:32L)
#   9. Last IP address    IP address used during the most recent successful attempt
HOTP  username  -  9f97258d50e1b8d6e79c91528cd42c6787774b89 646432  0  320564  2015-01-27T01:24:58L 192.168.1.1
HOTP/E/8 test003       -       4a93f311fc518fb6d7c5b1b2f78ef629ea583fd4

(image: hotp1.png)

TOTP

Python implementation for TOTP
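RFC 4226 HOTP and RFC 6238 TOTP in plain Python, as an added example (not code from this page or from any authentication module), together with the look-ahead window an event-token server needs because the token's counter can run ahead of the "next expected counter" column in records like the ones in the OATH-HOTP section above. parse_token_type follows the reading of the type column that "HOTP/E/8" suggests (event-based, 8 digits); that reading, and all function names, are assumptions of this example. The test secret is the shared one from the two RFCs.

```python
# Added example (not the page's own code): HOTP / TOTP generation and the
# server-side checks with counter look-ahead and clock skew. Names are this example's.
import hashlib
import hmac
import struct


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1(key, counter) -> dynamic truncation -> decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


def totp(key, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(key, int(unix_time) // step, digits)


def verify_hotp(key, presented, next_counter, window=10, digits=6):
    """Event-token check. Returns the new next-expected counter on success
    (so a server can store it back) or None. Counters below next_counter are
    never tried, which is what makes a reused code fail."""
    for c in range(next_counter, next_counter + window):
        if hmac.compare_digest(hotp(key, c, digits), presented):
            return c + 1
    return None


def verify_totp(key, presented, unix_time, skew=1, step=30, digits=6):
    """Time-token check accepting +/- skew steps of clock drift."""
    base = int(unix_time) // step
    return any(hmac.compare_digest(hotp(key, base + d, digits), presented)
               for d in range(-skew, skew + 1))


def parse_token_type(spec):
    """'HOTP' -> (event-based, 6 digits); 'HOTP/E/8' -> (event, 8);
    'HOTP/T/6' -> (time-based, 6). Assumption: this is what the type column means."""
    parts = spec.split("/")
    if parts[0] != "HOTP":
        raise ValueError("unsupported token type: %r" % spec)
    time_based = len(parts) > 1 and parts[1] == "T"
    digits = int(parts[2]) if len(parts) > 2 else 6
    return time_based, digits


RFC_KEY = b"12345678901234567890"   # shared test secret of RFC 4226 / RFC 6238

if __name__ == "__main__":
    for c in range(3):
        print("HOTP counter", c, "->", hotp(RFC_KEY, c))
    print("TOTP at t=59 (8 digits) ->", totp(RFC_KEY, 59, digits=8))
    print("accept 287082 with next counter 0 ->", verify_hotp(RFC_KEY, "287082", 0))
```

Once a code at counter c is accepted, the stored next counter becomes c + 1, so the same code presented again is outside the window and fails; the window only absorbs presses the server never saw.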

Build Tips

Building on Mac

yubico-c $ sudo make install
Password:
Making install in .
 build-aux/install-sh -c -d '/usr/local/lib'
 /bin/sh ./libtool   --mode=install /usr/bin/install -c   libyubikey.la '/usr/local/lib'
libtool: install: /usr/bin/install -c .libs/libyubikey.0.dylib /usr/local/lib/libyubikey.0.dylib
libtool: install: (cd /usr/local/lib && { ln -s -f libyubikey.0.dylib libyubikey.dylib || { rm -f libyubikey.dylib && ln -s libyubikey.0.dylib libyubikey.dylib; }; })
libtool: install: /usr/bin/install -c .libs/libyubikey.lai /usr/local/lib/libyubikey.la
libtool: install: /usr/bin/install -c .libs/libyubikey.a /usr/local/lib/libyubikey.a
libtool: install: chmod 644 /usr/local/lib/libyubikey.a
libtool: install: ranlib /usr/local/lib/libyubikey.a
 build-aux/install-sh -c -d '/usr/local/bin'
  /bin/sh ./libtool   --mode=install /usr/bin/install -c modhex ykparse ykgenerate '/usr/local/bin'
libtool: install: /usr/bin/install -c .libs/modhex /usr/local/bin/modhex
libtool: install: /usr/bin/install -c .libs/ykparse /usr/local/bin/ykparse
libtool: install: /usr/bin/install -c .libs/ykgenerate /usr/local/bin/ykgenerate
 build-aux/install-sh -c -d '/usr/local/include'
 /usr/bin/install -c -m 644 yubikey.h '/usr/local/include'
 build-aux/install-sh -c -d '/usr/local/share/man/man1'
 /usr/bin/install -c -m 644 modhex.1 ykparse.1 ykgenerate.1 '/usr/local/share/man/man1'
Making install in tests
make[2]: Nothing to be done for `install-exec-am'.
make[2]: Nothing to be done for `install-data-am'.

yubikey-personalization$ sudo make install
Making install in ykcore
make[2]: Nothing to be done for `install-exec-am'.
make[2]: Nothing to be done for `install-data-am'.
Making install in .
 build-aux/install-sh -c -d '/usr/local/lib'
 /bin/sh ./libtool   --mode=install /usr/bin/install -c   libykpers-1.la '/usr/local/lib'
libtool: install: /usr/bin/install -c .libs/libykpers-1.1.dylib /usr/local/lib/libykpers-1.1.dylib
libtool: install: (cd /usr/local/lib && { ln -s -f libykpers-1.1.dylib libykpers-1.dylib || { rm -f libykpers-1.dylib && ln -s libykpers-1.1.dylib libykpers-1.dylib; }; })
libtool: install: /usr/bin/install -c .libs/libykpers-1.lai /usr/local/lib/libykpers-1.la
libtool: install: /usr/bin/install -c .libs/libykpers-1.a /usr/local/lib/libykpers-1.a
libtool: install: chmod 644 /usr/local/lib/libykpers-1.a
libtool: install: ranlib /usr/local/lib/libykpers-1.a
 build-aux/install-sh -c -d '/usr/local/bin'
  /bin/sh ./libtool   --mode=install /usr/bin/install -c ykpersonalize ykchalresp ykinfo '/usr/local/bin'
libtool: install: /usr/bin/install -c .libs/ykpersonalize /usr/local/bin/ykpersonalize
libtool: install: /usr/bin/install -c .libs/ykchalresp /usr/local/bin/ykchalresp
libtool: install: /usr/bin/install -c .libs/ykinfo /usr/local/bin/ykinfo
 build-aux/install-sh -c -d '/usr/local/share/man/man1'
 /usr/bin/install -c -m 644 ykpersonalize.1 ykchalresp.1 ykinfo.1 '/usr/local/share/man/man1'
 build-aux/install-sh -c -d '/usr/local/lib/pkgconfig'
 /usr/bin/install -c -m 644 ykpers-1.pc '/usr/local/lib/pkgconfig'
 build-aux/install-sh -c -d '/usr/local/include/ykpers-1'
 /usr/bin/install -c -m 644 ykpers.h ykpers-version.h ykcore/ykstatus.h ykcore/ykcore.h ykcore/ykdef.h ykpbkdf2.h '/usr/local/include/ykpers-1'
Making install in tests
make[2]: Nothing to be done for `install-exec-am'.
make[2]: Nothing to be done for `install-data-am'.

Building on Windows

Yubico Personalization on CentOS 6

$ autoconf --version
autoconf (GNU Autoconf) 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+/Autoconf: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>, <http://gnu.org/licenses/exceptions.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by David J. MacKenzie and Akim Demaille.


$ automake --version
automake (GNU automake) 1.15
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl-2.0.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Tom Tromey <tromey@redhat.com>
       and Alexandre Duret-Lutz <adl@gnu.org>.


$ libtool --version
ltmain.sh (GNU libtool) 2.2.6b
Written by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996

Copyright (C) 2008 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Misc

Related to BadUSB: how safe is the firmware of the YubiKey device?

Kernel log on YubiKey insertion, CentOS 6.6

Jan 25 03:08:05 kiosk kernel: usb 2-1: new full speed USB device number 5 using ohci_hcd
Jan 25 03:08:05 kiosk kernel: usb 2-1: New USB device found, idVendor=1050, idProduct=0110
Jan 25 03:08:05 kiosk kernel: usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Jan 25 03:08:05 kiosk kernel: usb 2-1: Product: Yubikey NEO OTP
Jan 25 03:08:05 kiosk kernel: usb 2-1: Manufacturer: Yubico
Jan 25 03:08:05 kiosk kernel: usb 2-1: configuration #1 chosen from 1 choice
Jan 25 03:08:05 kiosk kernel: input: Yubico Yubikey NEO OTP as /devices/pci0000:00/0000:00:06.0/usb2/2-1/2-1:1.0/input/input13
Jan 25 03:08:05 kiosk kernel: generic-usb 0003:1050:0110.0009: input,hidraw0: USB HID v1.10 Keyboard [Yubico Yubikey NEO OTP] on usb-0000:00:06.0-1/input0

udevadm info

$ udevadm info -a -p /devices/pci0000:00/0000:00:06.0/usb2/2-1/2-1:1.0/input/input13

Udevadm info starts with the device specified by the devpath and then
walks up the chain of parent devices. It prints for every device
found, all possible attributes in the udev rules key format.
A rule to match, can be composed by the attributes of the device
and the attributes from one single parent device.

  looking at device '/devices/pci0000:00/0000:00:06.0/usb2/2-1/2-1:1.0/input/input13':
    KERNEL=="input13"
    SUBSYSTEM=="input"
    DRIVER==""
    ATTR{name}=="Yubico Yubikey NEO OTP"
    ATTR{phys}=="usb-0000:00:06.0-1/input0"
    ATTR{uniq}==""
    ATTR{modalias}=="input:b0003v1050p0110e0110-e0,1,4,11,14,k77,7D,7E,7F,ram4,l0,1,2,3,4,sfw"
    ATTR{properties}=="0"

  looking at parent device '/devices/pci0000:00/0000:00:06.0/usb2/2-1/2-1:1.0':
    KERNELS=="2-1:1.0"
    SUBSYSTEMS=="usb"
    DRIVERS=="usbhid"
    ATTRS{bInterfaceNumber}=="00"
    ATTRS{bAlternateSetting}==" 0"
    ATTRS{bNumEndpoints}=="01"
    ATTRS{bInterfaceClass}=="03"
    ATTRS{bInterfaceSubClass}=="01"
    ATTRS{bInterfaceProtocol}=="01"
    ATTRS{modalias}=="usb:v1050p0110d0318dc00dsc00dp00ic03isc01ip01"
    ATTRS{supports_autosuspend}=="1"

  looking at parent device '/devices/pci0000:00/0000:00:06.0/usb2/2-1':
    KERNELS=="2-1"
    SUBSYSTEMS=="usb"
    DRIVERS=="usb"
    ATTRS{configuration}==""
    ATTRS{bNumInterfaces}==" 1"
    ATTRS{bConfigurationValue}=="1"
    ATTRS{bmAttributes}=="80"
    ATTRS{bMaxPower}==" 30mA"
    ATTRS{urbnum}=="16"
    ATTRS{idVendor}=="1050"
    ATTRS{idProduct}=="0110"
    ATTRS{bcdDevice}=="0318"
    ATTRS{bDeviceClass}=="00"
    ATTRS{bDeviceSubClass}=="00"
    ATTRS{bDeviceProtocol}=="00"
    ATTRS{bNumConfigurations}=="1"
    ATTRS{bMaxPacketSize0}=="64"
    ATTRS{speed}=="12"
    ATTRS{busnum}=="2"
    ATTRS{devnum}=="5"
    ATTRS{version}==" 2.00"
    ATTRS{maxchild}=="0"
    ATTRS{quirks}=="0x0"
    ATTRS{authorized}=="1"
    ATTRS{ltm_capable}=="no"
    ATTRS{manufacturer}=="Yubico"
    ATTRS{product}=="Yubikey NEO OTP"

  looking at parent device '/devices/pci0000:00/0000:00:06.0/usb2':
    KERNELS=="usb2"
    SUBSYSTEMS=="usb"
    DRIVERS=="usb"
    ATTRS{configuration}==""
    ATTRS{bNumInterfaces}==" 1"
    ATTRS{bConfigurationValue}=="1"
    ATTRS{bmAttributes}=="e0"
    ATTRS{bMaxPower}=="  0mA"
    ATTRS{urbnum}=="114"
    ATTRS{idVendor}=="1d6b"
    ATTRS{idProduct}=="0001"
    ATTRS{bcdDevice}=="0206"
    ATTRS{bDeviceClass}=="09"
    ATTRS{bDeviceSubClass}=="00"
    ATTRS{bDeviceProtocol}=="00"
    ATTRS{bNumConfigurations}=="1"
    ATTRS{bMaxPacketSize0}=="64"
    ATTRS{speed}=="12"
    ATTRS{busnum}=="2"
    ATTRS{devnum}=="1"
    ATTRS{version}==" 1.10"
    ATTRS{maxchild}=="8"
    ATTRS{quirks}=="0x0"
    ATTRS{authorized}=="1"
    ATTRS{ltm_capable}=="no"
    ATTRS{manufacturer}=="Linux 2.6.32-504.3.3.el6.x86_64 ohci_hcd"
    ATTRS{product}=="OHCI Host Controller"
    ATTRS{serial}=="0000:00:06.0"
    ATTRS{authorized_default}=="1"

  looking at parent device '/devices/pci0000:00/0000:00:06.0':
    KERNELS=="0000:00:06.0"
    SUBSYSTEMS=="pci"
    DRIVERS=="ohci_hcd"
    ATTRS{vendor}=="0x106b"
    ATTRS{device}=="0x003f"
    ATTRS{subsystem_vendor}=="0x0000"
    ATTRS{subsystem_device}=="0x0000"
    ATTRS{class}=="0x0c0310"
    ATTRS{irq}=="22"
    ATTRS{local_cpus}=="1"
    ATTRS{local_cpulist}=="0"
    ATTRS{modalias}=="pci:v0000106Bd0000003Fsv00000000sd00000000bc0Csc03i10"
    ATTRS{numa_node}=="-1"
    ATTRS{broken_parity_status}=="0"
    ATTRS{msi_bus}==""

  looking at parent device '/devices/pci0000:00':
    KERNELS=="pci0000:00"
    SUBSYSTEMS==""
    DRIVERS==""
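
The kernel log and the udevadm walk above show why a YubiKey is relevant to the BadUSB discussion: the NEO enumerates as a plain USB HID keyboard (bInterfaceClass 03, subclass 01, protocol 01), which is exactly what a malicious "storage stick" firmware does when it starts typing. The check a host can make is therefore not "is it a keyboard" but "is this keyboard a device we expect", keyed on idVendor/idProduct from the USB device ancestor, with the per-device sysfs `authorized` flag (visible in the walk) as the enforcement knob. The following Python is an added example, not code from the page or from Yubico: it parses udevadm output copied from above (constructed sample, trimmed to the needed attributes), classifies the device against an allowlist that is an assumed site policy, and generates udev rules that deauthorize every non-hub USB device not on that list. Keep in mind that a VID:PID pair is asserted by the device firmware and can be spoofed, so this raises the bar rather than proving authenticity; test the generated rules on a non-production host before deploying them.

```python
import re

# Constructed sample: the relevant blocks of the `udevadm info -a -p ...` walk
# shown above, trimmed to the attributes the check needs (child first, then parents).
SAMPLE_UDEVADM = """
  looking at device '/devices/pci0000:00/0000:00:06.0/usb2/2-1/2-1:1.0/input/input13':
    KERNEL=="input13"
    SUBSYSTEM=="input"
    ATTR{name}=="Yubico Yubikey NEO OTP"

  looking at parent device '/devices/pci0000:00/0000:00:06.0/usb2/2-1/2-1:1.0':
    KERNELS=="2-1:1.0"
    SUBSYSTEMS=="usb"
    DRIVERS=="usbhid"
    ATTRS{bInterfaceClass}=="03"
    ATTRS{bInterfaceSubClass}=="01"
    ATTRS{bInterfaceProtocol}=="01"

  looking at parent device '/devices/pci0000:00/0000:00:06.0/usb2/2-1':
    KERNELS=="2-1"
    SUBSYSTEMS=="usb"
    ATTRS{idVendor}=="1050"
    ATTRS{idProduct}=="0110"
    ATTRS{bcdDevice}=="0318"
    ATTRS{bDeviceClass}=="00"
    ATTRS{authorized}=="1"
    ATTRS{product}=="Yubikey NEO OTP"

  looking at parent device '/devices/pci0000:00/0000:00:06.0/usb2':
    KERNELS=="usb2"
    SUBSYSTEMS=="usb"
    ATTRS{idVendor}=="1d6b"
    ATTRS{idProduct}=="0001"
    ATTRS{bDeviceClass}=="09"
    ATTRS{authorized_default}=="1"
"""

# Assumption: site policy. Only these VID:PID pairs may present a keyboard interface.
ALLOWLIST = {("1050", "0110"): "Yubikey NEO OTP"}

BLOCK_RE = re.compile(r"\s*looking at (?:parent )?device '([^']+)'")
ATTR_RE = re.compile(r'\s*(ATTRS?|KERNELS?|SUBSYSTEMS?|DRIVERS?)(?:\{(\w+)\})?=="([^"]*)"')

def parse_udevadm_walk(text):
    """One dict per 'looking at ... device' block, in child-to-parent order.
    ATTR{x}/ATTRS{x} become key x; KERNELS/SUBSYSTEMS/DRIVERS lose the plural S."""
    devices, cur = [], None
    for line in text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            cur = {"path": m.group(1)}
            devices.append(cur)
            continue
        m = ATTR_RE.match(line)
        if m and cur is not None:
            key = m.group(2) or m.group(1).rstrip("S")
            cur[key] = m.group(3).strip()   # udev pads numeric attributes with spaces
    return devices

def usb_identity(devices):
    """Pick the HID interface and the nearest USB device ancestor (the first block
    carrying idVendor); the root hub comes later in the walk and is ignored."""
    iface = next((d for d in devices if "bInterfaceClass" in d), {})
    dev = next(d for d in devices if "idVendor" in d)
    hid_triplet = (iface.get("bInterfaceClass"), iface.get("bInterfaceSubClass"),
                   iface.get("bInterfaceProtocol"))
    return {
        "vid": dev["idVendor"], "pid": dev["idProduct"],
        "bcd_device": dev.get("bcdDevice"), "product": dev.get("product"),
        "is_keyboard": hid_triplet == ("03", "01", "01"),  # HID / boot subclass / keyboard
        "authorized": dev.get("authorized") == "1",
        "devpath": dev["path"],
    }

def policy_decision(ident, allowlist=ALLOWLIST):
    """A keyboard-class interface from a VID:PID that is not allowlisted is the BadUSB
    pattern (a stick or charger that suddenly types); a known YubiKey is not."""
    key = (ident["vid"], ident["pid"])
    if key in allowlist:
        return "allow", "%s (%s:%s)" % (allowlist[key], key[0], key[1])
    if ident["is_keyboard"]:
        return "deny", "unexpected HID keyboard from %s:%s" % key
    return "review", "unknown USB device %s:%s" % key

def udev_rules(allowlist=ALLOWLIST):
    """Emit udev rules that clear the per-device sysfs 'authorized' flag for every
    non-hub USB device not on the allowlist, so the kernel never configures it and
    no HID keyboard driver gets bound. Hubs (bDeviceClass 09) are left alone."""
    rules = ["# generated: deauthorize USB devices that are not on the allowlist"]
    for (vid, pid), name in sorted(allowlist.items()):
        rules.append("# %s" % name)
        rules.append('ACTION=="add", SUBSYSTEM=="usb", DEVTYPE=="usb_device", '
                     'ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", GOTO="usb_allow_end"'
                     % (vid, pid))
    rules.append('ACTION=="add", SUBSYSTEM=="usb", DEVTYPE=="usb_device", '
                 'ATTR{bDeviceClass}!="09", ATTR{authorized}="0"')
    rules.append('LABEL="usb_allow_end"')
    return "\n".join(rules)

if __name__ == "__main__":
    ident = usb_identity(parse_udevadm_walk(SAMPLE_UDEVADM))
    print(policy_decision(ident))
    print(udev_rules())
```

On a live host, replace SAMPLE_UDEVADM with the output of `udevadm info -a -p <devpath>` for the input device the kernel reported, and install the generated rules under /etc/udev/rules.d/ only after confirming that keyboards and hubs you rely on are covered.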

Debian packages

Package: libapache2-mod-authn-yubikey
Version: 1.0-1
Installed-Size: 104
Maintainer: Alexandre De Dommelin <adedommelin@tuxz.net>
Architecture: i386
Depends: libc6 (>= 2.1.3), libcurl3 (>= 7.16.2-1), apache2
Description-en: Yubikey authentication provider for Apache
 The mod_authn_yubikey module is an authentication provider
 for the Apache platform. It leverages the YubiKey which is
 a small token that acts as an authentication device.
 .
 The mod_authn_yubikey module provides one and two factor
 authentication for your website and is completely independent
 from the technlogy that implements your website (like CGI, JSP or PHP).
Homepage: http://www.coffeecrew.org/software/yubikey-apache-plugin/
Description-md5: ec971ffc709ebf419485de21ba141a74
Tag: role::shared-lib, security::authentication
Section: httpd
Priority: extra
Filename: pool/main/liba/libapache2-mod-authn-yubikey/libapache2-mod-authn-yubikey_1.0-1_i386.deb
Size: 18130
MD5sum: 96ec5bc8cf3ee1c7a4e6084bcc9fd72a
SHA1: 476a87e8bc5a38e0a1a98e5e7d585a922a5e9731
SHA256: 99706115c18fd9271ba04321499359befa92b640417a7db68ba5c17783670077

Package: libauth-yubikey-decrypter-perl
Version: 0.07-1
Installed-Size: 64
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Architecture: all
Depends: perl, libcrypt-rijndael-perl
Description-en: yubikey token output decryptor
 Auth::Yubikey_Decrypter is a Perl module to decrypt the AES output
 of Yubikey tokens.
 .
 Please note that this module does not perform authentication.
 It is a required component to decrypt the token first before
 authentication can be performed.
Homepage: http://search.cpan.org/dist/Auth-Yubikey_Decrypter/
Description-md5: 6b832fe63e5f80c5b4826f7c0c5c6d20
Tag: devel::lang:perl, devel::library, implemented-in::perl
Section: perl
Priority: optional
Filename: pool/main/liba/libauth-yubikey-decrypter-perl/libauth-yubikey-decrypter-perl_0.07-1_all.deb
Size: 7856
MD5sum: 8fda703dcf261c2e2a827f47234e3a51
SHA1: 7b5a79e30503e3fc91dacc8411f84e5014012592
SHA256: 0c9544690cb98e875c9afac83d18af2ace7e071b732b673ccb40020bd4eac215

Package: libauth-yubikey-webclient-perl
Version: 3.00-1
Installed-Size: 54
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Architecture: all
Depends: perl, libdigest-hmac-perl, liburi-perl, libwww-perl
Description-en: Perl module to authenticate Yubikey against the Yubico Web API
 Auth::Yubikey_WebClient is a Perl module to authenticate Yubikey against the
 public Yubico Web API.
Homepage: http://search.cpan.org/dist/Auth-Yubikey_WebClient/
Description-md5: 44aced25a2330d97c7c9e95b90a2d7ba
Tag: devel::lang:perl, devel::library, implemented-in::perl
Section: perl
Priority: optional
Filename: pool/main/liba/libauth-yubikey-webclient-perl/libauth-yubikey-webclient-perl_3.00-1_all.deb
Size: 9412
MD5sum: 38091d0ebd213dc7671f31c8b88bd703
SHA1: 52518b55b9358fdf16de24549c8ad612d2bfe017
SHA256: 3e50854a638eca60699b097d54b5ffa911b2ee7713f5de53aa5fbab100b3d802

Package: libyubikey-dev
Source: libyubikey
Version: 1.8-1
Installed-Size: 70
Maintainer: Tollef Fog Heen <tfheen@debian.org>
Architecture: i386
Depends: libc6 (>= 2.0), libyubikey0 (= 1.8-1)
Description-en: Yubikey OTP library development files
 Yubikeys are USB tokens that act like keyboards and generate one-time
 passwords.  The tokens are produced and sold by Yubico
 .
 This library is used for decrypting the one-time passwords into their
 various components.
 .
 This package contains the necessary files for developing using libyubikey.
Homepage: http://code.google.com/p/yubico-c/
Description-md5: 0df7e42a5e35ddbbca9a77f179ac2266
Tag: devel::library, role::devel-lib, security::authentication
Section: libdevel
Priority: optional
Filename: pool/main/liby/libyubikey/libyubikey-dev_1.8-1_i386.deb
Size: 15728
MD5sum: 2ad3a22c634c4a96dcb93b1a246bdf45
SHA1: 9b38d8e455297fdc051fbc8b38f9fdaa096b1d9a
SHA256: 5dd26f6a438c09b8ea571f295993d691a93bec5db86c1b6f4dfc1b12f26e52db

Package: libyubikey0
Source: libyubikey
Version: 1.8-1
Installed-Size: 41
Maintainer: Tollef Fog Heen <tfheen@debian.org>
Architecture: i386
Depends: libc6 (>= 2.1.3)
Description-en: Yubikey OTP handling library runtime
 Yubikeys are USB tokens that act like keyboards and generate one-time
 passwords.  The tokens are produced and sold by Yubico
 .
 This library is used for decrypting the one-time passwords into their
 various components.
 .
 This package contains the runtime library for libyubikey.
Homepage: http://code.google.com/p/yubico-c/
Description-md5: 573f649498eb60d855fe61657c26f822
Tag: role::shared-lib
Section: libs
Priority: optional
Filename: pool/main/liby/libyubikey/libyubikey0_1.8-1_i386.deb
Size: 9544
MD5sum: 949e60cc965240fb333d9427889f31b9
SHA1: 3a0a890456f7748984a68b365170b004eb73ec2a
SHA256: 89845ad91cf1e2489650dbef8d9504097aa15cf4e22480b2d0b546591720bbbc

Package: python-pyhsm
Version: 1.0.4-1
Installed-Size: 170
Maintainer: Yubico Open Source Maintainers <ossmaint@yubico.com>
Architecture: all
Provides: python2.7-pyhsm
Depends: python, python-support (>= 0.90.0), python-crypto, python-serial
Recommends: yhsm-tools
Suggests: python-argparse, yhsm-docs
Description-en: Python code for talking to a Yubico YubiHSM hardware
 YubiHSM is an easy to use and affordable crypto appliance
 that you connect to the USB port of a server. You can then
 store cryptographic keys on the YubiHSM and use them from the
 server without any possibility for an attacker to extract
 the crypto keys from the YubiHSM.
 .
 Supported operations include YubiKey OTP validation, AES ECB
 encrypt/decrypt/decrypt-compare, HMAC-SHA1 hashing (enabling OATH code
 validation), and Random number entropy generation.
 .
 This package contains the core Python code for interacting with the
 YubiHSM.
Homepage: https://github.com/Yubico/python-pyhsm
Description-md5: 8082ee8670b46c046900e8dc0244ec2e
Python-Version: 2.7
Section: python
Priority: optional
Filename: pool/main/p/python-pyhsm/python-pyhsm_1.0.4-1_all.deb
Size: 39658
MD5sum: f8549a551836714813ebda8a3e003bf0
SHA1: 90bbd6f40fda1651f154b72fca86bd9313a285f7
SHA256: e2b056563d40a3bf3f86308e34ebf3c2443b27224e589a3925d2261374ab5c5e

Package: yhsm-tools
Source: python-pyhsm
Version: 1.0.4-1
Installed-Size: 73
Maintainer: Yubico Open Source Maintainers <ossmaint@yubico.com>
Architecture: all
Depends: python, python-argparse, python-pyhsm (= 1.0.4-1)
Description-en: Common files for YubiHSM applications
 YubiHSM is an easy to use and affordable crypto appliance
 that you connect to the USB port of a server. You can then
 store cryptographic keys on the YubiHSM and use them from the
 server without any possibility for an attacker to extract
 the crypto keys from the YubiHSM.
 .
 Supported operations include YubiKey OTP validation, AES ECB
 encrypt/decrypt/decrypt-compare, HMAC-SHA1 hashing (enabling OATH code
 validation), and Random number entropy generation.
 .
 This package includes the following utilities :
 .
   * yhsm-keystore-unlock - Keystore unlock
   * yhsm-linux-add-entropy - Entropy seeder
Homepage: https://github.com/Yubico/python-pyhsm
Description-md5: 61550c2ed43451c76563e759ec8908ee
Section: python
Priority: optional
Filename: pool/main/p/python-pyhsm/yhsm-tools_1.0.4-1_all.deb
Size: 21084
MD5sum: 0cfe836272df74f85f423c0ab819f7f5
SHA1: 036e5b46dd7a617dc780105f4682368303e772d0
SHA256: b8d0b13943efb07ff8a6bd35668b54de6b7445aece83d8ff89d0f5492d79ce13

Package: yhsm-validation-server
Source: python-pyhsm
Version: 1.0.4-1
Installed-Size: 105
Maintainer: Yubico Open Source Maintainers <ossmaint@yubico.com>
Architecture: all
Depends: python, adduser, python-pyhsm (= 1.0.4-1), python-argparse, yhsm-tools
Description-en: Validation server using YubiHSM
 This package validates YubiKey OTP's, OATH codes or password hashes
 using YubiHSM.
 .
 The interface is a REST API with a simple web server listening on
 localhost only (per default). It can function as a drop-in replacement
 for the traditional PHP based Yubico validation server, except that
 it does not provide the advanced replication features of that server.
Homepage: https://github.com/Yubico/python-pyhsm
Description-md5: fccea400990e1c8586328d1c8d3f19ca
Section: python
Priority: optional
Filename: pool/main/p/python-pyhsm/yhsm-validation-server_1.0.4-1_all.deb
Size: 28070
MD5sum: 88d0da6c09d81e934ddd96a00454d666
SHA1: a302c1038a0c71ae753374b6ed1fb4ccf08f470c
SHA256: 089e368c00f1b2bfafe73242d75b3ed851469298675568213fa222615ccfce78

Package: yhsm-yubikey-ksm
Source: python-pyhsm
Version: 1.0.4-1
Installed-Size: 104
Maintainer: Yubico Open Source Maintainers <ossmaint@yubico.com>
Architecture: all
Depends: python, adduser, python-pyhsm (= 1.0.4-1), python-argparse, yhsm-tools
Description-en: Yubikey Key Storage Module using YubiHSM
 Decryption backend for a Yubico validation service. Uses the
 YubiHSM to decrypt YubiKey OTPs and answer 'OK' or 'ERR'.
 .
 This package provides the decryption backend for a Yubico validation
 service. It uses the YubiHSM to decrypt YubiKey OTPs and answer 'OK'
 or 'ERR'.
Homepage: https://github.com/Yubico/python-pyhsm
Description-md5: bc7dd65fb9d2e8a900451652aac9acb3
Section: python
Priority: optional
Filename: pool/main/p/python-pyhsm/yhsm-yubikey-ksm_1.0.4-1_all.deb
Size: 23310
MD5sum: 4bfd7b634493d1e314aa5581f9faf2b3
SHA1: abd224bc18653dba1f84db99fd3e9598098515db
SHA256: 6b3d15735a95becf500d662fcbba19ca9fabd2af396541c682f7ec32b494602a

Package: python-yubico
Version: 1.1.0-2
Installed-Size: 134
Maintainer: Yubico Open Source Maintainers <ossmaint@yubico.com>
Architecture: all
Provides: python2.6-yubico, python2.7-yubico
Depends: python, python-support (>= 0.90.0), python-usb
Description-en: Python code for talking to Yubico YubiKeys
 The YubiKey is a hardware authentication token. This is a Python
 package for interacting with YubiKeys. Typical use is to detect,
 configure (personalize) or issue challenge-responses to YubiKeys.
Homepage: https://github.com/Yubico/python-yubico
Description-md5: 2937d841b8c27be62aaa3657dcd4f2da
Python-Version: 2.6, 2.7
Section: python
Priority: optional
Filename: pool/main/p/python-yubico/python-yubico_1.1.0-2_all.deb
Size: 31070
MD5sum: fe3df4e8ec1d13daa397a4641232f468
SHA1: 880683c17760d9fc8862be4ab9a45ceb05bc04c0
SHA256: 8306b88e51d27042a33121e6f2762663a39bdfcdf5912d854952e28fd1210782

Package: python-yubico-tools
Source: python-yubico
Version: 1.1.0-2
Installed-Size: 47
Maintainer: Yubico Open Source Maintainers <ossmaint@yubico.com>
Architecture: all
Depends: python, python-argparse, python-yubico (= 1.1.0-2)
Description-en: Tools for Yubico YubiKeys
 The YubiKey is a hardware authentication token. This package
 contains utilities for the YubiKey implemented using the
 python-yubico package.
 .
 This package currently includes the following utilities :
 .
   * yubikey-totp - OATH TOTP code generator using YubiKey
Homepage: https://github.com/Yubico/python-yubico
Description-md5: d14e0bb5a992380aed6c9b63cc6d1587
Section: python
Priority: optional
Filename: pool/main/p/python-yubico/python-yubico-tools_1.1.0-2_all.deb
Size: 8930
MD5sum: 71d0c59db1cc5959fd3bc2a7d4bfd208
SHA1: 562ed8d335a50acda4769d3b2cdf047661875b54
SHA256: 4cb55ea60026d2b9ada61c31213cabd5c9e3e9e3ec4d896b0c86adc44f3c20ff

Package: libykclient-dev
Source: ykclient
Version: 2.6-1
Installed-Size: 108
Maintainer: Tollef Fog Heen <tfheen@debian.org>
Architecture: i386
Depends: libykclient3 (= 2.6-1), libc6 (>= 2.0), libcurl3-gnutls (>= 7.16.2-1)
Description-en: Yubikey client library development files
 Yubikeys are USB tokens that act like keyboards and generate one-time
 passwords.  The tokens are produced and sold by Yubico
 .
 This library is used for talking to an online validation server such
 as yubikey-server-c, yubikey-server-php or yubikey-server-j.
 .
 This package contains the necessary files for developing using libyubikey.
Homepage: http://code.google.com/p/yubico-c-client/
Description-md5: 3d6cd77318cc0b73fec57f3cc7589248
Tag: devel::library, role::devel-lib, security::authentication
Section: libdevel
Priority: optional
Filename: pool/main/y/ykclient/libykclient-dev_2.6-1_i386.deb
Size: 26544
MD5sum: eb2c675c9a05e3ff6b01b00f0d62d48d
SHA1: bed65dcfc5fc6b33bc8d660be606ad686caf65fe
SHA256: 725a59a9de8f93b7edfb1321520cd1516a8b2269bcdab71617a0d701c55ea689

Package: libykclient3
Source: ykclient
Version: 2.6-1
Installed-Size: 88
Maintainer: Tollef Fog Heen <tfheen@debian.org>
Architecture: i386
Depends: libc6 (>= 2.7), libcurl3-gnutls (>= 7.16.2-1)
Description-en: Yubikey client library runtime
 Yubikeys are USB tokens that act like keyboards and generate one-time
 passwords.  The tokens are produced and sold by Yubico
 .
 This library is used for talking to an online validation server such
 as yubikey-server-c, yubikey-server-php or yubikey-server-j.
 .
 This package contains the runtime library.
Homepage: http://code.google.com/p/yubico-c-client/
Description-md5: f8865d83b137e6e3e8268ae9c917b2e1
Tag: role::shared-lib
Section: libs
Priority: optional
Filename: pool/main/y/ykclient/libykclient3_2.6-1_i386.deb
Size: 23982
MD5sum: 9c1387056e6e1c37ea9f5b7abd8ba454
SHA1: 09d3991376e6ea29a747a4a8758ae5a6bea11039
SHA256: 0c354118288f0f018ed78b480b224e4aa1ecb8bf51e7dc0ebded19d3e45e6e44

Package: libpam-yubico
Source: yubico-pam
Version: 2.12-1
Installed-Size: 152
Maintainer: Yubico Open Source Maintainers <ossmaint@yubico.com>
Architecture: i386
Depends: libpam-runtime (>= 1.0.1-6~), libykclient3 (>= 2.4), libldap-2.4-2 (>= 2.4.7), libykpers-1-1 (>= 1.5.2), debconf (>= 0.5) | debconf-2.0, libc6 (>= 2.7), libpam0g (>= 1.1.3), libyubikey0 (>= 1.5)
Description-en: two-factor password and YubiKey OTP PAM module
 This package provides the Yubico PAM module. It enables the use of
 two-factor authentication, with existing logins and passwords plus
 a YubiKey One-Time Password that is validated against an online
 validation service. The default is the free YubiCloud, but it is easy
 to set up a custom service.
 .
 A second mode of operation is available using the YubiKey's HMAC-SHA-1
 Challenge-Response functionality. This allows for offline validation
 using a YubiKey, for example on a laptop computer. However, this only
 works for local logins, not for instance SSH logins.
Homepage: http://code.google.com/p/yubico-pam/
Description-md5: d0744e8e79ba8b0531d2ced11a11bf5c
Section: admin
Priority: optional
Filename: pool/main/y/yubico-pam/libpam-yubico_2.12-1_i386.deb
Size: 65932
MD5sum: 5bd2a9a2bf4a22e8f1ae87448809fe40
SHA1: 83f58bdd7c60a6683c113da5108aff51bc0ffec2
SHA256: c327f949f1c8a6643f04b1c22ec4a64640ad30f68f778b9a8d21e9ae0b9db2cd
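
The libpam-yubico description above names two modes: OTPs checked against an online validation service, and offline HMAC-SHA1 challenge-response, where the host stores a challenge together with the response it expects and rotates the pair after every successful login. The following Python is an added example, not libpam-yubico's own code: it simulates the token as HMAC-SHA1 over the challenge with a secret held in memory (an assumption standing in for the secret inside the key's slot), keeps the per-user state in a dict instead of the on-disk file the PAM module uses, compares responses in constant time, and shows why rotation matters by letting an attacker who sniffed one challenge/response pair try to replay it.

```python
import hashlib
import hmac
import os

CHALLENGE_LEN = 32   # any length up to the 64-byte challenge the key accepts
RESPONSE_LEN = 20    # HMAC-SHA1 output

class SimulatedYubiKeySlot:
    """Stand-in for a slot programmed for HMAC-SHA1 challenge-response.
    Assumption: the real key answers HMAC-SHA1(secret, challenge); here the
    secret lives in memory instead of inside the token."""
    def __init__(self, secret: bytes):
        self._secret = secret

    def challenge_response(self, challenge: bytes) -> bytes:
        if not 0 < len(challenge) <= 64:
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()

class ReplayingAttacker:
    """Captured one challenge/response pair (e.g. by sniffing the USB bus)
    and answers every challenge with the captured response."""
    def __init__(self, captured_response: bytes):
        self._captured = captured_response

    def challenge_response(self, challenge: bytes) -> bytes:
        return self._captured

def enroll(token) -> dict:
    """State the host stores: a random challenge and the token's answer to it."""
    challenge = os.urandom(CHALLENGE_LEN)
    return {"challenge": challenge, "response": token.challenge_response(challenge)}

def authenticate(token, state: dict):
    """Offline check: send the stored challenge to whatever token is presented,
    compare in constant time, and on success rotate to a fresh challenge so the
    pair just used is worthless to anyone who observed it.
    Returns (ok, state_to_store)."""
    answer = token.challenge_response(state["challenge"])
    if not hmac.compare_digest(answer, state["response"]):
        return False, state            # failure: keep the old state, no rotation
    return True, enroll(token)         # success: new challenge, new expected response

def run_demo() -> dict:
    genuine = SimulatedYubiKeySlot(b"\x01" * 20)     # constructed slot secret
    clone = SimulatedYubiKeySlot(b"\x02" * 20)       # token with the wrong secret
    state = enroll(genuine)
    attacker = ReplayingAttacker(state["response"])  # sniffed the enrollment pair
    ok_genuine, state = authenticate(genuine, state) # succeeds and rotates
    ok_clone, state = authenticate(clone, state)     # wrong secret, wrong answer
    ok_replay, state = authenticate(attacker, state) # stale answer, new challenge
    return {"genuine": ok_genuine, "wrong_key": ok_clone, "replay": ok_replay}

if __name__ == "__main__":
    print(run_demo())
```

The stored response is only as secret as the file holding it, and it proves knowledge of the slot secret for that one challenge; that is why a successful login must immediately replace the pair, and why a failed attempt must not (an attacker should not be able to force rotation without a valid answer).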

Package: libykpers-1-1
Source: yubikey-personalization
Version: 1.7.0-1
Installed-Size: 108
Maintainer: Tollef Fog Heen <tfheen@debian.org>
Architecture: i386
Depends: libc6 (>= 2.4), libusb-1.0-0 (>= 2:1.0.8), libyubikey0 (>= 1.5)
Pre-Depends: multiarch-support
Description-en: Personalization tool for Yubikey OTP tokens
 Yubikeys are USB tokens that act like keyboards and generate one-time
 or static passwords.
 .
 This package contains the run-time shared library needed for the
 personalization tool.
Multi-Arch: same
Homepage: http://code.google.com/p/yubikey-personalization/
Description-md5: ae493fb115f955eee6883b8a89b1c227
Tag: implemented-in::c, role::shared-lib, security::cryptography
Section: libs
Priority: extra
Filename: pool/main/y/yubikey-personalization/libykpers-1-1_1.7.0-1_i386.deb
Size: 42562
MD5sum: 9bb5ea0b2459ebb08ca6bcd6ecdd2782
SHA1: b92a237a965595c63a120febceb12bba35739593
SHA256: 3dff14af7a845075c8e74112cdcd93882fbb84cced9f098e8346e394d2350d30

Package: libykpers-1-dev
Source: yubikey-personalization
Version: 1.7.0-1
Installed-Size: 152
Maintainer: Tollef Fog Heen <tfheen@debian.org>
Architecture: i386
Depends: libykpers-1-1 (= 1.7.0-1)
Description-en: Personalization tool for Yubikey OTP tokens
 Yubikeys are USB tokens that act like keyboards and generate one-time
 or static passwords.
 .
 This package contains the development files for the library.
Homepage: http://code.google.com/p/yubikey-personalization/
Description-md5: 87e3ae1e55a8d6d9bcd88b893a0f9c2f
Tag: devel::library, role::devel-lib, security::authentication
Section: libdevel
Priority: extra
Filename: pool/main/y/yubikey-personalization/libykpers-1-dev_1.7.0-1_i386.deb
Size: 48796
MD5sum: 79dcfcfd24c5dd1477709b79570eee5c
SHA1: 824861e80885c656ab7cf11554fbf59062672187
SHA256: 1eaf1588a0ef8fefb8a3f77257c86719c3a9563f0e2fd3eac8af095be1da982c

Package: yubikey-personalization
Version: 1.7.0-1
Installed-Size: 119
Maintainer: Tollef Fog Heen <tfheen@debian.org>
Architecture: i386
Depends: libc6 (>= 2.7), libusb-1.0-0 (>= 2:1.0.8), libykpers-1-1 (>= 1.7.0-1), libyubikey0 (>= 1.5)
Description-en: Personalization tool for Yubikey OTP tokens
 Yubikeys are USB tokens that act like keyboards and generate one-time
 or static passwords.
 .
 This is a tool to customize the tokens with your own cryptographic
 key, user id and so on.
Homepage: http://code.google.com/p/yubikey-personalization/
Description-md5: 3a4c8e6cc91bc183ebe17612d36b7e0d
Tag: role::program
Section: utils
Priority: extra
Filename: pool/main/y/yubikey-personalization/yubikey-personalization_1.7.0-1_i386.deb
Size: 45958
MD5sum: 2eabd60aa37bb4f719e2fb56384ba226
SHA1: d442ca9a52c81e900ebfc31de7afe5f42f621749
SHA256: d69f563835a08bd12f9a7e378d510d8519643782bb6e82a1d6bdb0a7c92fa4ad

Package: yubikey-personalization-gui
Version: 3.0.6-1
Installed-Size: 628
Maintainer: Yubico Open Source Maintainers <ossmaint@yubico.com>
Architecture: i386
Depends: libc6 (>= 2.4), libgcc1 (>= 1:4.1.1), libqtcore4 (>= 4:4.7.0~beta1), libqtgui4 (>= 4:4.5.3), libstdc++6 (>= 4.1.1), libykpers-1-1 (>= 1.5.0), libyubikey0 (>= 1.5)
Description-en: Graphical personalization tool for YubiKey tokens
 YubiKeys are USB tokens that act like keyboards and generate one-time
 passwords, static passwords or work in challenge-response mode.
 .
 This is a graphical tool to customize the token with your own
 cryptographic key and options.
Homepage: https://github.com/Yubico/yubikey-personalization-gui
Description-md5: ead8aea67c068c6ea35aca4fae2014de
Section: utils
Priority: extra
Filename: pool/main/y/yubikey-personalization-gui/yubikey-personalization-gui_3.0.6-1_i386.deb
Size: 216766
MD5sum: 835eb2eac7ecea1b6496333c4f5531f8
SHA1: b54d51b266ad50dad6ab3b6dec7fdf15776b3acf
SHA256: c2437417c752bbf1005ec1839903cbad3702ba16ff87e9ed2edfdeeaf8745f27

Package: yubikey-server-c
Source: yubikey-server-c (0.5-1)
Version: 0.5-1+b1
Installed-Size: 60
Maintainer: Tollef Fog Heen <tfheen@debian.org>
Architecture: i386
Depends: libc6 (>= 2.1), libgcrypt11 (>= 1.4.5), libmicrohttpd10, libpq5, libyubikey0 (>= 1.5)
Description-en: Yubikey validation server
 Yubikeys are USB tokens that act like keyboards and generate one-time
 passwords.  The tokens are produced and sold by Yubico
 .
 This is a server that checks the validity of those OTP tokens.  There
 are servers written in Java and PHP, while this one is written in C
 .
 It implements the server side of the API as described on
 http://www.yubico.com/developers/api/ and can be used with any client
 that implements the same API.
Description-md5: 0f2e28b0040f34b4aa563451d55ed24d
Tag: implemented-in::c, interface::daemon, network::server, role::program,
 security::authentication
Section: admin
Priority: optional
Filename: pool/main/y/yubikey-server-c/yubikey-server-c_0.5-1+b1_i386.deb
Size: 13714
MD5sum: 02a4e23dc629d39147af7ea737cd7b8d
SHA1: 529363fad2b6e690b2482f1d35d09a62b847d7b5
SHA256: cb9aea36c4a706ea2e7126e022be5e00a293bec72917e2e5f3d00361ccd3d0f5

Package: yubiserver
Version: 0.2-2
Installed-Size: 109
Maintainer: Nanakos Chrysostomos <nanakos@wired-net.gr>
Architecture: i386
Depends: libc6 (>= 2.0), libconfig9, libev4 (>= 1:4.04), libgcrypt11 (>= 1.4.5), libmhash2, libsqlite3-0 (>= 3.5.9)
Description-en: Yubikey OTP and HOTP/OATH Validation Server
 Simple and lightweight Yubikey OTP and HOTP/OATH validation server
 to be used with Yubico's Yubikey USB tokens including a powerful
 administration tool, yubiserver-admin, with which you can manage
 yubiserver's database by adding,deleting,activating and deactivating
 users that validate with OTP or HOTP/OATH tokens.
 .
 Yubiserver implements Yubico's server side API and can be used
 with Yubikey USB tokens and any other client that can implement
 the same API.
Homepage: http://www.include.gr/debian/yubiserver
Description-md5: 25adc2ac9637da3388deb300356914fd
Tag: network::server, role::program, security::authentication
Section: admin
Priority: optional
Filename: pool/main/y/yubiserver/yubiserver_0.2-2_i386.deb
Size: 26240
MD5sum: 9a96490a3ea6ffbb4bedc26babeb7e67
SHA1: f2606a8d17b6f5dc835993a99ea2f0a759abf279
SHA256: 3e65570e4e743f29752db05ccc7a35c8c51e12c59450f955c2617bdf01d222f9

YubiKey (last updated 2015-03-01 23:18:04 by DaisukeMiyakawa)