| # |
| # This module decrypts and validates Yubikey static and dynamic |
| # OTP tokens. |
| # |
| yubikey { |
| # |
| # The length (number of ASCII bytes) of the Public-ID portion |
| # of the OTP string. |
| # |
| # Yubikey defaults to a 6 byte ID (2 * 6 = 12) |
| # id_length = 12 |
| |
| # |
| # If true, the authorize method of rlm_yubikey will attempt to split the |
| # value of User-Password, into the user's password, and the OTP token. |
| # |
| # If enabled and successful, the value of User-Password will be truncated |
| # and request:Yubikey-OTP will be added. |
| # |
| # split = yes |
| |
| # |
| # Decrypt mode - Tokens will be decrypted and processed locally |
| # |
| # The module itself does not provide persistent storage as this |
| # would be duplicative of functionality already in the server. |
| # |
| # Yubikey authentication needs two control attributes |
| # retrieved from persistent storage: |
| # * Yubikey-Key - The AES key used to decrypt the OTP data. |
| # The Yubikey-Public-Id and/or User-Name |
| # attributes may be used to retrieve the key. |
| # * Yubikey-Counter - This is compared with the counter in the OTP |
| # data and used to prevent replay attacks. |
| # This attribute will also be available in |
| # the request list after successful |
| # decryption. |
| # |
| # Yubikey-Counter isn't strictly required, but the server will |
| # generate warnings if it's not present when yubikey.authenticate |
| # is called. |
| # |
| # These attributes are available after authorization: |
| # * Yubikey-Public-ID - The public portion of the OTP string |
| # |
| # These attributes are available after authentication (if successful): |
| # * Yubikey-Private-ID - The encrypted ID included in OTP data, |
| # must be verified if tokens share keys. |
| # * Yubikey-Counter - The last counter value (should be recorded). |
| # * Yubikey-Timestamp - Token's internal clock (mainly useful for debugging). |
| # * Yubikey-Random - Randomly generated value from the token. |
| # |
| decrypt = no |
| |
| # |
| # Validation mode - Tokens will be validated against a Yubicloud server |
| # |
| validate = no |
| |
| # |
| # Settings for validation mode. |
| # |
| validation { |
| # |
| # URL of validation server, multiple URL config items may be used |
| # to list multiple servers. |
| # |
| # - %d is a placeholder for public ID of the token |
| # - %s is a placeholder for the token string itself |
| # |
| # If no URLs are listed, will default to the default URLs in the |
| # ykclient library, which point to the yubico validation servers. |
| servers { |
| # uri = 'http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s' |
| # uri = 'http://api2.yubico.com/wsapi/2.0/verify?id=%d&otp=%s' |
| } |
| |
| # |
| # API Client ID |
| # |
| # Must be set to your client id for the validation server. |
| # |
| # client_id = 00000 |
| |
| # |
| # API Secret key (Base64 encoded) |
| # |
| # Must be set to your API key for the validation server. |
| # |
| # api_key = '000000000000000000000000' |
| |
| # |
| # Connection pool parameters |
| # |
| pool { |
| # Number of connections to start |
| start = 5 |
| |
| # Minimum number of connections to keep open |
| min = 4 |
| |
| # Maximum number of connections |
| # |
| # If these connections are all in use and a new one |
| # is requested, the request will NOT get a connection. |
| max = 10 |
| |
| # Spare connections to be left idle |
| # |
| # NOTE: Idle connections WILL be closed if "idle_timeout" |
| # is set. |
| spare = 3 |
| |
| # Number of uses before the connection is closed |
| # |
| # 0 means "infinite" |
| uses = 0 |
| |
| # The lifetime (in seconds) of the connection |
| lifetime = 0 |
| |
| # idle timeout (in seconds). A connection which is |
| # unused for this length of time will be closed. |
| idle_timeout = 60 |
| |
| # Cycle over all connections in a pool instead of concentrating |
| # connection use on a few connections. |
| spread = yes |
| |
| # NOTE: All configuration settings are enforced. If a |
| # connection is closed because of "idle_timeout", |
| # "uses", or "lifetime", then the total number of |
| # connections MAY fall below "min". When that |
| # happens, it will open a new connection. It will |
| # also log a WARNING message. |
| # |
| # The solution is to either lower the "min" connections, |
| # or increase lifetime/idle_timeout. |
| } |
| } |
| } |