| Chetan Gaonker | 7f4bf74 | 2016-05-04 15:56:08 -0700 | [diff] [blame] | 1 | # |
| 2 | # This module decrypts and validates Yubikey static and dynamic |
| 3 | # OTP tokens. |
| 4 | # |
| 5 | yubikey { |
| 6 | # |
| 7 | # The length (number of ASCII bytes) of the Public-ID portion |
| 8 | # of the OTP string. |
| 9 | # |
| 10 | # Yubikey defaults to a 6 byte ID (2 * 6 = 12) |
| 11 | # id_length = 12 |
| 12 | |
| 13 | # |
| 14 | # If true, the authorize method of rlm_yubikey will attempt to split the |
| 15 | # value of User-Password, into the user's password, and the OTP token. |
| 16 | # |
| 17 | # If enabled and successful, the value of User-Password will be truncated |
| 18 | # and request:Yubikey-OTP will be added. |
| 19 | # |
| 20 | # split = yes |
| 21 | |
| 22 | # |
| 23 | # Decrypt mode - Tokens will be decrypted and processed locally |
| 24 | # |
| 25 | # The module itself does not provide persistent storage as this |
| 26 | # would be duplicative of functionality already in the server. |
| 27 | # |
| 28 | # Yubikey authentication needs two control attributes |
| 29 | # retrieved from persistent storage: |
| 30 | # * Yubikey-Key - The AES key used to decrypt the OTP data. |
| 31 | # The Yubikey-Public-Id and/or User-Name |
| 32 | # attributes may be used to retrieve the key. |
| 33 | # * Yubikey-Counter - This is compared with the counter in the OTP |
| 34 | # data and used to prevent replay attacks. |
| 35 | # This attribute will also be available in |
| 36 | # the request list after successful |
| 37 | # decryption. |
| 38 | # |
| 39 | # Yubikey-Counter isn't strictly required, but the server will |
| 40 | # generate warnings if it's not present when yubikey.authenticate |
| 41 | # is called. |
| 42 | # |
| 43 | # These attributes are available after authorization: |
| 44 | # * Yubikey-Public-ID - The public portion of the OTP string |
| 45 | # |
| 46 | # These attributes are available after authentication (if successful): |
| 47 | # * Yubikey-Private-ID - The encrypted ID included in OTP data, |
| 48 | # must be verified if tokens share keys. |
| 49 | # * Yubikey-Counter - The last counter value (should be recorded). |
| 50 | # * Yubikey-Timestamp - Token's internal clock (mainly useful for debugging). |
| 51 | # * Yubikey-Random - Randomly generated value from the token. |
| 52 | # |
| 53 | decrypt = no |
| 54 | |
| 55 | # |
| 56 | # Validation mode - Tokens will be validated against a Yubicloud server |
| 57 | # |
| 58 | validate = no |
| 59 | |
| 60 | # |
| 61 | # Settings for validation mode. |
| 62 | # |
| 63 | validation { |
| 64 | # |
| 65 | # URL of validation server, multiple URL config items may be used |
| 66 | # to list multiple servers. |
| 67 | # |
| 68 | # - %d is a placeholder for public ID of the token |
| 69 | # - %s is a placeholder for the token string itself |
| 70 | # |
| 71 | # If no URLs are listed, will default to the default URLs in the |
| 72 | # ykclient library, which point to the yubico validation servers. |
| 73 | servers { |
| 74 | # uri = 'http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s' |
| 75 | # uri = 'http://api2.yubico.com/wsapi/2.0/verify?id=%d&otp=%s' |
| 76 | } |
| 77 | |
| 78 | # |
| 79 | # API Client ID |
| 80 | # |
| 81 | # Must be set to your client id for the validation server. |
| 82 | # |
| 83 | # client_id = 00000 |
| 84 | |
| 85 | # |
| 86 | # API Secret key (Base64 encoded) |
| 87 | # |
| 88 | # Must be set to your API key for the validation server. |
| 89 | # |
| 90 | # api_key = '000000000000000000000000' |
| 91 | |
| 92 | # |
| 93 | # Connection pool parameters |
| 94 | # |
| 95 | pool { |
| 96 | # Number of connections to start |
| 97 | start = 5 |
| 98 | |
| 99 | # Minimum number of connections to keep open |
| 100 | min = 4 |
| 101 | |
| 102 | # Maximum number of connections |
| 103 | # |
| 104 | # If these connections are all in use and a new one |
| 105 | # is requested, the request will NOT get a connection. |
| 106 | max = 10 |
| 107 | |
| 108 | # Spare connections to be left idle |
| 109 | # |
| 110 | # NOTE: Idle connections WILL be closed if "idle_timeout" |
| 111 | # is set. |
| 112 | spare = 3 |
| 113 | |
| 114 | # Number of uses before the connection is closed |
| 115 | # |
| 116 | # 0 means "infinite" |
| 117 | uses = 0 |
| 118 | |
| 119 | # The lifetime (in seconds) of the connection |
| 120 | lifetime = 0 |
| 121 | |
| 122 | # idle timeout (in seconds). A connection which is |
| 123 | # unused for this length of time will be closed. |
| 124 | idle_timeout = 60 |
| 125 | |
| 126 | # Cycle over all connections in a pool instead of concentrating |
| 127 | # connection use on a few connections. |
| 128 | spread = yes |
| 129 | |
| 130 | # NOTE: All configuration settings are enforced. If a |
| 131 | # connection is closed because of "idle_timeout", |
| 132 | # "uses", or "lifetime", then the total number of |
| 133 | # connections MAY fall below "min". When that |
| 134 | # happens, it will open a new connection. It will |
| 135 | # also log a WARNING message. |
| 136 | # |
| 137 | # The solution is to either lower the "min" connections, |
| 138 | # or increase lifetime/idle_timeout. |
| 139 | } |
| 140 | } |
| 141 | } |