YubikeyHelp

From DcSharedWiki
Revision as of 17:38, 7 June 2009 by Unknown user

This page is about creating your own validation server, to complement the existing documentation.

/!\ Beware: you need to change the key data in your Yubikey to be able to manage your own accounts, and doing so will prevent you from using Yubico's special services (most being available for demonstration purposes, and most being replaceable, like having your own OpenID server; but you can still have a second key if you want to access Yubico's services).

Before we go on, you must understand that this key is not designed to allow subscribing to different providers (as you would by distributing SSH public keys), but to contain full or partial credentials for one account on a particular provider. If you need to access, say, your own machines and your staff corporate machines via SSH and PAM+yubikey, then you must have two keys. As this is symmetric cryptography, both ends need access to the AES key, and I guess you would not share your key between your personal accounts and staff accounts (in the previous example).

Understanding the Key

The Yubikey holds several interesting pieces of data. A few of them can be modified by the user:

  • public name
  • private name
  • management password: a secret used to allow changing the key data
  • AES key: the secret key used to create the OTP

blabla

Creating your own Key

Installing the Personalization Tool

Get the latest tarball from this page: http://code.google.com/p/yubikey-personalization/ (currently http://yubikey-personalization.googlecode.com/files/ykpers-0.92.tar.gz) and uncompress it.

Install the needed build dependencies:

 apt-get install libusb-dev


In the source directory:

 ./configure
 make
 make install

(This will install things in /usr/local, but you can pass parameters to the configure script to install it elsewhere.)

Updating Key Data

# ykpersonalize -ouid=ilichrhvicil -ofixed=hfighehn
Passphrase to create AES key:
Firmware version 1.3.5 Touch level 8880 Program sequence 8
fixed:hfighehn
uid:cccrcccccrcc
key:iefrgfvdhufdgniljcnjirclkbferjbi
acc_code:cccccccccccc
ticket_flags:APPEND_CR
config_flags:
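
The values printed above are modhex strings (the 16-letter alphabet cbdefghijklnrtuv), while a validation server usually wants them as raw bytes or hex. The following is an added example, not part of the original page or of ykpers: it parses output in this layout, decodes the fields, and reports an all-zero acc_code. The helper names are hypothetical, and it assumes acc_code is the field that holds the management password.

```python
# Added example: decode the modhex fields printed by ykpersonalize.
# parse_ykpers_output() and review() are hypothetical helper names.
MODHEX = "cbdefghijklnrtuv"          # modhex digit i stands for hex digit i
HEX = "0123456789abcdef"
TO_HEX = str.maketrans(MODHEX, HEX)
# Expected decoded sizes in bytes (the fixed/public part may be 0..16 bytes).
SIZES = {"uid": 6, "key": 16, "acc_code": 6}

def modhex_to_bytes(text):
    """Decode a modhex string, rejecting characters outside the alphabet."""
    bad = set(text) - set(MODHEX)
    if bad or len(text) % 2:
        raise ValueError(f"not valid modhex: {text!r}")
    return bytes.fromhex(text.translate(TO_HEX))

def parse_ykpers_output(output):
    """Return {field: bytes} for the modhex fields in ykpersonalize output."""
    fields = {}
    for line in output.splitlines():
        name, sep, value = line.partition(":")
        name = name.strip()
        if sep and name in ("fixed", "uid", "key", "acc_code"):
            fields[name] = modhex_to_bytes(value.strip())
    return fields

def review(fields):
    """Return findings to fix before enrolling the key on a server."""
    findings = []
    for name, size in SIZES.items():
        if name in fields and len(fields[name]) != size:
            findings.append(f"{name}: expected {size} bytes, got {len(fields[name])}")
    if len(fields.get("fixed", b"")) > 16:
        findings.append("fixed: longer than 16 bytes")
    if fields.get("acc_code") == bytes(6):
        findings.append("acc_code is all zero: configuration is not write-protected")
    return findings

# Constructed sample: fixed, uid and acc_code as in the session above,
# key replaced by a made-up value.
SAMPLE = """fixed:hfighehn
uid:cccrcccccrcc
key:cbdefghijklnrtuvcbdefghijklnrtuv
acc_code:cccccccccccc
ticket_flags:APPEND_CR
"""
```

The decoded key is what both the Yubikey and the validation server must hold, so store the hex form with the same care as the passphrase it was derived from.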


blabla

The KSM

The Validation Server