Compare commits
9 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 45ce9a1194 | |||
| 7de5e6c478 | |||
| 20802b6666 | |||
|
|
ff350afe5d | ||
|
|
87b717177c | ||
|
|
bcbaa7805e | ||
|
|
4dd1273208 | ||
|
|
d70410bac1 | ||
|
|
45afe245f8 |
1
.env.template
Normal file
1
.env.template
Normal file
@ -0,0 +1 @@
|
|||||||
|
DB_PASSWORD=
|
||||||
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
.env
|
||||||
35
Dockerfile
35
Dockerfile
@ -3,14 +3,18 @@
|
|||||||
#
|
#
|
||||||
# VERSION 0.1
|
# VERSION 0.1
|
||||||
#
|
#
|
||||||
# Prereq : rng-tools - rngd -r /dev/urandom
|
# Prereq : apt-get install rng-tools && rngd -r /dev/urandom
|
||||||
# BUILD : docker build -t <username>/yubiserver
|
# BUILD : docker build -t <username>/yubikey-server:0.1 .
|
||||||
# RUN : docker run -d -p 8000:80 <yourname>/yubiserver
|
# RUN : docker run --name yubikey-server -d -p 8000:80 <yourname>/yubikey-server:0.1
|
||||||
#
|
#
|
||||||
|
|
||||||
FROM ubuntu:14.04
|
FROM ubuntu:14.04
|
||||||
MAINTAINER Maxime VISONNEAU <maxime.visonneau@gmail.com>
|
MAINTAINER Maxime VISONNEAU <maxime.visonneau@gmail.com>
|
||||||
|
|
||||||
|
## Custom variables
|
||||||
|
ENV KEYS_AMOUNT = 0 # Total of keys that will be generated = Amount of Yubikey you want to manage with this KSM
|
||||||
|
ENV DB_PASSWORD = unsecure # Database password
|
||||||
|
|
||||||
# Installation & Configuration
|
# Installation & Configuration
|
||||||
|
|
||||||
RUN DEBIAN_FRONTEND=noninteractive
|
RUN DEBIAN_FRONTEND=noninteractive
|
||||||
@ -27,15 +31,22 @@ RUN echo 'exit 0' > /usr/sbin/policy-rc.d
|
|||||||
RUN apt-get install -y --force-yes yubikey-ksm yubikey-val
|
RUN apt-get install -y --force-yes yubikey-ksm yubikey-val
|
||||||
RUN gpg --no-tty --batch --trust-model always --gen-key /root/gpg.conf
|
RUN gpg --no-tty --batch --trust-model always --gen-key /root/gpg.conf
|
||||||
RUN gpg --no-tty --import default.sec
|
RUN gpg --no-tty --import default.sec
|
||||||
RUN ykksm-gen-keys --urandom 1 10 > /root/keys.txt
|
#COPY generate_keys.sh /root/
|
||||||
RUN gpg --no-tty --trust-model always -a -s --encrypt -r `gpg --no-tty --list-keys | head -n 3 | tail -1 | awk '{print $2}' | cut -d '/' -f2` < /root/keys.txt > /root/encrypted_keys.txt
|
RUN chmod +x /root/generate_keys.sh && /root/generate_keys.sh $KEYS_AMOUNT
|
||||||
RUN /etc/init.d/mysql start && ykksm-import --database 'DBI:mysql:dbname=ykksm;host=127.0.0.1' --db-user ykksmreader --db-passwd unsecured < /root/encrypted_keys.txt
|
|
||||||
RUN /etc/init.d/mysql start && \
|
# RUN ykksm-gen-keys --urandom 1 $KEYS_AMOUNT > /root/keys.txt
|
||||||
echo "######### KEYS ###########" && \
|
# RUN gpg --no-tty --trust-model always -a -s --encrypt -r `gpg --no-tty --list-keys | head -n 3 | tail -1 | awk '{print $2}' | cut -d '/' -f2` < /root/keys.txt > /root/encrypted_keys.txt
|
||||||
cat /root/keys.txt && rm -f /root/keys.txt && \
|
# RUN /etc/init.d/mysql start && ykksm-import < /root/encrypted_keys.txt
|
||||||
echo "######## CLIENT ##########" && \
|
# RUN /etc/init.d/mysql start && \
|
||||||
ykval-export-clients
|
# echo "######### KEYS ###########" && \
|
||||||
|
# echo "---" && \
|
||||||
|
# for i in `grep -v ^# /root/keys.txt`; do echo "key`echo $i | cut -d',' -f1`:"; echo " public_id: `echo $i | cut -d',' -f2`"; echo " private_id: `echo $i | cut -d',' -f3`"; echo " secret_key: `echo $i | cut -d',' -f4`"; done; \
|
||||||
|
# rm -f /root/keys.txt && \
|
||||||
|
# echo "######## CLIENT ##########" && \
|
||||||
|
# echo "---\nclient:" && \
|
||||||
|
# echo " id: `ykval-export-clients | cut -d',' -f1`" && \
|
||||||
|
# echo " key: `ykval-export-clients | cut -d',' -f4`"
|
||||||
|
|
||||||
# Expose and Startup
|
# Expose and Startup
|
||||||
EXPOSE 80
|
EXPOSE 80
|
||||||
CMD ["/usr/bin/supervisord"]
|
ENTRYPOINT ["/usr/bin/supervisord"]
|
||||||
|
|||||||
226
README.md
226
README.md
@ -1,2 +1,228 @@
|
|||||||
# docker-yubikey-validation-server
|
# docker-yubikey-validation-server
|
||||||
Dockerized stack of Yubico yubikey-ksm and yubikey-val
|
Dockerized stack of Yubico yubikey-ksm and yubikey-val
|
||||||
|
|
||||||
|
## Overview
|
||||||
|
|
||||||
|
This repository will help you build a working *Yubico(r) Yubikey Validation Server*. After digging around I did not see much of documentation about this. I don't know why Yubico is not so explicit about the existence of very useful packages onto their repository.
|
||||||
|
|
||||||
|
## Requirements
|
||||||
|
|
||||||
|
- docker
|
||||||
|
|
||||||
|
*Docker* is used in order to avoid the direct installation of all the KSM components onto your system.
|
||||||
|
|
||||||
|
- rng-tools
|
||||||
|
|
||||||
|
*rng-tools* generate entropy onto your machine making it able to automatically generate the gpg keys during the creation of the container.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
- Make sure you have **docker** and **rng-tools** installed and running
|
||||||
|
```bash
|
||||||
|
# Docker -- service docker start
|
||||||
|
pgrep docker
|
||||||
|
8765
|
||||||
|
987
|
||||||
|
|
||||||
|
# rng-tools -- rngd -r /dev/urandom
|
||||||
|
pgrep rngd
|
||||||
|
876
|
||||||
|
```
|
||||||
|
|
||||||
|
- Clone this repository
|
||||||
|
|
||||||
|
```bash
|
||||||
|
git clone https://github.com/mvisonneau/docker-yubikey-validation-server.git
|
||||||
|
```
|
||||||
|
|
||||||
|
- Adjust the **unsecured** fields into the `Dockerfile` and `conf/yubi.seed`
|
||||||
|
|
||||||
|
```bash
|
||||||
|
### Dockerfile
|
||||||
|
ENV DB_PASSWORD = unsecured
|
||||||
|
|
||||||
|
### conf/yubi.seed
|
||||||
|
mysql-server-5.5 mysql-server/root_password_again password unsecured
|
||||||
|
mysql-server-5.5 mysql-server/root_password password unsecured
|
||||||
|
yubikey-ksm yubikey-ksm/mysql/admin-pass password unsecured
|
||||||
|
yubikey-ksm yubikey-ksm/mysql/app-pass password unsecured
|
||||||
|
yubikey-val yubikey-val/mysql/admin-pass password unsecured
|
||||||
|
yubikey-val yubikey-val/mysql/app-pass password unsecured
|
||||||
|
```
|
||||||
|
- Adjust the amount of keys you want to generate into the `Dockerfile`
|
||||||
|
|
||||||
|
```bash
|
||||||
|
### Dockerfile
|
||||||
|
ENV KEYS_AMOUNT = 10
|
||||||
|
```
|
||||||
|
|
||||||
|
- Build the container and run it
|
||||||
|
```bash
|
||||||
|
cd docker-yubikey-validation-server
|
||||||
|
sudo docker build -t <username>/yubikey-server:0.1 .
|
||||||
|
sudo docker run --name yubikey-server -d -p 8000:80 <yourname>/yubikey-server:0.1
|
||||||
|
```
|
||||||
|
|
||||||
|
- Retreive your custom keys and client id, their supposed to be formatted as YAML
|
||||||
|
|
||||||
|
Those datas are very sensitive, you should keep them in at encrypted place where noone can access it.
|
||||||
|
They will be used in order to program your keys.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
######### KEYS ###########
|
||||||
|
---
|
||||||
|
key1:
|
||||||
|
public_id: cccccccccccb
|
||||||
|
private_id: fe9e85768b07
|
||||||
|
secret_key: yu6765f3d1eafa89bee65aeb81b70888
|
||||||
|
key2:
|
||||||
|
public_id: cccccccccccd
|
||||||
|
private_id: 75o98a8907c6
|
||||||
|
secret_key: 767u5434b4060516a833e121d32uy789
|
||||||
|
|
||||||
|
######## CLIENT ##########
|
||||||
|
---
|
||||||
|
client:
|
||||||
|
id: 1
|
||||||
|
key: gh8u5b0UIb989vatK3RwOpoLKJ=
|
||||||
|
```
|
||||||
|
|
||||||
|
- Test it
|
||||||
|
|
||||||
|
Check if the container is up and running :
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo docker ps
|
||||||
|
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
|
||||||
|
6dad717f2853 mvisonneau/yubikey-server:0.1 "/usr/bin/supervisor 2 seconds ago Up 1 seconds 0.0.0.0:8000->80/tcp yubikey-server
|
||||||
|
```
|
||||||
|
|
||||||
|
Check if it does reply on the exported port :
|
||||||
|
```bash
|
||||||
|
sudo curl http://localhost:8000/wsapi/decrypt
|
||||||
|
ERR No OTP provided
|
||||||
|
```
|
||||||
|
|
||||||
|
- Almost there ! Now you just have to program your Yubikeys with the generated values.
|
||||||
|
- You can also shut the rng-tools daemon, it is not required anymore.
|
||||||
|
|
||||||
|
## Use case : 2 STEP Verification (SSH)
|
||||||
|
|
||||||
|
Let's say you wanna build a 2 step verification onto a specific machine that is not supposed to access internet directly or you just don't wanna rely onto the *Yubicloud* service availability. This example is for you !
|
||||||
|
|
||||||
|
### Requirements
|
||||||
|
|
||||||
|
This method is based on the new functionnalities of **OpenSSH 6.2**. It should not work on older versions.
|
||||||
|
|
||||||
|
### Environment
|
||||||
|
|
||||||
|
- Ubuntu 14.04 LTS x64
|
||||||
|
- OpenSSH 6.6
|
||||||
|
- Docker 1.5.0
|
||||||
|
- rng-tools 4.0
|
||||||
|
- libpam-yubico 2.18.1
|
||||||
|
|
||||||
|
### 1- Installation of Docker
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl -sSL https://get.docker.com/ubuntu/ | sudo sh
|
||||||
|
```
|
||||||
|
|
||||||
|
### 2- Installation of rng-tools
|
||||||
|
```bash
|
||||||
|
sudo apt-get install rng-tools
|
||||||
|
```
|
||||||
|
|
||||||
|
### 3- Installation of the libpam-yubico
|
||||||
|
```bash
|
||||||
|
sudo add-apt-repository ppa:yubico/stable
|
||||||
|
sudo apt-get update
|
||||||
|
sudo apt-get install libpam-yubico
|
||||||
|
```
|
||||||
|
|
||||||
|
### 4- Build the container & Configure your Keys
|
||||||
|
|
||||||
|
Please refer to the **Usage** section of this README
|
||||||
|
|
||||||
|
### 5- Run the container
|
||||||
|
|
||||||
|
In this case, we want our container to be automatically started at boot and always up. In order to do so we have to adjust the run command :
|
||||||
|
```bash
|
||||||
|
sudo docker run --name yubikey-server -d -p 8000:80 <yourname>/yubikey-server:0.1
|
||||||
|
```
|
||||||
|
|
||||||
|
### 6- Configure SSH
|
||||||
|
```bash
|
||||||
|
### /etc/ssh/sshd_config
|
||||||
|
ChallengeResponseAuthentication no
|
||||||
|
PubkeyAuthentication no
|
||||||
|
PasswordAuthentication no
|
||||||
|
AuthenticationMethods publickey,password
|
||||||
|
```
|
||||||
|
```bash
|
||||||
|
service ssh restart
|
||||||
|
```
|
||||||
|
|
||||||
|
### 7- Configure PAM
|
||||||
|
|
||||||
|
Create a new file */etc/pam.d/yubi-auth* : Replace {ID} and {KEY} with your *Client Info* you got when you created the container.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
### /etc/pam.d/yubi-auth
|
||||||
|
auth required pam_yubico.so id={ID} key={KEY} authfile=/etc/yubimap urllist=http://localhost:8000/wsapi/2.0/verify debug
|
||||||
|
```
|
||||||
|
|
||||||
|
*NB : For now debug mode is activated. For security reasons after you are done testing your installation you should disable it by removing the `debug` at the end of the line.*
|
||||||
|
|
||||||
|
The debug file also has to be manually created :
|
||||||
|
```bash
|
||||||
|
touch /var/run/pam-debug.log
|
||||||
|
chmod go+w /var/run/pam-debug.log
|
||||||
|
```
|
||||||
|
|
||||||
|
Into the PAM configuration of sshd you should comment the line `@include common-auth` and add the following `@include yubi-auth`
|
||||||
|
|
||||||
|
```bash
|
||||||
|
### /etc/pam.d/sshd
|
||||||
|
#@include common-auth
|
||||||
|
@include yubi-auth
|
||||||
|
```
|
||||||
|
|
||||||
|
### 8- Configure the mapping between users and keys
|
||||||
|
|
||||||
|
Creation of a file called /etc/yubimap with mod 400, replace the {publickey:keyn} with the values of the keys you got :
|
||||||
|
|
||||||
|
```bash
|
||||||
|
### /etc/yubimap
|
||||||
|
user1:{publickey:key1}
|
||||||
|
user2:{publickey:key2}
|
||||||
|
```
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo chmod 400 /etc/yubimap
|
||||||
|
```
|
||||||
|
|
||||||
|
*NB: The library also supports LDAP in order to manage the relationship*
|
||||||
|
|
||||||
|
### 9- Results
|
||||||
|
|
||||||
|
You should now be able to login onto your machine only if you have a correct Yubikey defined with your user. I suggest to keep a terminal open with your current session if you do not have physical access on the machine.
|
||||||
|
|
||||||
|
## Roadmap
|
||||||
|
- Document how to program the Yubikeys
|
||||||
|
- Create a Puppet module doing about the same
|
||||||
|
- Make a Vagrantfile based on Ubuntu 14.04 LTS
|
||||||
|
- Enhancement of keys management
|
||||||
|
- Add the possibility to join an existing key file to add some more keys
|
||||||
|
|
||||||
|
## Contribute
|
||||||
|
|
||||||
|
In order to contribute, you can fork and send PR.
|
||||||
|
|
||||||
|
## License
|
||||||
|
|
||||||
|
Maxime VISONNEAU - @mvisonneau
|
||||||
|
|
||||||
|
This script is licensed under the Apache License, Version 2.0.
|
||||||
|
|
||||||
|
See http://www.apache.org/licenses/LICENSE-2.0.html for the full license text.
|
||||||
12
conf/generate_keys.sh
Executable file
12
conf/generate_keys.sh
Executable file
@ -0,0 +1,12 @@
|
|||||||
|
ykksm-gen-keys --urandom 1 $1 > /root/keys.txt
|
||||||
|
gpg --no-tty --trust-model always -a -s --encrypt -r `gpg --no-tty --list-keys | head -n 3 | tail -1 | awk '{print $2}' | cut -d '/' -f2` < /root/keys.txt > /root/encrypted_keys.txt
|
||||||
|
/etc/init.d/mysql start && ykksm-import < /root/encrypted_keys.txt
|
||||||
|
/etc/init.d/mysql start && \
|
||||||
|
echo "######### KEYS ###########" && \
|
||||||
|
echo "---" && \
|
||||||
|
for i in `grep -v ^# /root/keys.txt`; do echo "key`echo $i | cut -d',' -f1`:"; echo " public_id: `echo $i | cut -d',' -f2`"; echo " private_id: `echo $i | cut -d',' -f3`"; echo " secret_key: `echo $i | cut -d',' -f4`"; done; \
|
||||||
|
rm -f /root/keys.txt && \
|
||||||
|
echo "######## CLIENT ##########" && \
|
||||||
|
echo "---\nclient:" && \
|
||||||
|
echo " id: `ykval-export-clients | cut -d',' -f1`" && \
|
||||||
|
echo " key: `ykval-export-clients | cut -d',' -f4`"
|
||||||
@ -1,16 +1,16 @@
|
|||||||
mysql-server-5.5 mysql-server/root_password_again password unsecured
|
mysql-server-5.5 mysql-server/root_password_again password unsecure
|
||||||
mysql-server-5.5 mysql-server/root_password password unsecured
|
mysql-server-5.5 mysql-server/root_password password unsecure
|
||||||
yubikey-ksm yubikey-ksm/db/dbname string ykksm
|
yubikey-ksm yubikey-ksm/db/dbname string ykksm
|
||||||
yubikey-ksm yubikey-ksm/db/app-user string ykksmreader
|
yubikey-ksm yubikey-ksm/db/app-user string ykksmreader
|
||||||
yubikey-ksm yubikey-ksm/database-type select mysql
|
yubikey-ksm yubikey-ksm/database-type select mysql
|
||||||
yubikey-ksm yubikey-ksm/mysql/admin-pass password unsecured
|
yubikey-ksm yubikey-ksm/mysql/admin-pass password unsecure
|
||||||
yubikey-ksm yubikey-ksm/mysql/app-pass password unsecured
|
yubikey-ksm yubikey-ksm/mysql/app-pass password unsecure
|
||||||
yubikey-ksm yubikey-ksm/mysql/admin-user string root
|
yubikey-ksm yubikey-ksm/mysql/admin-user string root
|
||||||
yubikey-ksm yubikey-ksm/mysql/method select unix socket
|
yubikey-ksm yubikey-ksm/mysql/method select unix socket
|
||||||
yubikey-val yubikey-val/db/dbname string ykval
|
yubikey-val yubikey-val/db/dbname string ykval
|
||||||
yubikey-val yubikey-val/db/app-user string ykval_verifier
|
yubikey-val yubikey-val/db/app-user string ykval_verifier
|
||||||
yubikey-val yubikey-val/mysql/admin-pass password unsecured
|
yubikey-val yubikey-val/mysql/admin-pass password unsecure
|
||||||
yubikey-val yubikey-val/mysql/app-pass password unsecured
|
yubikey-val yubikey-val/mysql/app-pass password unsecure
|
||||||
yubikey-val yubikey-val/mysql/method select unix socket
|
yubikey-val yubikey-val/mysql/method select unix socket
|
||||||
yubikey-val yubikey-val/database-type select mysql
|
yubikey-val yubikey-val/database-type select mysql
|
||||||
yubikey-val yubikey-val/mysql/admin-user string root
|
yubikey-val yubikey-val/mysql/admin-user string root
|
||||||
|
|||||||
13
docker-compose.yml
Normal file
13
docker-compose.yml
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
version: "3.5"
|
||||||
|
services:
|
||||||
|
yubikey-val:
|
||||||
|
container_name: yubikey_val
|
||||||
|
build: .
|
||||||
|
ports:
|
||||||
|
- 8889:80
|
||||||
|
networks:
|
||||||
|
- bitwarden
|
||||||
|
networks:
|
||||||
|
bitwarden:
|
||||||
|
external: true
|
||||||
|
name: bitwarden
|
||||||
Loading…
x
Reference in New Issue
Block a user