Compare commits

..

9 Commits
0.1 ... master

Author SHA1 Message Date
45ce9a1194 Add .env.template file 2021-05-06 14:35:27 +02:00
7de5e6c478 Add .env 2021-05-06 14:34:36 +02:00
20802b6666 Add docker compose and helper scripts 2021-05-06 14:32:56 +02:00
Maxime VISONNEAU
ff350afe5d Merge pull request #3 from JoelCapitao/master
Fix issue #1 & #2
2016-03-23 10:55:43 -07:00
Joel Capitao
87b717177c Fix issue #1 & #2 2016-03-19 16:26:14 +01:00
Maxime VISONNEAU
bcbaa7805e Documentation 2015-02-20 18:52:08 +01:00
Maxime VISONNEAU
4dd1273208 Comments adjustments 2015-02-19 22:12:41 +01:00
Maxime VISONNEAU
d70410bac1 Refactored output to yaml format 2015-02-18 16:36:23 +00:00
Maxime VISONNEAU
45afe245f8 Upgraded output of generated keys and client info 2015-02-18 16:26:15 +00:00
7 changed files with 282 additions and 18 deletions

1
.env.template Normal file
View File

@ -0,0 +1 @@
DB_PASSWORD=

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.env

View File

@ -3,14 +3,18 @@
# #
# VERSION 0.1 # VERSION 0.1
# #
# Prereq : rng-tools - rngd -r /dev/urandom # Prereq : apt-get install rng-tools && rngd -r /dev/urandom
# BUILD : docker build -t <username>/yubiserver # BUILD : docker build -t <username>/yubikey-server:0.1 .
# RUN : docker run -d -p 8000:80 <yourname>/yubiserver # RUN : docker run --name yubikey-server -d -p 8000:80 <yourname>/yubikey-server:0.1
# #
FROM ubuntu:14.04 FROM ubuntu:14.04
MAINTAINER Maxime VISONNEAU <maxime.visonneau@gmail.com> MAINTAINER Maxime VISONNEAU <maxime.visonneau@gmail.com>
## Custom variables
ENV KEYS_AMOUNT = 0 # Total of keys that will be generated = Amount of Yubikey you want to manage with this KSM
ENV DB_PASSWORD = unsecure # Database password
# Installation & Configuration # Installation & Configuration
RUN DEBIAN_FRONTEND=noninteractive RUN DEBIAN_FRONTEND=noninteractive
@ -27,15 +31,22 @@ RUN echo 'exit 0' > /usr/sbin/policy-rc.d
RUN apt-get install -y --force-yes yubikey-ksm yubikey-val RUN apt-get install -y --force-yes yubikey-ksm yubikey-val
RUN gpg --no-tty --batch --trust-model always --gen-key /root/gpg.conf RUN gpg --no-tty --batch --trust-model always --gen-key /root/gpg.conf
RUN gpg --no-tty --import default.sec RUN gpg --no-tty --import default.sec
RUN ykksm-gen-keys --urandom 1 10 > /root/keys.txt #COPY generate_keys.sh /root/
RUN gpg --no-tty --trust-model always -a -s --encrypt -r `gpg --no-tty --list-keys | head -n 3 | tail -1 | awk '{print $2}' | cut -d '/' -f2` < /root/keys.txt > /root/encrypted_keys.txt RUN chmod +x /root/generate_keys.sh && /root/generate_keys.sh $KEYS_AMOUNT
RUN /etc/init.d/mysql start && ykksm-import --database 'DBI:mysql:dbname=ykksm;host=127.0.0.1' --db-user ykksmreader --db-passwd unsecured < /root/encrypted_keys.txt
RUN /etc/init.d/mysql start && \ # RUN ykksm-gen-keys --urandom 1 $KEYS_AMOUNT > /root/keys.txt
echo "######### KEYS ###########" && \ # RUN gpg --no-tty --trust-model always -a -s --encrypt -r `gpg --no-tty --list-keys | head -n 3 | tail -1 | awk '{print $2}' | cut -d '/' -f2` < /root/keys.txt > /root/encrypted_keys.txt
cat /root/keys.txt && rm -f /root/keys.txt && \ # RUN /etc/init.d/mysql start && ykksm-import < /root/encrypted_keys.txt
echo "######## CLIENT ##########" && \ # RUN /etc/init.d/mysql start && \
ykval-export-clients # echo "######### KEYS ###########" && \
# echo "---" && \
# for i in `grep -v ^# /root/keys.txt`; do echo "key`echo $i | cut -d',' -f1`:"; echo " public_id: `echo $i | cut -d',' -f2`"; echo " private_id: `echo $i | cut -d',' -f3`"; echo " secret_key: `echo $i | cut -d',' -f4`"; done; \
# rm -f /root/keys.txt && \
# echo "######## CLIENT ##########" && \
# echo "---\nclient:" && \
# echo " id: `ykval-export-clients | cut -d',' -f1`" && \
# echo " key: `ykval-export-clients | cut -d',' -f4`"
# Expose and Startup # Expose and Startup
EXPOSE 80 EXPOSE 80
CMD ["/usr/bin/supervisord"] ENTRYPOINT ["/usr/bin/supervisord"]

226
README.md
View File

@ -1,2 +1,228 @@
# docker-yubikey-validation-server # docker-yubikey-validation-server
Dockerized stack of Yubico yubikey-ksm and yubikey-val Dockerized stack of Yubico yubikey-ksm and yubikey-val
## Overview
This repository will help you build a working *Yubico(r) Yubikey Validation Server*. After digging around I did not see much of documentation about this. I don't know why Yubico is not so explicit about the existence of very useful packages onto their repository.
## Requirements
- docker
*Docker* is used in order to avoid the direct installation of all the KSM components onto your system.
- rng-tools
*rng-tools* generate entropy onto your machine making it able to automatically generate the gpg keys during the creation of the container.
## Usage
- Make sure you have **docker** and **rng-tools** installed and running
```bash
# Docker -- service docker start
pgrep docker
8765
987
# rng-tools -- rngd -r /dev/urandom
pgrep rngd
876
```
- Clone this repository
```bash
git clone https://github.com/mvisonneau/docker-yubikey-validation-server.git
```
- Adjust the **unsecured** fields into the `Dockerfile` and `conf/yubi.seed`
```bash
### Dockerfile
ENV DB_PASSWORD = unsecured
### conf/yubi.seed
mysql-server-5.5 mysql-server/root_password_again password unsecured
mysql-server-5.5 mysql-server/root_password password unsecured
yubikey-ksm yubikey-ksm/mysql/admin-pass password unsecured
yubikey-ksm yubikey-ksm/mysql/app-pass password unsecured
yubikey-val yubikey-val/mysql/admin-pass password unsecured
yubikey-val yubikey-val/mysql/app-pass password unsecured
```
- Adjust the amount of keys you want to generate into the `Dockerfile`
```bash
### Dockerfile
ENV KEYS_AMOUNT = 10
```
- Build the container and run it
```bash
cd docker-yubikey-validation-server
sudo docker build -t <username>/yubikey-server:0.1 .
sudo docker run --name yubikey-server -d -p 8000:80 <yourname>/yubikey-server:0.1
```
- Retreive your custom keys and client id, their supposed to be formatted as YAML
Those datas are very sensitive, you should keep them in at encrypted place where noone can access it.
They will be used in order to program your keys.
```yaml
######### KEYS ###########
---
key1:
public_id: cccccccccccb
private_id: fe9e85768b07
secret_key: yu6765f3d1eafa89bee65aeb81b70888
key2:
public_id: cccccccccccd
private_id: 75o98a8907c6
secret_key: 767u5434b4060516a833e121d32uy789
######## CLIENT ##########
---
client:
id: 1
key: gh8u5b0UIb989vatK3RwOpoLKJ=
```
- Test it
Check if the container is up and running :
```bash
sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6dad717f2853 mvisonneau/yubikey-server:0.1 "/usr/bin/supervisor 2 seconds ago Up 1 seconds 0.0.0.0:8000->80/tcp yubikey-server
```
Check if it does reply on the exported port :
```bash
sudo curl http://localhost:8000/wsapi/decrypt
ERR No OTP provided
```
- Almost there ! Now you just have to program your Yubikeys with the generated values.
- You can also shut the rng-tools daemon, it is not required anymore.
## Use case : 2 STEP Verification (SSH)
Let's say you wanna build a 2 step verification onto a specific machine that is not supposed to access internet directly or you just don't wanna rely onto the *Yubicloud* service availability. This example is for you !
### Requirements
This method is based on the new functionnalities of **OpenSSH 6.2**. It should not work on older versions.
### Environment
- Ubuntu 14.04 LTS x64
- OpenSSH 6.6
- Docker 1.5.0
- rng-tools 4.0
- libpam-yubico 2.18.1
### 1- Installation of Docker
```bash
curl -sSL https://get.docker.com/ubuntu/ | sudo sh
```
### 2- Installation of rng-tools
```bash
sudo apt-get install rng-tools
```
### 3- Installation of the libpam-yubico
```bash
sudo add-apt-repository ppa:yubico/stable
sudo apt-get update
sudo apt-get install libpam-yubico
```
### 4- Build the container & Configure your Keys
Please refer to the **Usage** section of this README
### 5- Run the container
In this case, we want our container to be automatically started at boot and always up. In order to do so we have to adjust the run command :
```bash
sudo docker run --name yubikey-server -d -p 8000:80 <yourname>/yubikey-server:0.1
```
### 6- Configure SSH
```bash
### /etc/ssh/sshd_config
ChallengeResponseAuthentication no
PubkeyAuthentication no
PasswordAuthentication no
AuthenticationMethods publickey,password
```
```bash
service ssh restart
```
### 7- Configure PAM
Create a new file */etc/pam.d/yubi-auth* : Replace {ID} and {KEY} with your *Client Info* you got when you created the container.
```bash
### /etc/pam.d/yubi-auth
auth required pam_yubico.so id={ID} key={KEY} authfile=/etc/yubimap urllist=http://localhost:8000/wsapi/2.0/verify debug
```
*NB : For now debug mode is activated. For security reasons after you are done testing your installation you should disable it by removing the `debug` at the end of the line.*
The debug file also has to be manually created :
```bash
touch /var/run/pam-debug.log
chmod go+w /var/run/pam-debug.log
```
Into the PAM configuration of sshd you should comment the line `@include common-auth` and add the following `@include yubi-auth`
```bash
### /etc/pam.d/sshd
#@include common-auth
@include yubi-auth
```
### 8- Configure the mapping between users and keys
Creation of a file called /etc/yubimap with mod 400, replace the {publickey:keyn} with the values of the keys you got :
```bash
### /etc/yubimap
user1:{publickey:key1}
user2:{publickey:key2}
```
```bash
sudo chmod 400 /etc/yubimap
```
*NB: The library also supports LDAP in order to manage the relationship*
### 9- Results
You should now be able to login onto your machine only if you have a correct Yubikey defined with your user. I suggest to keep a terminal open with your current session if you do not have physical access on the machine.
## Roadmap
- Document how to program the Yubikeys
- Create a Puppet module doing about the same
- Make a Vagrantfile based on Ubuntu 14.04 LTS
- Enhancement of keys management
- Add the possibility to join an existing key file to add some more keys
## Contribute
In order to contribute, you can fork and send PR.
## License
Maxime VISONNEAU - @mvisonneau
This script is licensed under the Apache License, Version 2.0.
See http://www.apache.org/licenses/LICENSE-2.0.html for the full license text.

12
conf/generate_keys.sh Executable file
View File

@ -0,0 +1,12 @@
ykksm-gen-keys --urandom 1 $1 > /root/keys.txt
gpg --no-tty --trust-model always -a -s --encrypt -r `gpg --no-tty --list-keys | head -n 3 | tail -1 | awk '{print $2}' | cut -d '/' -f2` < /root/keys.txt > /root/encrypted_keys.txt
/etc/init.d/mysql start && ykksm-import < /root/encrypted_keys.txt
/etc/init.d/mysql start && \
echo "######### KEYS ###########" && \
echo "---" && \
for i in `grep -v ^# /root/keys.txt`; do echo "key`echo $i | cut -d',' -f1`:"; echo " public_id: `echo $i | cut -d',' -f2`"; echo " private_id: `echo $i | cut -d',' -f3`"; echo " secret_key: `echo $i | cut -d',' -f4`"; done; \
rm -f /root/keys.txt && \
echo "######## CLIENT ##########" && \
echo "---\nclient:" && \
echo " id: `ykval-export-clients | cut -d',' -f1`" && \
echo " key: `ykval-export-clients | cut -d',' -f4`"

View File

@ -1,16 +1,16 @@
mysql-server-5.5 mysql-server/root_password_again password unsecured mysql-server-5.5 mysql-server/root_password_again password unsecure
mysql-server-5.5 mysql-server/root_password password unsecured mysql-server-5.5 mysql-server/root_password password unsecure
yubikey-ksm yubikey-ksm/db/dbname string ykksm yubikey-ksm yubikey-ksm/db/dbname string ykksm
yubikey-ksm yubikey-ksm/db/app-user string ykksmreader yubikey-ksm yubikey-ksm/db/app-user string ykksmreader
yubikey-ksm yubikey-ksm/database-type select mysql yubikey-ksm yubikey-ksm/database-type select mysql
yubikey-ksm yubikey-ksm/mysql/admin-pass password unsecured yubikey-ksm yubikey-ksm/mysql/admin-pass password unsecure
yubikey-ksm yubikey-ksm/mysql/app-pass password unsecured yubikey-ksm yubikey-ksm/mysql/app-pass password unsecure
yubikey-ksm yubikey-ksm/mysql/admin-user string root yubikey-ksm yubikey-ksm/mysql/admin-user string root
yubikey-ksm yubikey-ksm/mysql/method select unix socket yubikey-ksm yubikey-ksm/mysql/method select unix socket
yubikey-val yubikey-val/db/dbname string ykval yubikey-val yubikey-val/db/dbname string ykval
yubikey-val yubikey-val/db/app-user string ykval_verifier yubikey-val yubikey-val/db/app-user string ykval_verifier
yubikey-val yubikey-val/mysql/admin-pass password unsecured yubikey-val yubikey-val/mysql/admin-pass password unsecure
yubikey-val yubikey-val/mysql/app-pass password unsecured yubikey-val yubikey-val/mysql/app-pass password unsecure
yubikey-val yubikey-val/mysql/method select unix socket yubikey-val yubikey-val/mysql/method select unix socket
yubikey-val yubikey-val/database-type select mysql yubikey-val yubikey-val/database-type select mysql
yubikey-val yubikey-val/mysql/admin-user string root yubikey-val yubikey-val/mysql/admin-user string root

13
docker-compose.yml Normal file
View File

@ -0,0 +1,13 @@
version: "3.5"
services:
yubikey-val:
container_name: yubikey_val
build: .
ports:
- 8889:80
networks:
- bitwarden
networks:
bitwarden:
external: true
name: bitwarden