From: Tollef Fog Heen Date: Sun, 16 Oct 2011 18:25:24 +0000 (+0200) Subject: Write a bit of documentation X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;p=yubikey-server-c Write a bit of documentation --- diff --git a/README b/README index c3750c0..a68fcfc 100644 --- a/README +++ b/README 
@@ -17,4 +17,58 @@ group=yubikeyd dbdef=dbname=yubikey port=5433 port=8000 +Getting started +=============== +yubikey-server-c stores raw bytes in some of the tables rather than a +Base64 or hex encoded representation. PostgreSQL has (at least) two +ways to insert this kind of data: + +- Use decode('encoded_string_goes_here', 'encoding') + +- Use quoted byte strings: E'\\000\\000\\000\\000\\000\\000'. The + numbers are octal + +To authenticate an OTP the Yubikey needs to exist in the database and +the client asking yubikey-server-c must be allowed access. Each +client (typically each service) that authenticates needs its own +shared secret. To set this up, do + + INSERT INTO shared_secret (secret, active) VALUES + (decode('MQ6fOy1t/add/wisbu2O+LpPiMs=', 'base64'), 't'); + +The base64 string in the middle is the base64 encoded version of the +secret as we store the raw bytes in the database. Depending on the +client, it might accept a base64 encoded version or it might want hex +or something else (in its configuration file). + +For each yubikey, you need to insert a row into the yubikey table +like: + +INSERT INTO yubikey + (active, public_id, secret_uid, secret_key, session_counter, session_use) + VALUES + ('t', 'tfheen', E'\\000\\000\\000\\000\\000\\000', + decode('baef43c254e9d2217912e80ed71a7b4a', 'hex'), + 0, 0); + +The public id is the fixed part of the yubikey OTP. It is generally +not the user name. It is what you set using the -o fixed=ffffffff option +to ykpersonalize. It is between 0 and 16 charcters long. + +The secret uid is set using the -o uid=uuuuuu to ykpersonalize. It is +always six bytes (or 12 modhex characters). + +The secret key is either randomly generated by ykpersonalize based on +a passphrase or it can be set using the -a option. + +The session counter and session use generally start at 0 so they don't +need to be changed. 
+ +After this has been inserted, you should be able to authenticate using +ykclient like: + +ykclient --url http://localhost:7443/verify?id=%%d&otp=%%s \ + --apikey $shared_secret \ + $id_of_client \ + $otp
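Review bot: the ykclient example at the end of the hunk points at http://localhost:7443/verify while the config context at the top of the same hunk shows port=8000, so either the sample URL or the config excerpt is wrong; state which port yubikey-server-c listens on and use the same value in both places. In that same command the --url argument is unquoted, so the shell will treat the `&` in `?id=%%d&otp=%%s` as a background operator; quote the argument, and check whether the template should read `%d`/`%s` rather than `%%d`/`%%s`. The shared_secret INSERT also never shows how the caller learns $id_of_client; adding `RETURNING id` to the INSERT (or a follow-up SELECT) would close that gap, and it is worth saying that the secret must be freshly generated random bytes rather than the literal value in the example, which readers tend to copy verbatim. Smaller points: "charcters" is a typo, and the fixed part is 0 to 16 bytes (up to 32 modhex characters) rather than "0 and 16 characters"; and starting session_counter/session_use at 0 for a key that has already been used means OTPs generated before the row was inserted stay valid until the stored counters catch up, so a sentence recommending the values from the key's current OTP for previously used keys would help.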