I'm trying to set up a self-hosted validation server or yubikey-val and yubikey-ksm; both servers are
separated. I have followed the steps in this URL https://developers.yubico.com/yubikey-v ... ation.html ,
as well as https://developers.yubico.com/yubikey-ksm/ . I have also installed ykclient on a separate server
to test, verify and decrypt my servers.

I have generated the client keys and put them in MySQL on the yubikey-val server, in the ykval database.

When I try to test using the ykclient and verify or
ykclient --url "" --apikey my_apikey= 2 my_otpkey --debug
Verification output (1): Yubikey OTP was bad (BAD_OTP)

My questions are:
1. I'm trying to search the net for any documentation about this self-hosted server, with separate servers for ykval and ykksm. If there is any, can you point me to that URL?
2. There is a setting in yubikey-val ykval-config.php

Do I need to change this to the IP address of my ykksm server?
3. Is there any other config I need to edit for this self-hosted separated validation server and ykksm server
to work?

Thank you in advance.

Still troubleshooting the problem; to add to the troubleshooting:

When I run this command on the ykksm server to test
wget -O - 'http://localhost/wsapi/decrypt?otp=mykeyfkgknthctdkdkrleficdrlhvlbjlgter'

Error in /var/log/apache2/ykksm-error.log:
[Tue Sep 19 02:53:15.328215 2017] [:error] [pid 1465] [client] PHP Fatal error: Call to undefined function mcrypt_module_open() in /usr/share/yubikey-ksm/ykksm-utils.php on line 48

I have php5-mcrypt installed.

Thank you in advance.


Searching the net to fix the mcrypt error:
PHP Fatal error: Call to undefined function mcrypt_module_open() in /usr/share/yubikey-ksm/ykksm-utils.php on line 48

I have enabled php5-mcrypt by editing /etc/php5/apache2/php.ini and adding the line extension=mcrypt.so, then restarting apache2.

Then I tested the ykksm server again via

curl 'http://localhost/wsapi/decrypt?otp=myyubicootpjtgtbtirtuhfchrhulentjbdhglulhdn' -v

Then I got this response:
ERR Corrupt OTP
which, according to the ykksm docs, is the correct response, and the logs are
Sep 19 23:24:48 auth-ksm ykksm[3533]: UID error: myyubicootpjtgtbtirtuhfchrhulentjbdhglulhdn f56e9c3d8737839e9b850b7394bb50d9: f56e9c3d8737 vs d3f0fc27cd93

What I need to do now is troubleshoot the ykval server. When I run
wget -q -O - 'http://localhost/wsapi/2.0/verify?id=1&nonce=asdmalksdmlkasmdlkasmdlakmsdaasklmdlak&otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'

I should get status=NO_SUCH_CLIENT, but I'm getting status=BAD_OTP. I have already generated some clients in the database.

Thanks in advance


Just a question: if I want to host a self-hosted validation server, do I really need to personalize my YubiKey, or use the ykpersonalize tool? I tested my YubiKey using Dropbox, and the YubiKey works fine. Also, I tried the pam.d login;
my YubiKey using api.yubico.com to validate or verify also works fine. I'm trying to configure a self-hosted validation server and I'm getting this error.

Sep 19 23:24:48 auth-ksm ykksm[3533]: UID error: myyubicootpjtgtbtirtuhfchrhulentjbdhglulhdn f56e9c3d8737839e9b850b7394bb50d9: f56e9c3d8737 vs d3f0fc27cd93

The only step I did not do is to personalize the YubiKey.
Again, my question is: do I have to personalize my YubiKey in order for my ykksm to work?

Thank you in advance


After installing a personalization tool in Windows, I personalized my slot 2, then input it in the ykksm database. I was able to test via wget on the localhost. I also tested the connection via ykclient and I get a SUCCESS OTP.

Then I configured a VE container, set up pam.d and ssh for two-step authentication, and tested logging in via ssh, and I was able to log in. The ykksm server also logs this:

Sep 26 00:36:02 auth-ksm ykksm[2090]: SUCCESS OTP myyubikeykeys PT myrandomlogs OK counter=0001 low=d301 high=b8 use=0b

If I get free time, I will write a doc on the steps I took to make this self-hosted validation server, and will share it here.
Thank you
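
An added example, not part of the original posts and not Yubico's code: a reading of the "UID error" line quoted in the thread, assuming the 32-hex value is the AES-decrypted OTP block and the last 12-hex value is the private ID stored in the ykksm database. It splits the block using the standard Yubico OTP layout (6-byte private ID, counter, timestamp, session use, random, CRC); the function names and the well-formed block are constructed for illustration. A UID mismatch means the AES key or private ID stored for that public ID is not the one programmed into the key's slot.

```python
import re

# Constructed sample: the "UID error" syslog line quoted in the thread above.
LOG_LINE = ("Sep 19 23:24:48 auth-ksm ykksm[3533]: UID error: "
            "myyubicootpjtgtbtirtuhfchrhulentjbdhglulhdn "
            "f56e9c3d8737839e9b850b7394bb50d9: f56e9c3d8737 vs d3f0fc27cd93")

def crc16(data: bytes) -> int:
    """Yubico OTP checksum: CRC-16, reflected polynomial 0x8408, init 0xffff."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc

def check_block(block_hex: str, stored_uid_hex: str) -> dict:
    """Split a decrypted 16-byte OTP block into fields and run both checks."""
    raw = bytes.fromhex(block_hex)
    if len(raw) != 16:
        raise ValueError("decrypted OTP block must be exactly 16 bytes")
    return {
        "uid": raw[0:6].hex(),                             # private identity
        "uid_ok": raw[0:6].hex() == stored_uid_hex.lower(),
        "crc_ok": crc16(raw) == 0xF0B8,                    # residue of a valid block
        "counter": int.from_bytes(raw[6:8], "little"),     # usage counter
        "low": int.from_bytes(raw[8:10], "little"),        # timestamp, low 16 bits
        "high": raw[10],                                   # timestamp, high 8 bits
        "use": raw[11],                                    # session use counter
    }

def parse_uid_error(line: str) -> dict:
    """Pull the decrypted block and the stored UID out of a UID error line."""
    m = re.search(r"UID error: \S+ ([0-9a-f]{32}): [0-9a-f]{12} vs ([0-9a-f]{12})", line)
    if m is None:
        raise ValueError("not a ykksm UID error line")
    return check_block(m.group(1), m.group(2))

def make_block(uid_hex: str, counter: int, low: int, high: int, use: int) -> str:
    """Build a well-formed block (constructed data, fixed 'random' bytes)."""
    body = (bytes.fromhex(uid_hex) + counter.to_bytes(2, "little")
            + low.to_bytes(2, "little") + bytes([high, use]) + b"\x12\x34")
    return (body + (crc16(body) ^ 0xFFFF).to_bytes(2, "little")).hex()

if __name__ == "__main__":
    print(parse_uid_error(LOG_LINE))   # UID differs from the stored one
    print(check_block(make_block("d3f0fc27cd93", 1, 0xD301, 0xB8, 0x0B), "d3f0fc27cd93"))
```

The counter, low, high and use values passed to make_block mirror the fields in the SUCCESS line from the last post; the private ID paired with them is constructed.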
