NAME

yhsm-validation-server ‐ Credential validation server utilizing YubiHSM

SYNOPSIS

yhsm-validation-server [mode]

DESCRIPTION

This is a validation server using the YubiHSM for cryptographic operations.

It is primarily built to validate YubiKey OTPs (not stored in the YubiHSM internal database), but it can also validate OATH token codes and legacy passwords.

OPTIONS

-D, --device

device file name (default: /dev/ttyACM0)

-v, --verbose

enable verbose operation

--debug

enable debug printout, including all data sent to/from YubiHSM

--U, --serve-url base

base of URL for validation web service (default: /yhsm/validate?)

--port num

port to listen on (default: 8003)

--addr addr

address to bind to (default: 127.0.0.1)

--hmac-kh kh

key handle to use for HMAC‐SHA‐1. Examples : "1", "0xabcd".

--hotp-window num

number of OATH counter values to try (default: 5)

--totp-interval num

interval for TOTP time-step to use in seconds (default: 30)

--totp-tolerance num

number of time-steps on either side of now to allow TOTP codes for (default: 1)

--db-file fn

db file holding AEADs (see yhsm-init-oath-token(1)) (default: /var/yubico/yhsm-validation-server.db)

--clients-file fn

text file with mode OTP validation client shared secrets (see yhsm-init-oath-token(1)) (default: /var/yubico/yhsm-validation-server.db)

--pid-file fn

write process id of server to this file

MODES

--otp

Validate YubiKey OTP against entry in the YubiHSM internal database. Response should be compatible with those of yubikey-val-server-php ⟨URL: http://code.google.com/p/yubikey-val-server-php/ ⟩.

--short-otp

Validate YubiKey OTP against entry in the YubiHSM internal database. Returns a single line with the decrypted information from the OTP, compatible with yubikey-ksm ⟨URL: http://code.google.com/p/yubikey-ksm/ ⟩.

--hotp

Validate codes using the OATH HOTP algorithm, performing the HMAC‐SHA‐1 inside the YubiHSM.

--totp

Validate codes using the OATH TOTP algorithm, performing the HMAC‐SHA‐1 inside the YubiHSM.

--pwhash

Validate that a string (a PBKDF2 hash of a password for example) matches the one in an AEAD. Can be used to protect legacy passwords within an AEAD only readable to a YubiHSM, but still recoverable if you know the AEAD key (since you put it in the YubiHSM).

CLIENTS FILE

This file holds HMAC‐SHA‐1 secrets shared between the validation client and server.

An example file, with a single entry for id 4711 would be :

# hash-style comments and blank lines are ignored
4711,grF5BERXEXPPpww1/TBvFg==
# end

EXIT STATUS

0

YubiHSM keystore successfully unlocked

1

Failed to unlock keystore

255

Client ID not found in internal database

BUGS

Report python-pyhsm/yhsm-validation-server bugs in the issue tracker ⟨URL: https://github.com/Yubico/python-pyhsm/issues/ ⟩

SEE ALSO

The home page ⟨URL: https://developers.yubico.com/python-pyhsm/ ⟩

YubiHSMs can be obtained from Yubico ⟨URL: http://www.yubico.com/ ⟩.