diff options
Diffstat (limited to '')
-rw-r--r-- | raddb/mods-available/yubikey | 158 |
1 files changed, 158 insertions, 0 deletions
diff --git a/raddb/mods-available/yubikey b/raddb/mods-available/yubikey new file mode 100644 index 0000000..9ba61ef --- /dev/null +++ b/raddb/mods-available/yubikey @@ -0,0 +1,158 @@ +# +# This module decrypts and validates Yubikey static and dynamic +# OTP tokens. +# +yubikey { + # + # The length (number of ASCII bytes) of the Public-ID portion + # of the OTP string. + # + # Yubikey defaults to a 6 byte ID (2 * 6 = 12) +# id_length = 12 + + # + # If true, the authorize method of rlm_yubikey will attempt to split the + # value of User-Password, into the user's password, and the OTP token. + # + # If enabled and successful, the value of &request:User-Password will be + # truncated and &request:Yubikey-OTP will be added. + # +# split = yes + + # + # Decrypt mode - Tokens will be decrypted and processed locally + # + # The module itself does not provide persistent storage as this + # would be duplicative of functionality already in the server. + # + # Yubikey authentication needs two attributes retrieved from + # persistent storage: + # * &control:Yubikey-Key - The AES key used to decrypt the OTP data. + # The Yubikey-Public-Id and/or User-Name + # attributes may be used to retrieve the key. + # * &control:Yubikey-Counter - This is compared with the counter in the OTP + # data and used to prevent replay attacks. + # This attribute will also be available in + # the request list after successful + # decryption. + # + # Yubikey-Counter isn't strictly required, but the server will + # generate warnings if it's not present when yubikey.authenticate + # is called. + # + # These attributes are available after authorization: + # * &request:Yubikey-Public-ID - The public portion of the OTP string. + # and additionally if 'split' is set: + # * &request:Yubikey-OTP - The OTP portion of User-Password. + # + # These attributes are available after authentication (if successful): + # * &request:Yubikey-Private-ID - The encrypted ID included in OTP data, + # must be verified if tokens share keys. + # * &request:Yubikey-Counter - The last counter value (should be recorded). + # * &request:Yubikey-Timestamp - Token's internal clock (mainly useful for + # debugging). + # * &request:Yubikey-Random - Randomly generated value from the token. + # + decrypt = no + + # + # Validation mode - Tokens will be validated against a Yubicloud server + # + validate = no + + # + # Settings for validation mode. + # + validation { + # + # URL of validation server, multiple URL config items may be used + # to list multiple servers. + # + # - %d is a placeholder for public ID of the token + # - %s is a placeholder for the token string itself + # + # If no URLs are listed, will default to the default URLs in the + # ykclient library, which point to the yubico validation servers. + servers { +# uri = 'https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s' +# uri = 'https://api2.yubico.com/wsapi/2.0/verify?id=%d&otp=%s' + } + + # + # API Client ID + # + # Must be set to your client id for the validation server. + # +# client_id = 00000 + + # + # API Secret key (Base64 encoded) + # + # Must be set to your API key for the validation server. + # +# api_key = '000000000000000000000000' + + # + # Connection pool parameters + # + pool { + # Connections to create during module instantiation. + # If the server cannot create specified number of + # connections during instantiation it will exit. + # Set to 0 to allow the server to start without the + # yubikey server being available. + start = ${thread[pool].start_servers} + + # Minimum number of connections to keep open + min = ${thread[pool].min_spare_servers} + + # Maximum number of connections + # + # If these connections are all in use and a new one + # is requested, the request will NOT get a connection. + # + # Setting 'max' to LESS than the number of threads means + # that some threads may starve, and you will see errors + # like 'No connections available and at max connection limit' + # + # Setting 'max' to MORE than the number of threads means + # that there are more connections than necessary. + max = ${thread[pool].max_servers} + + # Number of uses before the connection is closed + # + # NOTE: A setting of 0 means infinite (no limit). + uses = 0 + + # The number of seconds to wait after the server tries + # to open a connection, and fails. During this time, + # no new connections will be opened. + retry_delay = 30 + + # The lifetime (in seconds) of the connection + # + # NOTE: A setting of 0 means infinite (no limit). + lifetime = 0 + + # The idle timeout (in seconds). A connection which is + # unused for this length of time will be closed. + # + # NOTE: A setting of 0 means infinite (no timeout). + idle_timeout = 60 + + # Cycle over all connections in a pool instead of concentrating + # connection use on a few connections. + spread = yes + + # NOTE: All configuration settings are enforced. If a + # connection is closed because of "idle_timeout", + # "uses", or "lifetime", then the total number of + # connections MAY fall below "min". When that + # happens, it will open a new connection. It will + # also log a WARNING message. + # + # The solution is to either lower the "min" connections, + # or increase lifetime/idle_timeout. + } + } +} |