xenial (1) yhsm-validation-server.1.gz

Provided by: yhsm-validation-server_1.0.4l-1_all

NAME

       yhsm-validation-server ‐ Credential validation server utilizing YubiHSM

SYNOPSIS

       yhsm-validation-server [mode]

DESCRIPTION

       This is a validation server using the YubiHSM for cryptographic operations.

       It  is primarily built to validate YubiKey OTPs (not stored in the YubiHSM internal database), but it can
       also validate OATH token codes and legacy passwords.

OPTIONS

       -D, --device
              device file name (default: /dev/ttyACM0)

       -v, --verbose
              enable verbose operation

       --debug
              enable debug printout, including all data sent to/from YubiHSM

       -U, --serve-url base
              base of URL for validation web service (default: /yhsm/validate?)

       --port num
              port to listen on (default: 8003)

       --addr addr
              address to bind to (default: 127.0.0.1)

       --hmac-kh kh
              key handle to use for HMAC‐SHA‐1. Examples: "1", "0xabcd".

       --hotp-window num
              number of OATH counter values to try (default: 5)

       --db-file fn
              db file holding AEADs (see yhsm-init-oath-token(1)) (default: /var/yubico/yhsm-validation-server.db)

       --clients-file fn
              text file holding the shared secrets of OTP-mode validation clients (see yhsm-init-oath-token(1))
              (default: /var/yubico/yhsm-validation-server.db)

       --pid-file fn
              write process id of server to this file

MODES

       --otp  Validate YubiKey OTP against entry in the YubiHSM internal database.  Responses should be
              compatible with those of yubikey-val-server-php ⟨http://code.google.com/p/yubikey-val-server-php/⟩.

       --short-otp
              Validate YubiKey OTP against entry in the YubiHSM internal database.  Returns a single line with
              the decrypted information from the OTP, compatible with yubikey-ksm ⟨http://code.google.com/p/yubikey-ksm/⟩.

       --hotp Validate codes using the OATH HOTP algorithm, performing the HMAC‐SHA‐1 inside the YubiHSM.

       --pwhash
              Validate that a string (a PBKDF2 hash of a password, for example) matches the one in an AEAD.  Can
              be used to protect legacy passwords within an AEAD only readable by a YubiHSM, but still
              recoverable if you know the AEAD key (since you put it in the YubiHSM).
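       The --hotp mode and the --hotp-window option describe HOTP validation with a counter look-ahead window.
       The following is an added example, not code from this man page or from the python-pyhsm project: it
       implements RFC 4226 HOTP and a window check of the kind --hotp-window configures. The HMAC‐SHA‐1 is
       computed in software here (the real server does it inside the YubiHSM via the --hmac-kh key handle),
       the function names are the example's own, and the secret is the RFC 4226 test-vector key.

```python
# Added example, not part of the yhsm-validation-server man page or python-pyhsm.
# HOTP (RFC 4226) with a look-ahead window, mirroring the --hotp / --hotp-window
# behaviour described above.  HMAC-SHA-1 runs in software here; the real server
# performs it inside the YubiHSM using the --hmac-kh key handle.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, then dynamic
    truncation to `digits` decimal digits (zero-padded)."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def validate_hotp(secret: bytes, stored_counter: int, code: str, window: int = 5):
    """Try `window` counter values starting at the stored counter (the default
    window of 5 matches --hotp-window's default).

    Returns the counter to store next (one past the matching value) so the
    same code cannot be accepted twice, or None if no counter in the window
    produces `code`.  Counters below `stored_counter` are never tried, which is
    what makes a previously accepted code a replay."""
    for c in range(stored_counter, stored_counter + window):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


# RFC 4226 Appendix D test-vector secret (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    counter = 0
    for code in ("755224", "338314", "338314", "254676"):
        nxt = validate_hotp(RFC4226_SECRET, counter, code)
        print(f"counter={counter} code={code} -> {'OK, next=' + str(nxt) if nxt else 'REJECT'}")
        if nxt is not None:
            counter = nxt
```

       The demo run shows the three outcomes a validator has to distinguish: a code inside the window is
       accepted and advances the counter past it, the same code presented again is rejected as a replay, and a
       code that is further ahead than the window allows is rejected until the stored counter catches up.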

CLIENTS FILE

       This file holds HMAC‐SHA‐1 secrets shared between the validation client and server.

       An example file, with a single entry for id 4711, would be:

           # hash-style comments and blank lines are ignored
           4711,grF5BERXEXPPpww1/TBvFg==

           # end
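       As an added example (not code from this man page or from the python-pyhsm project), the following
       parses a clients file in the format shown above and uses a client's HMAC‐SHA‐1 secret to sign and verify
       a validation response. The signing convention it uses (parameters sorted by name, joined as k=v with &,
       HMAC‐SHA‐1 keyed with the base64-decoded secret, tag base64-encoded into an "h" parameter) is the one of
       the yubikey-val-server-php validation protocol that the --otp mode is described as compatible with; the
       man page itself does not spell it out, so treat that as an assumption. The function names, the embedded
       file text and the response values are the example's own.

```python
# Added example, not part of the yhsm-validation-server man page or python-pyhsm.
# Parses a CLIENTS FILE (id,base64-secret per line; '#' comments and blank lines
# ignored) and signs/verifies a validation response with the client's secret.
# Signing convention assumed: yubikey-val-server-php style, h = base64(HMAC-SHA1(
# secret, "k1=v1&k2=v2&..." over the remaining parameters sorted by name)).
import base64
import hashlib
import hmac

# Constructed sample with the same single entry the man page shows.
CLIENTS_FILE_TEXT = """\
# hash-style comments and blank lines are ignored
4711,grF5BERXEXPPpww1/TBvFg==

# end
"""


def parse_clients_file(text: str) -> dict:
    """Return {client_id: raw_secret_bytes}.  Malformed lines raise rather than
    being silently skipped, so a broken secret cannot become an accept-all."""
    clients = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        client_id, sep, b64 = (part.strip() for part in line.partition(","))
        if not sep or not client_id.isdigit() or not b64:
            raise ValueError(f"clients file line {lineno}: expected 'id,base64secret'")
        secret = base64.b64decode(b64, validate=True)
        if not secret:
            raise ValueError(f"clients file line {lineno}: empty secret")
        clients[int(client_id)] = secret
    return clients


def sign(params: dict, secret: bytes) -> str:
    """Compute the 'h' value over every parameter except 'h' itself."""
    items = sorted((k, v) for k, v in params.items() if k != "h")
    msg = "&".join(f"{k}={v}" for k, v in items).encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha1).digest()).decode()


def verify(params: dict, clients: dict) -> bool:
    """True only if the id is a known client and 'h' matches under its secret."""
    try:
        secret = clients[int(params["id"])]
    except (KeyError, ValueError):
        return False          # unknown or malformed client id: reject
    return hmac.compare_digest(sign(params, secret), params.get("h", ""))


if __name__ == "__main__":
    clients = parse_clients_file(CLIENTS_FILE_TEXT)
    # Constructed response; the otp value is a placeholder, not a real YubiKey OTP.
    response = {"id": "4711", "nonce": "0123456789abcdef", "otp": "cccccccccccc" + "c" * 32,
                "status": "OK", "t": "2016-01-01T00:00:00Z0000"}
    response["h"] = sign(response, clients[4711])
    print("signed response:", response)
    print("verifies:", verify(response, clients))
    tampered = dict(response, status="BAD_OTP")
    print("tampered verifies:", verify(tampered, clients))
```

       Because the HMAC covers every parameter, changing the status (or the OTP, nonce or timestamp) after
       signing invalidates "h", and a response that names a client id absent from the file fails closed.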

EXIT STATUS

       0   YubiHSM keystore successfully unlocked

       1   Failed to unlock keystore

       255 Client ID not found in internal database

BUGS

       Report python-pyhsm/yhsm-validation-server bugs in the issue tracker ⟨https://github.com/Yubico/python-pyhsm/issues/⟩

SEE ALSO

       The home page ⟨https://developers.yubico.com/python-pyhsm/⟩

       YubiHSMs can be obtained from Yubico ⟨http://www.yubico.com/⟩.