/etc/freeradius/3.0/mods-available/yubikey is in freeradius-config 3.0.16+dfsg-1ubuntu3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
# This module decrypts and validates Yubikey static and dynamic
# OTP tokens.
#
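yubikey {
	#
	# The length (number of ASCII characters) of the Public-ID portion
	# of the OTP string.
	#
	# A YubiKey public ID is 6 bytes and each byte is encoded as two
	# ASCII characters, hence the default of 12.  Only change this if
	# your tokens were programmed with a non-default public ID length.
	#
	# id_length = 12

	#
	# If true, the authorize method of rlm_yubikey will try to split
	# the value of User-Password into the user's password and the OTP
	# token.
	#
	# If enabled and successful, &request:User-Password is truncated to
	# the password part and &request:Yubikey-OTP is added.
	#
	# NOTE: this module only checks the OTP.  The password that remains
	# in User-Password after the split still has to be verified by
	# another module (pap, ldap, ...); splitting alone is not 2FA.
	#
	# split = yes

	#
	# Decrypt mode - tokens are decrypted and processed locally.
	#
	# The module itself provides no persistent storage, as that would
	# duplicate functionality already in the server (sql, files, ...).
	#
	# Decrypt mode needs two attributes retrieved from persistent
	# storage before yubikey.authenticate is called:
	#
	#  * &control:Yubikey-Key     - The AES key used to decrypt the OTP
	#                               data.  The Yubikey-Public-Id and/or
	#                               User-Name attributes may be used to
	#                               look the key up.
	#
	#                               SECURITY: anyone who can read this
	#                               key can forge OTPs for that token.
	#                               Protect the backing store (SQL table,
	#                               users file, ...) at least as carefully
	#                               as a password database.
	#
	#  * &control:Yubikey-Counter - Compared with the counter in the OTP
	#                               data to reject replayed OTPs.  After a
	#                               successful decryption the new value is
	#                               available in the request list and has
	#                               to be written back to persistent
	#                               storage, otherwise the same OTP will
	#                               be accepted again.
	#
	# Yubikey-Counter isn't strictly required, but the server will log
	# a warning if it's absent when yubikey.authenticate is called, and
	# without it decrypt mode has no replay protection at all.
	#
	# These attributes are available after authorization:
	#
	#  * &request:Yubikey-Public-ID - The public portion of the OTP string.
	#
	# and additionally, if 'split' is set:
	#
	#  * &request:Yubikey-OTP       - The OTP portion of User-Password.
	#
	# These attributes are available after authentication (if successful):
	#
	#  * &request:Yubikey-Private-ID - The encrypted ID included in the OTP
	#                                  data.  If several tokens share one
	#                                  AES key, an OTP from any of them
	#                                  decrypts successfully, so this value
	#                                  MUST be compared against the one
	#                                  stored for the Public-ID.
	#  * &request:Yubikey-Counter    - The last counter value (record it,
	#                                  see above).
	#  * &request:Yubikey-Timestamp  - Token's internal clock (mainly useful
	#                                  for debugging).
	#  * &request:Yubikey-Random     - Randomly generated value from the
	#                                  token.
	#
	decrypt = no

	#
	# Validation mode - tokens are validated against a YubiCloud (or
	# other compatible) validation server via the ykclient library.
	#
	# The validation server is then an availability dependency of every
	# authentication that uses this module.
	#
	validate = no

	#
	# Settings for validation mode.
	#
	validation {
		#
		# URL(s) of the validation server.  Multiple 'uri' items may
		# be listed to use multiple servers.
		#
		#  - %d is a placeholder for the public ID of the token
		#  - %s is a placeholder for the token string itself
		#
		# The client id and the OTP itself are passed in the query
		# string, so use https:// URIs: a plain http:// URI sends
		# them in cleartext to anyone on the path.
		#
		# If no URLs are listed, the defaults built into the ykclient
		# library are used, which point at Yubico's validation
		# servers.  Check what your ykclient version ships with if
		# you rely on those defaults.
		#
		servers {
		#	uri = 'https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
		#	uri = 'https://api2.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
		}

		#
		# API Client ID
		#
		# Must be set to your client id for the validation server.
		#
		# client_id = 00000

		#
		# API Secret key (Base64 encoded)
		#
		# Must be set to your API key for the validation server.
		#
		# This is a shared secret.  Once it is set here, make sure the
		# file is not world-readable (the packaged file is installed
		# with mode 0644) and keep it out of version control.
		#
		# api_key = '000000000000000000000000'

		#
		# Connection pool parameters
		#
		pool {
			# Connections to create during module instantiation.
			# If the server cannot create the specified number of
			# connections during instantiation it will exit.
			# Set to 0 to allow the server to start without the
			# validation server being reachable.
			start = ${thread[pool].start_servers}

			# Minimum number of connections to keep open
			min = ${thread[pool].min_spare_servers}

			# Maximum number of connections
			#
			# If these connections are all in use and a new one
			# is requested, the request will NOT get a connection.
			#
			# Setting 'max' to LESS than the number of threads
			# means that some threads may starve, and you will see
			# errors like 'No connections available and at max
			# connection limit'.
			#
			# Setting 'max' to MORE than the number of threads
			# means that there are more connections than necessary.
			max = ${thread[pool].max_servers}

			# Number of uses before the connection is closed
			#
			# NOTE: A setting of 0 means infinite (no limit).
			uses = 0

			# The number of seconds to wait after the server tries
			# to open a connection and fails.  During this time no
			# new connections will be opened.
			retry_delay = 30

			# The lifetime (in seconds) of the connection
			#
			# NOTE: A setting of 0 means infinite (no limit).
			lifetime = 0

			# The idle timeout (in seconds).  A connection which is
			# unused for this length of time will be closed.
			#
			# NOTE: A setting of 0 means infinite (no timeout).
			idle_timeout = 60

			# Cycle over all connections in the pool instead of
			# concentrating connection use on a few connections.
			spread = yes

			# NOTE: All configuration settings are enforced.  If a
			# connection is closed because of "idle_timeout",
			# "uses" or "lifetime", the total number of connections
			# MAY fall below "min".  When that happens a new
			# connection is opened and a WARNING is logged.
			#
			# The solution is to either lower the "min" connections,
			# or increase lifetime/idle_timeout.
		}
	}
}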