yubiserver
is a simple and lightweight Yubikey OTP and HOTP/OATH validation server to be used with Yubico's Yubikey USB tokens including a powerful administration tool, yubiserver-admin, with which you can manage yubiserver's database by adding,deleting,activating and deactivating users that validate with OTP or HOTP/OATH tokens.
Index
Download
The yubiserver
tarball. Install by issuing 'configure && make install'
.
Packages are known to be available for Debian via their respective Package Management Systems.
Synopsis
yubiserver [Options]
Options
- --version, -V
- Print version information.
- --help, -h
- Print this help screen.
- --database, -d
-
Use this SQLite3 database file.
- --port , -p
-
Port to bind the server. Default port is 8000.
- --logfile, -l
-
Use this as logfile. Default is '/var/log/yubiserver.log'.
yubiserver-admin [[-b FILE]] [table] [Options] [[attributes]]
Options
- --version, -V
- Print version information.
- --help, -h
- Print this help screen.
- --database, -b
- Use this SQLite3 database file.
- --yubikey, -y
- Choose Yubikey Token table.
- --oath, -o
- Choose OATH Token table.
- --api, -p
- Choose API Key table.
- --add N [P S [A]], -a N [P S [A]]
- Add Yubikey OTP & HOTP/OATH token or API Key 'N' user
where N is the username, P the Public Token ID,
S the Secret ID and A the AES Key
N must be 16 characters max,P must be 12 characters
for Yubikey OTP and 12 characters max for HOTP/OATH
S must be 12 characters for Yubikey OTP and 40 for HOTP/OATH
and AES key must be 32 characters
Adding a user to API keys requires a username
and a API Key 20 characters long
- --delete N, -x N
- Delete Yubikey OTP, HOTP/OATH token or API Key 'N' user.
- --enable N, -e N
- Enable Yubikey OTP, HOTP/OATH token or API Key 'N' user.
- --disable N, -d N
- Disable Yubikey OTP, HOTP/OATH token or API Key 'N' user.
- --list, -l
- List Yubikey OTP, HOTP/OATH token or API Key 'N' user.
ChangeLog
yubiserver (0.6-3.1) unstable; urgency=low * Non-maintainer upload. * B-d on libgcrypt20-dev instead of (dummy transition package) libgcrypt11-dev. Closes: #864141 -- Andreas MetzlerSat, 27 Oct 2018 11:43:28 +0200 yubiserver (0.6-3) unstable; urgency=high * Upgrade automake. * Fix FTBFS (Closes: Bug#794706). -- Chrysostomos Nanakos Sat, 15 Aug 2015 12:36:01 +0300 yubiserver (0.6-2) unstable; urgency=high * Fix upgrade failure from 'stretch'. Thanks to Andreas Beckmann for the bug report (Closes: Bug#790646). -- Chrysostomos Nanakos Wed, 01 Jul 2015 11:06:14 +0300 yubiserver (0.6-1) unstable; urgency=high * Fix CVE vulnerabilities: CVE-2015-0842 yubiserver: SQL injection issues (potential auth bypass) CVE-2015-0843 yubiserver: Buffer overflows due to misuse of sprintf * Code cleanup and refactoring. -- Chrysostomos Nanakos Mon, 29 Jun 2015 11:42:55 +0300 yubiserver (0.5-3) unstable; urgency=medium * Handle -l switch correctly. Thanks to Clemens Lang for the bug report (Closes: Bug#781552). * Remove unowned directory after purge. Thanks to Andreas Beckmann for the bug report (Closes: Bug#770535). -- Chrysostomos Nanakos Fri, 26 Jun 2015 14:49:21 +0300 yubiserver (0.5-2) unstable; urgency=medium * Fix debian/yubiserver.postint chown/chmod errors. After renaming yubiserver.sqlite db file to yubiserver.sqlite.init and removing the installation of the db file to /var/lib/yubiserver directory until the first initialization, chmod and chown failed due to the missing db file. -- Nanakos Chrysostomos Fri, 24 Oct 2014 09:58:31 +0300 yubiserver (0.5-1) unstable; urgency=medium * Refactor code and various cleanups. * Rename yubiserver.sqlite db file to yubiserver.sqlite.init and make a copy under /etc/yubiserver directory. For the first time yubiserver starts, check if yubiserver.sqlite db file exists under the predefined directory, if not then copy it. That way we exclude the database file when generating md5sums file for the package. (Closes: Bug#760715) * Update debian/watch file to use signed upstream tarballs. -- Nanakos Chrysostomos Fri, 03 Oct 2014 14:11:37 +0300 yubiserver (0.4-4) unstable; urgency=low * Fix buffer overruns. (Closes: Bug#721754) * Initialize libgcrypt after fork()'ing yubiserver. Avoid "Oops, secure memory pool already initialized" libgcrypt messages every time aes128ecb_decrypt() function is called. -- Nanakos Chrysostomos Sun, 23 Feb 2014 19:58:07 +0200 yubiserver (0.4-3) unstable; urgency=low * Fixed debian/yubiserver.postrm and added debian/yubiserver.preinst to avoid fail while upgrading from 'testing'. Thanks to Andreas Beckmann for the bug filling. (Closes: Bug#718735) -- Nanakos Chrysostomos Mon, 05 Aug 2013 12:43:03 +0300 yubiserver (0.4-2) unstable; urgency=low * Fixed debian/yubiserver.postrm ignore any errors from deluser. Thanks to Andreas Beckmann for the bug filling and Kamal Mostafa for the immediate re-upload of the package. (Closes: Bug#718602) -- Nanakos Chrysostomos Sat, 03 Aug 2013 21:25:26 +0300 yubiserver (0.4-1) unstable; urgency=low * Bumped S-V version to 3.9.4 * Clean lintian Errors and Warnings * Added compile,depcomp,install-sh,missing and removed old symlinks. Thanks to Lucas Nussbaum for pointing this out. (Closes: Bug#713230) * Updated debian/yubiserver.postinst - Moved mkdir's to yubiserver.dirs. - Replaced whole directory chown's to unique entries concerning each directory and file used by yubiserver. * Updated debian/yubiserver.postrm - Split purge operation to handle the removal of yubiserver user and clean /var/log/yubiserver and /var/run/yubiserver dir's. - Removal of package only affects the deletion of /var/rub/yubiserver directory. * Updated debian/init - Init script creates /var/run/yubiserver directory if it doesn't exist according to Debian Policy 9.1.4 and 9.3.2. * Fixed Makefile.am to compile cleanly after gcc's more restrictive rules about explicity library ordering. Thanks to Kamal Mostafa for the related patch. -- Nanakos Chrysostomos Fri, 26 Jul 2013 20:33:39 +0300 yubiserver (0.3-1) unstable; urgency=low * Saved debian/copyright file to UTF-8 encoding * Update debian/rules - Changed field --with-default-sqlite3-db-file - Changed field --with-default-yubiserver-log-file - Added dh_installdirs and dh_install helpers along with their counterpart files, yubiserver.dirs and yubiserver.postinst * Added new file for handling package removal, yubiserver.postrm * With changes above now the database file yubiserver.sqlite installs in the appropriate location /var/lib/yubiserver (Closes: Bug#690837) Thanks to Apollon Oikonomopoulos for pointing this out. * yubiserver now drops privileges and runs as the new added user 'yubiserver'. With changes above a new system user/group 'yubiserver' is created and the appropriate permissions to the database and the yubiserver-admin binary are set. The database file is group-writable by this group, allowing the local administrator to grant yubiserver-admin access to regular users. Thanks to Apollon Oikonomopoulos for pointing this out. (Closes: Bug#690840) -- Nanakos Chrysostomos Sun, 21 Oct 2012 15:00:39 +0300 yubiserver (0.2-3) unstable; urgency=low * Fixing array bounds errors. -- Nanakos Chrysostomos Tue, 21 Aug 2012 20:25:54 +0300 yubiserver (0.2-2) unstable; urgency=low * Fixed buffer overruns. * Fixed FTBFS bug in debian/rules file. (Closes: Bug#666357) Thanks to Lucas Nussbaum and Anibal Monsalve Salazar for their help and for pointing this out. -- Nanakos Chrysostomos Sat, 21 Apr 2012 12:39:30 +0300 yubiserver (0.2-1) unstable; urgency=low * Fixed bug in yubiserver-admin concerning the failed selection of the non-default SQLite3 database file. * yubiserver now uses for connection management the high performance event loop library libev. * Fixed ISO Date field when producing the HMAC output string. * Fixed typographic mistakes; OAUTH was OATH for yubiserver's case. * Fixed SQLite3 memory leaks. * Removed pre-filled identity from the database. Thanks to Gian Piero Carruba for resolving this security issue. -- Nanakos Chrysostomos Mon, 30 Jan 2012 18:00:08 +0200 yubiserver (0.1-1) unstable; urgency=low * Initial release (Closes: Bug#647101) -- Nanakos Chrysostomos Wed, 28 Sep 2011 15:44:24 +0300