Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

yhsm-import-keys(1) [debian man page]

yhsm-import-keys(1)					      General Commands Manual					       yhsm-import-keys(1)

NAME

       yhsm-import-keys - import YubiKey secrets to YubiHSM

SYNOPSIS

       yhsm-import-keys --key-handles ...  [options]

DESCRIPTION

       Read YubiKey token data from standard input, and store it in files or in the YubiHSM internal database.

       The default mode is to turn each YubiKey secret into an AEAD (Authenticated Encryption with Associated Data) block that is stored in a file
       on the host computer (one file per YubiKey). This enables validation of virtually unlimited numbers of YubiKey's OTPs.

       If --internal-db is used, the YubiKey secret will be stored inside the YubiHSM, and complete validation (including counter management) will
       be done inside the YubiHSM. The internal database is currently limited to 1024 entrys.

OPTIONS

       -D, --device
	      device file name (default: /dev/ttyACM0)

       -v, --verbose
	      enable verbose operation

       --debug
	      enable debug printout, including all data sent to/from YubiHSM

       --public_id_chars num
	      number of chars to pad public id to (default: 12)

       --key-handles kh
	      key handles to use for decoding OTPs. Examples : "1", "0xabcd"

       --output-dir dir, --aead-dir dir, -O dir
	      base directory for AEADs (default: /var/cache/yubikey-ksm/aeads)

       --internal-db
	      add entrys to YubiHSM internal database, rather than creating AEAD files

INPUT FORMAT

       The format of the input matches the export format of various Yubico tools, notably the PHP based soft KSM <http://code.google.com/p/
       yubikey-ksm/>.

       An example file, with a single entry for id 4711 would be :

	   # ykksm 1
	   123456,ftftftcccc,534543524554,fcacd309a20ce1809c2db257f0e8d6ea,000000000000,,,

       (seqno, public id, private uid, AES key, dunno,,,)

       The #ykksm 1 is a file marker, and has to be on the very first line of input.

BUGS

       Report python-pyhsm/yhsm-import-keys bugs in the issue tracker <https://github.com/Yubico/python-pyhsm/issues/>

SEE ALSO

       The python-yubico home page <https://github.com/Yubico/python-pyhsm/>

       YubiHSMs can be obtained from Yubico <http://www.yubico.com/>.

python-pyhsm							   December 2011					       yhsm-import-keys(1)

Check Out this Related Man Page

yhsm-validation-server(1)				      General Commands Manual					 yhsm-validation-server(1)

NAME

       yhsm-validation-server - Credential validation server utilizing YubiHSM

SYNOPSIS

       yhsm-validation-server [mode]

DESCRIPTION

       This is a validation server using the YubiHSM for cryptographic operations.

       It is primarily built to validate YubiKey OTPs (not stored in the YubiHSM internal database), but it can also validate OATH token codes and
       legacy passwords.

OPTIONS

       -D, --device
	      device file name (default: /dev/ttyACM0)

       -v, --verbose
	      enable verbose operation

       --debug
	      enable debug printout, including all data sent to/from YubiHSM

       --U, --serve-url base
	      base of URL for validation web service (default: /yhsm/validate?)

       --port num
	      port to listen on (default: 8003)

       --addr addr
	      address to bind to (default: 127.0.0.1)

       --hmac-kh kh
	      key handle to use for HMAC-SHA-1. Examples : "1", "0xabcd".

       --hotp-window num
	      number of OATH counter values to try (default: 5)

       --db-file fn
	      db file holding AEADs (see yhsm-init-oath-token(1)) (default: /var/yubico/yhsm-validation-server.db)

       --clients-file fn
	      text file with mode OTP validation  client  shared  secrets  (see  yhsm-init-oath-token(1))  (default:  /var/yubico/yhsm-validation-
	      server.db)

       --pid-file fn
	      write process id of server to this file

MODES

       --otp  Validate YubiKey OTP against entry in the YubiHSM internal database.  Response should be compatible with those of yubikey-val-
	      server-php <http://code.google.com/p/yubikey-val-server-php/>.

       --short-otp
	      Validate YubiKey OTP against entry in the YubiHSM internal database.  Returns a single line with the decrypted information from  the
	      OTP, compatible with yubikey-ksm <http://code.google.com/p/yubikey-ksm/>.

       --hotp Validate codes using the OATH HOTP algorithm, performing the HMAC-SHA-1 inside the YubiHSM.

       --pwhash
	      Validate	that  a  string (a PBKDF2 hash of a password for example) matches the one in an AEAD.  Can be used to protect legacy pass-
	      words within an AEAD only readable to a YubiHSM, but still recoverable if you know the AEAD key (since you put it in the YubiHSM).

CLIENTS FILE

       This file holds HMAC-SHA-1 secrets shared between the validation client and server.

       An example file, with a single entry for id 4711 would be :

	   # hash-style comments and blank lines are ignored
	   4711,grF5BERXEXPPpww1/TBvFg==

	   # end

EXIT STATUS

       0   YubiHSM keystore successfully unlocked

       1   Failed to unlock keystore

       255 Client ID not found in internal database

BUGS

       Report python-pyhsm/yhsm-validation-server bugs in the issue tracker <https://github.com/Yubico/python-pyhsm/issues/>

SEE ALSO

       The python-yubico home page <https://github.com/Yubico/python-pyhsm/>

       YubiHSMs can be obtained from Yubico <http://www.yubico.com/>.

python-pyhsm							   December 2011					 yhsm-validation-server(1)
Man Page