yubico / yubikey-val Goto Github PK

See https://github.com/Yubico/yubikey-val/blob/master/ykval-revoke.php#L72.

This error message currently returns something like

ERROR Could not disable for djccccccccbb (rows )

since the $rows variable is never defined.

vagrant@yubikey:~/yubikey-val$ sudo make install
install -D --mode 644 ykval-verify.php /usr/share/yubikey-val/ykval-verify.php
install -D --mode 644 ykval-common.php /usr/share/yubikey-val/ykval-common.php
install -D --mode 644 ykval-synclib.php /usr/share/yubikey-val/ykval-synclib.php
install -D --mode 644 ykval-sync.php /usr/share/yubikey-val/ykval-sync.php
install -D --mode 644 ykval-resync.php /usr/share/yubikey-val/ykval-resync.php
install -D --mode 644 ykval-db.php /usr/share/yubikey-val/ykval-db.php
install -D --mode 644 ykval-db-pdo.php /usr/share/yubikey-val/ykval-db-pdo.php
install -D --mode 644 ykval-db-oci.php /usr/share/yubikey-val/ykval-db-oci.php
install -D --mode 644 ykval-log.php /usr/share/yubikey-val/ykval-log.php
install -D ykval-queue /usr/sbin/ykval-queue
install -D ykval-synchronize /usr/sbin/ykval-synchronize
install -D ykval-export /usr/sbin/ykval-export
install -D ykval-import /usr/sbin/ykval-import
install -D ykval-gen-clients /usr/sbin/ykval-gen-clients
install -D ykval-export-clients /usr/sbin/ykval-export-clients
install -D ykval-import-clients /usr/sbin/ykval-import-clients
install -D ykval-checksum-clients /usr/sbin/ykval-checksum-clients
install -D ykval-checksum-deactivated /usr/sbin/ykval-checksum-deactivated
install -D ykval-queue.1 /usr/share/man/man1/ykval-queue.1
install -D ykval-synchronize.1 /usr/share/man/man1/ykval-synchronize.1
install -D ykval-import.1 /usr/share/man/man1/ykval-import.1
install -D ykval-export.1 /usr/share/man/man1/ykval-export.1
install -D ykval-gen-clients.1 /usr/share/man/man1/ykval-gen-clients.1
install -D ykval-import-clients.1 /usr/share/man/man1/ykval-import-clients.1
install -D ykval-export-clients.1 /usr/share/man/man1/ykval-export-clients.1
install -D ykval-checksum-clients.1 /usr/share/man/man1/ykval-checksum-clients.1
install -D ykval-checksum-deactivated.1 /usr/share/man/man1/ykval-checksum-deactivated.1
install -D ykval-munin-ksmlatency.php /usr/share/munin/plugins/ykval_ksmlatency
install -D ykval-munin-vallatency.php /usr/share/munin/plugins/ykval_vallatency
install -D ykval-munin-queuelength.php /usr/share/munin/plugins/ykval_queuelength
install -D ykval-munin-responses.pl /usr/share/munin/plugins/ykval_responses
install -D ykval-munin-yubikeystats.php /usr/share/munin/plugins/ykval_yubikeystats
install -D --backup --mode 640 --group www-data ykval-config.php /etc/yubico/val/ykval-config.php
install -D --mode 644 ykval-db.sql /usr/share/doc/yubikey-val/ykval-db.sql
install -D --mode 644 ykval-db.oracle.sql /usr/share/doc/yubikey-val/ykval-db.oracle.sql
install -D --mode 644 doc/ClientInfoFormat.wiki doc/Installation.wiki doc/RevocationService.wiki doc/ServerReplicationProtocol.wiki doc/SyncMonitor.wiki doc/Troubleshooting.wiki /usr/share/doc/yubikey-val/
install: cannot stat `doc/ClientInfoFormat.wiki': No such file or directory
install: cannot stat `doc/Installation.wiki': No such file or directory
install: cannot stat `doc/RevocationService.wiki': No such file or directory
install: cannot stat `doc/ServerReplicationProtocol.wiki': No such file or directory
install: cannot stat `doc/SyncMonitor.wiki': No such file or directory
install: cannot stat `doc/Troubleshooting.wiki': No such file or directory
make: *** [install] Error 1

Quick fix:

change

DOCS=doc/ClientInfoFormat.wiki doc/Installation.wiki                        \

to

DOCS =
#doc/ClientInfoFormat.wiki doc/Installation.wiki                        \
#       doc/RevocationService.wiki doc/ServerReplicationProtocol.wiki   \
#       doc/SyncMonitor.wiki doc/Troubleshooting.wiki

Comment line 101:

#       install -D --mode 644 $(DOCS) $(DESTDIR)$(docprefix)/

It looks like the Wiki pages disappeared from the Repository?

Please use a timing-invariant equality check for checking hmac equality check (https://github.com/Yubico/yubikey-val/blob/master/ykval-verify.php#L229), such as in http://hu1.php.net/manual/en/function.hash-equals.php

Thanks!

It would be nice if the sync daemon could sync over all counters to a new validation server, when setting up a new server.

in commit 382cfc2 the default URL for ykval got a port 8002. This breaks our installation:

we did install before the patch according to the gudie (https://github.com/Yubico/yubix/blob/master/doc/Getting_Started.adoc). After doing upgrade to latest version the response of OTP validation is BAD_OTP. The URL was changed without adopting the apache2 config (it's simply not listening on 8002).
For us that was critical - maybe it could have supported still port 80 and 8002? Or is there a place to get noted of such significant changes maybe which we miss?

Thx in advance for any info about this issue

I think it would be worth to mention in the documentation that one needs to base64decode the API key from Yubico when applying the HMAC-SHA-1 algorithm when generating signatures, and not use the API key in its obtained format.

https://github.com/Yubico/yubikey-val/blob/master/ykval-synclib.php#L94

Is this not a SQL injection vulnerability?

$res = $this->db->customQuery("SELECT id, secret FROM clients WHERE active='1' AND id='" . $client . "'");

I am configuring a total of two validation servers - my concern is:
In the default configuration you need to specify both the localhost and peer validation server in "YKVAL_SYNC_POOL" and set "$baseParams['YKVAL_SYNC_DEFAULT_LEVEL'] = 50" for validation to work when one node has failed. This I can accept.

My concern is that reviewing the log file, the validation server doesn't expect this to happen and reports that the "Sync request unnecessarily sent" and "Local server out of sync" and updates the database 3 times for the one request.

What is the correct way to configure the validation / sync service with only two nodes and allowing for it to work if one node is in-accessible?

Thanks
Cam

Log file below: (keys and values are not sensitive)

May 28 13:04:53 yubikey1 ykval[14616]: LOG_INFO:ykval-verify:[127.0.0.1] Request: id=1&nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe&otp=tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic (at 2015-05-28T13:04:53+10:00 0.04450200 1432782293) HTTP May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:[127.0.0.1] found protocol version 2 May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:synclib:db:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] DB query is: SELECT id, secret FROM clients WHERE active='1' AND id='1' May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] Client data: id=1 secret=debbcd4b169e2b6020d4aa95c9f3cbf3efc84922 May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] YK-KSM adding URL : http://127.0.0.1/wsapi/decrypt?otp=tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic May 28 13:04:53 yubikey1 ykksm[14611]: SUCCESS OTP tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic PT 4fb80b61665c0500180c8c1d4e89354c OK counter=0005 low=0c18 high=8c use=1d 127.0.0.1 - - [28/May/2015:13:04:53 +1000] "GET /wsapi/decrypt?otp=tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic HTTP/1.1" 200 40 May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] YK-KSM curl multi info : msg=1 result=0 handle=Resource id #9 May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] YK-KSM curl multi content : OK counter=0005 low=0c18 high=8c use=1d May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] YK-KSM response matches ^OK May 28 13:04:53 yubikey1 ykval[14616]: LOG_INFO:ykval-verify:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] YK-KSM errno/error: 0/ url=http://127.0.0.1/wsapi/decrypt?otp=tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic content_type=text/html; charset=UTF-8 http_code=200 header_size=192 request_size=130 filetime=-1 ssl_verify_result=0 redirect_count=0 total_time=0.005587 namelookup_time=5.2E-5 connect_time=9.4E-5 pretransfer_time=0.000115 size_upload=0 size_download=40 speed_download=7159 speed_upload=0 download_content_length=40 upload_content_length=0 starttransfer_time=0.00557 redirect_time=0 certinfo= May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] YK-KSM response: OK counter=0005 low=0c18 high=8c use=1d#012 May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] Decrypted OTP: session_counter=5 low=3096 high=140 session_use=29 May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:synclib:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] searching for yk_publicname tfdurdtkubbl in local db May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:synclib:db:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] DB query is: SELECT * FROM yubikeys WHERE yk_publicname = 'tfdurdtkubbl' LIMIT 1 May 28 13:04:53 yubikey1 ykval[14616]: LOG_INFO:ykval-verify:synclib:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] yubikey found in db modified=1432782181 nonce=jsmeyghkwotzkmvjpnwnbwuxycacouxy yk_publicname=tfdurdtkubbl yk_counter=5 yk_use=28 yk_high=140 yk_low=2210 May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] Auth data: modified=1432782181 nonce=jsmeyghkwotzkmvjpnwnbwuxycacouxy active=1 yk_publicname=tfdurdtkubbl yk_counter=5 yk_use=28 yk_high=140 yk_low=2210 May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:synclib:db:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] DB query is: UPDATE yubikeys SET modified='1432782293', yk_counter='5', yk_use='29', yk_low='3096', yk_high='140', nonce='kgmsczgodsqyjhiblgndnhwbwhlbscxe' WHERE yk_publicname = 'tfdurdtkubbl' and (5>yk_counter or (5=yk_counter and 29>yk_use)) May 28 13:04:53 yubikey1 ykval[14616]: LOG_INFO:ykval-verify:synclib:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] updated database modified=1432782293 nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe yk_publicname=tfdurdtkubbl yk_counter=5 yk_use=29 yk_high=140 yk_low=3096 May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:synclib:db:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] DB query is: INSERT INTO queue (queued,modified,otp,server,server_nonce,info) VALUES ('1432782293','1432782293','tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic','http://127.0.0.1/wsapi/2.0/sync','f2b2ccb565fa6e38a25b86d20b8cbde5','yk_publicname=tfdurdtkubbl&yk_counter=5&yk_use=29&yk_high=140&yk_low=3096&nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe,local_counter=5&local_use=28') May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:synclib:db:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] DB query is: INSERT INTO queue (queued,modified,otp,server,server_nonce,info) VALUES ('1432782293','1432782293','tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic','http://10.10.0.179/wsapi/2.0/sync','f2b2ccb565fa6e38a25b86d20b8cbde5','yk_publicname=tfdurdtkubbl&yk_counter=5&yk_use=29&yk_high=140&yk_low=3096&nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe,local_counter=5&local_use=28') May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:synclib:db:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] DB query is: SELECT * FROM queue WHERE modified = '1432782293' and server_nonce = 'f2b2ccb565fa6e38a25b86d20b8cbde5' May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:synclib:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] YK-VAL sync adding URL : http://127.0.0.1/wsapi/2.0/sync?otp=tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic&modified=1432782293&yk_publicname=tfdurdtkubbl&yk_counter=5&yk_use=29&yk_high=140&yk_low=3096&nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:synclib:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] YK-VAL sync adding URL : http://10.10.0.179/wsapi/2.0/sync?otp=tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic&modified=1432782293&yk_publicname=tfdurdtkubbl&yk_counter=5&yk_use=29&yk_high=140&yk_low=3096&nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe May 28 13:04:53 yubikey1 ykval[14614]: LOG_INFO:ykval-sync:[127.0.0.1] Request: otp=tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic&modified=1432782293&yk_publicname=tfdurdtkubbl&yk_counter=5&yk_use=29&yk_high=140&yk_low=3096&nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe May 28 13:04:53 yubikey1 ykval[14614]: LOG_DEBUG:ykval-sync:[127.0.0.1] Received request from 127.0.0.1 May 28 13:04:53 yubikey1 ykval[14614]: LOG_INFO:ykval-sync:[127.0.0.1] Received modified=1432782293 otp=tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe yk_publicname=tfdurdtkubbl yk_counter=5 yk_use=29 yk_high=140 yk_low=3096 May 28 13:04:53 yubikey1 ykval[14614]: LOG_DEBUG:ykval-sync:synclib:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] searching for yk_publicname tfdurdtkubbl in local db May 28 13:04:53 yubikey1 ykval[14614]: LOG_DEBUG:ykval-sync:synclib:db:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] DB query is: SELECT * FROM yubikeys WHERE yk_publicname = 'tfdurdtkubbl' LIMIT 1 May 28 13:04:53 yubikey1 ykval[14614]: LOG_INFO:ykval-sync:synclib:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] yubikey found in db modified=1432782293 nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe yk_publicname=tfdurdtkubbl yk_counter=5 yk_use=29 yk_high=140 yk_low=3096 May 28 13:04:53 yubikey1 ykval[14614]: LOG_DEBUG:ykval-sync:synclib:db:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] DB query is: UPDATE yubikeys SET modified='1432782293', yk_counter='5', yk_use='29', yk_low='3096', yk_high='140', nonce='kgmsczgodsqyjhiblgndnhwbwhlbscxe' WHERE yk_publicname = 'tfdurdtkubbl' and (5>yk_counter or (5=yk_counter and 29>yk_use)) template - - [28/May/2015:13:04:53 +1000] "GET /wsapi/2.0/sync?otp=tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic&modified=1432782293&yk_publicname=tfdurdtkubbl&yk_counter=5&yk_use=29&yk_high=140&yk_low=3096&nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe HTTP/1.1" 200 213 May 28 13:04:53 yubikey1 ykval[14614]: LOG_INFO:ykval-sync:synclib:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] database not updated modified=1432782293 nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe yk_publicname=tfdurdtkubbl yk_counter=5 yk_use=29 yk_high=140 yk_low=3096 May 28 13:04:53 yubikey1 ykval[14614]: LOG_DEBUG:ykval-sync:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] Local params modified=1432782293 nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe active=1 yk_publicname=tfdurdtkubbl yk_counter=5 yk_use=29 yk_high=140 yk_low=3096 May 28 13:04:53 yubikey1 ykval[14614]: LOG_DEBUG:ykval-sync:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] Sync request params modified=1432782293 otp=tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe yk_publicname=tfdurdtkubbl yk_counter=5 yk_use=29 yk_high=140 yk_low=3096 May 28 13:04:53 yubikey1 ykval[14614]: LOG_INFO:ykval-sync:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] Sync request unnecessarily sent May 28 13:04:53 yubikey1 ykval[14614]: LOG_DEBUG:ykval-sync:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] SIGN: modified=1432782293&nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe&status=OK&t=2015-05-28T03:04:53Z0075&yk_counter=5&yk_high=140&yk_low=3096&yk_publicname=tfdurdtkubbl&yk_use=29 H=RGoPlaXx5KmNsWF4uz8X0keCs8Y= May 28 13:04:53 yubikey1 ykval[14614]: LOG_INFO:ykval-sync:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] Response: h=RGoPlaXx5KmNsWF4uz8X0keCs8Y=#015#012t=2015-05-28T03:04:53Z0075#015#012modified=1432782293#015#012nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe#015#012yk_publicname=tfdurdtkubbl#015#012yk_counter=5#015#012yk_use=29#015#012yk_high=140#015#012yk_low=3096#015#012status=OK#015#012#015#012 (at 2015-05-28T03:04:53+00:00 0.07547100 1432782293) May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:synclib:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] YK-VAL sync curl multi info : msg=1 result=0 handle=Resource id #11 May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:synclib:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] YK-VAL sync curl multi content : h=RGoPlaXx5KmNsWF4uz8X0keCs8Y=#015#012t=2015-05-28T03:04:53Z0075#015#012modified=1432782293#015#012nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe#015#012yk_publicname=tfdurdtkubbl#015#012yk_counter=5#015#012yk_use=29#015#012yk_high=140#015#012yk_low=3096#015#012status=OK#015#012#015 May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:synclib:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] YK-VAL sync response matches status=OK May 28 13:04:53 yubikey1 ykval[14616]: LOG_INFO:ykval-verify:synclib:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] YK-VAL sync errno/error: 0/ url=http://127.0.0.1/wsapi/2.0/sync?otp=tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic&modified=1432782293&yk_publicname=tfdurdtkubbl&yk_counter=5&yk_use=29&yk_high=140&yk_low=3096&nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe content_type=text/plain; charset=UTF-8 http_code=200 header_size=194 request_size=264 filetime=-1 ssl_verify_result=0 redirect_count=0 total_time=0.020582 namelookup_time=4.9E-5 connect_time=9.9E-5 pretransfer_time=0.000204 size_upload=0 size_download=213 speed_download=10348 speed_upload=0 download_content_length=213 upload_content_length=0 starttransfer_time=0.020565 redirect_time=0 certinfo= May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:synclib:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] local db contains modified=1432782181 nonce=jsmeyghkwotzkmvjpnwnbwuxycacouxy yk_publicname=tfdurdtkubbl yk_counter=5 yk_use=28 yk_high=140 yk_low=2210 May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:synclib:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] response contains modified=1432782293 nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe yk_publicname=tfdurdtkubbl yk_counter=5 yk_use=29 yk_high=140 yk_low=3096 May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:synclib:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] OTP contains modified=1432782293 nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe yk_publicname=tfdurdtkubbl yk_counter=5 yk_use=29 yk_high=140 yk_low=3096 May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:synclib:db:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] DB query is: UPDATE yubikeys SET modified='1432782293', yk_counter='5', yk_use='29', yk_low='3096', yk_high='140', nonce='kgmsczgodsqyjhiblgndnhwbwhlbscxe' WHERE yk_publicname = 'tfdurdtkubbl' and (5>yk_counter or (5=yk_counter and 29>yk_use)) May 28 13:04:53 yubikey1 ykval[14616]: LOG_INFO:ykval-verify:synclib:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] database not updated modified=1432782293 nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe yk_publicname=tfdurdtkubbl yk_counter=5 yk_use=29 yk_high=140 yk_low=3096 May 28 13:04:53 yubikey1 ykval[14616]: LOG_NOTICE:ykval-verify:synclib:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] Local server out of sync May 28 13:04:53 yubikey1 ykval[14616]: LOG_INFO:ykval-verify:synclib:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] deleting server=http://127.0.0.1/wsapi/2.0/sync modified=1432782293 server_nonce=f2b2ccb565fa6e38a25b86d20b8cbde5 May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:synclib:db:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] DB query is: DELETE FROM queue WHERE modified = '1432782293' and server_nonce = 'f2b2ccb565fa6e38a25b86d20b8cbde5' and server = 'http://127.0.0.1/wsapi/2.0/sync' May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:synclib:db:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] DB query is: UPDATE queue SET queued=NULL WHERE server_nonce = 'f2b2ccb565fa6e38a25b86d20b8cbde5' May 28 13:04:53 yubikey1 ykval[14616]: LOG_INFO:ykval-verify:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] ykval-verify:notice:synclevel=50 nr servers=2 req answers=1 answers=1 valid answers=1 sl success rate=50 timeout=1 May 28 13:04:53 yubikey1 ykval[14616]: LOG_INFO:ykval-verify:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] Timestamp seen=9177250 this=9178136 delta=886 secs=110.75 accessed=1432782181 (2015-05-28 13:03:01) now=1432782293 (2015-05-28 13:04:53) elapsed=112 deviation=1.25 secs or 1% May 28 13:04:53 yubikey1 ykval[14616]: LOG_DEBUG:ykval-verify:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] SIGN: nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe&otp=tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic&sl=50&status=OK&t=2015-05-28T03:04:53Z0078 H=uLDbqjGsMMOT7hzyORLbO+cRUAg= May 28 13:04:53 yubikey1 ykval[14616]: LOG_INFO:ykval-verify:[127.0.0.1] [tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic] Response: h=uLDbqjGsMMOT7hzyORLbO+cRUAg=#015#012t=2015-05-28T03:04:53Z0078#015#012otp=tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic#015#012nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe#015#012sl=50#015#012status=OK#015#012#015#012 (at 2015-05-28T03:04:53+00:00 0.07902000 1432782293) template - - [28/May/2015:13:04:53 +1000] "GET /wsapi/2.0/verify?id=1&nonce=kgmsczgodsqyjhiblgndnhwbwhlbscxe&otp=tfdurdtkubblrggheiedjndlcefheljvetjbgleudvic HTTP/1.1" 200 170

I'm using the Yubikey invalidation script for slack and my colleague pointed out that even though the API server returns 200, the key is not invalidated. It is still able to be used to authenticate into our VPN server.

I've verified for myself that this is not an issue with the script as the documentation shows the same URL and request params.

Steps to repro:

1. Copy the output of:

$ node
> crypto.pseudoRandomBytes(16).toString('hex')

2. Copy an OTP from my yubikey in a text editor
3. Construct a curl request using the docs above:

curl -vvv "https://api.yubico.com/wsapi/2.0/verify?id=$URL_ENCODED_API_KEY&otp=$OTP&nonce=$NONCE"

The response gives a 200 OK with the text value:

h=[HMAC]
t=2019-08-19T16:17:49Z0114
status=MISSING_PARAMETER

I can submit that request multiple times with different nonces and get the same response. Does the /verify API not actually invalidate the OTP?

I just wanted to point out that for a2ensite to work, the apache config files need to have a .conf extension for a2ensite to pick it up:

root@yubikey-val:/var/www# cd /etc/apache2/sites-available/
root@yubikey-val:/etc/apache2/sites-available# mv ykval ykval.conf
root@yubikey-val:/etc/apache2/sites-available# mv ykval-ssl ykval-ssl.conf
root@yubikey-val:/etc/apache2/sites-available# a2ensite ykval
Enabling site ykval.
To activate the new configuration, you need to run:
service apache2 reload

Otherwise, it looks like the documentation is still relevant. Thanks

I've installed yubikey-val 2.24-2 from the Ubuntu PPA.

ykval-queue keeps spewing messages into /var/log/syslog all the time, even when doing nothing - I only have a single server, so it's not queueing to anything.

There should be a log verbosity setting somewhere in /etc. It's okay if it defaults to more verbose, but it should be there and allow the admin to turn it down a few notches if necessary. E.g., on a more "normal" logging level it should not emit a log message if it hasn't done anything.

There is one step not covered in any of the documentation, that I could find, how do I setup a key to use this?

I have a Yubikey NEO that my employer gave me, there is a tiny barcode and a six digit number printed on the back, when I push its button it "types" an eight digit number. What would I need to do to use it with the validator?

I originally opened this issue in the yubico-dotnet-client repo.

I was testing invalid OTPs, and often got an exception saying that the server signature did not match the key.

As @klali helpfully pointed out, this is because, in the server, if the parameters provided are missing or malformed then the response is sent back immediately with a bad status, without having loaded the key first. Hence the whole response is signed with an empty key, and hence the signature is wrong.

https://code.google.com/p/yubikey-val-server-php/wiki/GettingStartedWritingClients suggests that clients check the length of the OTP, but not for ModHex characters in QWERTY or Dvorak format (and the reference clients all prevent the other checks from failing, such as a malformed nonce or missing parameters). But the server does specifically check for the ModHex characters in QWERTY and Dvorak, so there can be a mismatch if I enter in random characters that are part of neither alphabet, since the reference clients (and clients conforming to the suggestions on the wiki) won't catch it.

Would it make sense for the ModHex alphabet check to be done after the key is loaded, since all the other validation failures that can happen before the key is loaded are prevented by checks/implementation of the reference clients? This way all bad otp responses that the client receives will be signed correctly, and there won't be the unexpected bad signature failure (which would suggest some type of MITM or other more serious problem).

It would be nice to monitor how syncing works -- whether two servers are fully in sync or not.

It would be good to have some documentation on how KSM sync should work, there is a section on monitoring the sync - but nothing regarding how to achieve the actually sync?

https://github.com/Yubico/yubikey-ksm/wiki/SyncMonitor

Is there a way? If so, where would it be documented?
Thanks

The end of the Validation Server documentation at https://github.com/Yubico/yubikey-val/wiki/Installation states:

"You now have a YK-VAL up and running. See https://github.com/Yubico/yubikey-ksm/wiki/ServerHardening on how to improve security of your system."

Yet the ServerHardening page is in the KSM wiki. Should there be a separate ServerHardening page in the Validation wiki, to avoid confusion?

The ServerHardening doc in the KSM wiki then states "The database contains sensitive information." - which database? I understand that the KSM database does, but are we to interpret this as meaning that the ykval database for the Validation server also contains sensitive information?

Therefore, does the validation server need to use encrypted volumes too? Or just KSM?

As you can see, the docs are a little vague in what is perhaps the most important area not to be :)

Thank you for any clarification and for open sourcing this software.

Hi,

I'm trying to configure a local KSM and Val server, so that we can authenticate by SSH even if outgoing trafic is busted (routing issues or otherwise).

Now, the PAM module is asking for the password everytime, and when I run locally the HTTP request that ykclient does, I get:

h=qzD+X3hDDm6VJ7yT87TRmqwCKzQ=
t=2018-09-26T14:33:51Z0013
status=BACKEND_ERROR

ykval-queue is running, and no errors in Apache's log. I did enable debugging for the PAM module, and nothing is logged.

What could the culprit?

Trying to follow the instructions at 'GeneratingClients' here: https://github.com/Yubico/yubikey-val/wiki/GeneratingClients

I run: ykval-gen-clients --urandom 11

But there is no output. Instead ykval.log shows:

LOG_DEBUG:ykval-gen-clients:db:DB query is:SELECT id FROM clients ORDER BY id DESC LIMIT 1
LOG_DEBUG:ykval-gen-clients:db:DB query is: INSERT INTO clients (id,active,created,secret,email,notes,otp) VALUES ('1', '1', '1404359826','XXXXXXXXXXXXXXXXXXXXXXXX =','','','')
LOG_INFO:ykval-gen-clients:db:Database query error: Array ( [0] => 42000 [1] => 1142 [2] => INSERT command denied to user 'ykval_verifier'@'localhost' for table 'clients' )
LOG_ERR:ykval-gen-clients:Failed to insert new client with query INSERT INTO clients (id,active,created,secret,email,notes,otp) VALUES ('1', '1', '1404359826’,’XXXXXXXXXXXXXXXXXXXXXXXX=','','','')
Failed to insert new client with query INSERT INTO clients (id,active,created,secret,email,notes,otp) VALUES ('1', '1', '1404359826','XXXXXXXXXXXXXXXXXXXXXXXX =','','','')`

It looks like the instructions should grant INSERT privileges to the 'clients' table, would you agree?

Currently it says:

GRANT SELECT(id, secret, active) ON ykval.clients TO 'ykval_verifier'@'localhost'; \

To make it easier to parse the log files, the validation server
could generate a random nonce and use that in the logging for all
log lines for that request. We tried (but failed) to achieve
this by putting the otp and nonce in the log lines, but they
aren't guaranteed to be unique.

Hi,

I find the logging to /var/log/ykval.log (for the Validation server) and /var/log/auth.log (KSM, per the current out-of-the-box config) extremely verbose, and this might expose more info than desired in logs, even in relatively secured servers.

E.G the KSM appears to log 'plaintext' values post-decryption, not sure how sensitive but it raises alarm bells

Is there any way to configure the verbosity level in the config.php files in /etc/yubico/(val or ksm)/* ? I can't seem to find any sample configuration or documentation that states it's possible (without modifying the PHP directly)

Thanks

Possibly this is achieved by syslog configuration, but we should provide an example

Test web interface more thorougly through travis ci? With mysql/postgresql, different php version, etc.

Hi guys,

I am using freeRADIUS with a local KSM & Validation server for OTP authentication. Though after ruling out Radius

I am sure this is a configuration error, but I have been going around in circles for a week and getting nowhere so I am starting to think its an issue with my local valuation server where as it is not verifying the OTP.

I have a working version running on Ubuntu 12.04 and I am trying a fresh install on Ubuntu 16.04 so I am sure my config is right but could be room for error.

ykclient --debug --url "https://localhost/wsapi/2.0/verify?id=%d&otp=%s" --apikey  9uhj+B7nlkYwXL2NhKSbJ6hxj4= 2 aaaaaaaaaaafijfbvukgvluvvgnirkhcrgjubuebihn

Input:
  validation URL: https://localhost/wsapi/2.0/verify?id=%d&otp=%s
  client id: 2
  token: aaaaaaaaaaafijfbvukgvluvvgnirkhcrgjubuebihn
  api key: m9uhj+B7nlkYwXL2NhKSbJ6hxj4=
Response from: https://localhost/wsapi/2.0/verify?id=2&nonce=pusktrsfbqlgctysakuigxsxktaerzyj&otp=aaaaaaaaaaafijfbvukgvluvvgnirkhcrgjubuebihn&h=%2FAKOLOM6mKRLvJZ2InJlRmv%2Bx%2FM%3D
Verification output (1): Yubikey OTP was bad (BAD_OTP)
  otp: (null)
  nonce: (null)
  t: 2017-12-01T16:59:22Z0699
  timestamp: (null)
  sessioncounter: (null)
  sessionuse: (null)
  sl: (null)
  status: BAD_OTP

My log files shows a similar error:

 LOG_DEBUG:ykval-verify:[::1] [aaaaaaaaaaafijfbvukgvluvvgnirkhcrgjubuebihn] SIGN: stat
us=BAD_OTP&t=2017-12-01T16:59:22Z0699 H=u3SsG2c+9RTaulI5v+pnJcHNDzQ=
LOG_DEBUG:ykval-verify:[::1] [aaaaaaaaaaafijfbvukgvluvvgnirkhcrgjubuebihn] SIGN: stat
us=BAD_OTP&t=2017-12-01T16:59:22Z0699 H=u3SsG2c+9RTaulI5v+pnJcHNDzQ=

Probably not a bug but I'd appreciate any debugging tips.

Thanks in advance

The Dvorak support today is done in a hackish way, and it is not well defined in the protocol how it works. We should clarify the protocol wrt alternative keyboard layouts and implement it, with support for some other keyboard layouts (e.g., Colemak).

Setting allow_url_fopen to false used to be a common security practice, as it prevented include()ing phpfiles (I see this task has been taken over by allow_url_include). So this'll be a common occurence.

SInce there's a dependency on curl already, and using curl gives you more control over the process anyway, I added this to ykval-common.php:

--- ykval-common.php.old    2013-09-25 21:33:32.000000000 +0200
+++ ykval-common.php    2013-10-08 00:51:40.764063673 +0200
@@ -208,8 +208,51 @@
   return $str;
 }

-function retrieveURLsimple ($url, $match="^OK") {
-  foreach (file($url) as $line) {
+function retrieveURLsimple ($url, $logger, $match="^OK") {
+  global $baseParams;
+
+  $result = array();
+  if (!ini_get('allow_url_fopen')) {
+
+    $ch = curl_init();
+
+    curl_setopt($ch, CURLOPT_URL, $url);
+    curl_setopt($ch, CURLOPT_HEADER, 0);
+    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+    curl_setopt($ch, CURLOPT_FAILONERROR, 1);
+    curl_setopt($ch, CURLOPT_TIMEOUT, 5);
+
+    // if https, we really should check the CA for the KSM
+
+    if (substr($url,0,8) == "https://") {
+      if (isset($baseParams['__YKVAL_CAPATH__'])) {
+        // point this to your local selection of acceptable CA certificates,
+        // don't forget to run c_rehash if you're using openssl
+        curl_setopt($ch, CURLOPT_CAPATH, $baseParams['__YKVAL_CAPATH__']);
+      }
+    }
+
+    $result = curl_exec($ch);
+    if (curl_errno($ch)!=0) {
+      $logger->log(LOG_INFO, 'curl failed: '.curl_error($ch));
+      curl_close($ch);
+      return false;
+    }
+
+    curl_close($ch);
+
+    $result = explode("\n",$result);
+
+  } else {
+    $result = file($url);
+  }
+
+  //left here to aid debugging
+  //$logger->log(LOG_DEBUG, log_format("YK-KSM url: ", $url));
+  //$logger->log(LOG_DEBUG, log_format("YK-KSM response: ", $result));
+  //curl_setopt($ch, CURLOPT_VERBOSE, 1);
+
+  foreach ($result as $line) {
     if (preg_match("/".$match."/", $line)) {
       return $line;
     }
@@ -221,17 +264,17 @@
 function KSMdecryptOTP($urls, $logger) {
   $ret = array();
   if (!is_array($urls)) {
-    $response = retrieveURLsimple ($urls);
+    $response = retrieveURLsimple ($urls, $logger);
   } elseif (count($urls) == 1) {
-    $response = retrieveURLsimple ($urls[0]);
+    $response = retrieveURLsimple ($urls[0], $logger);
   } else {
     $response = retrieveURLasync ("YK-KSM", $urls, $logger, $ans_req=1, $match="^OK", $returl=False, $timeout=10);
     if (is_array($response)) {
       $response = $response[0];
     }
   }

Feel free to hack away at this if you don't like the global, for example, of if you feel the old way of doing it should be removed.

There are still some pages (e.g., GettingStartedWritingClients) that do not cover the replicated protocol. We should fix that. While doing that, we should describe the validation algorithm that clients should use.

to generate new clients

The documentation for yubikey-val and yubikey-ksm suggests to create a Logrotate file that contains this postrotate command:

invoke-rc.d rsyslog reload > /dev/null

Debian Wheezy no longer supports 'reload' here. The logrotate cronjob errors out with the following:

/etc/cron.daily/logrotate:
Usage: /etc/init.d/rsyslog {start|stop|rotate|restart|force-reload|status}
invoke-rc.d: initscript rsyslog, action "reload" failed.
error: error running non-shared postrotate script for /var/log/ykval.log of '/var/log/ykval.log '
run-parts: /etc/cron.daily/logrotate exited with return code 1

Suggest to change 'reload' to 'restart' which works fine.

I ran psalm against the repo, and it returns a few undefined constants, which give warnings in newer versions of PHP. This codebase relies on the old-PHP behavior of converting them to strings in a lot of places. Here's a report:

ERROR: UndefinedConstant - ykval-common.php:147:22 - Const LOG_WARN is not defined
        $logger->log(LOG_WARN, $ident . 'curl options must be an array');

ERROR: UndefinedConstant - ykval-common.php:153:26 - Const LOG_WARN is not defined
            $logger->log(LOG_WARN, "$ident failed to set " . curl_opt_name($key));

ERROR: UndefinedConstant - ykval-db.php:71:30 - Const tm_hour is not defined
        return mktime($stamp[tm_hour], $stamp[tm_min], $stamp[tm_sec], $stamp[tm_mon]+1, $stamp[tm_mday], $stamp[tm_year]);


ERROR: UndefinedConstant - ykval-db.php:71:47 - Const tm_min is not defined
        return mktime($stamp[tm_hour], $stamp[tm_min], $stamp[tm_sec], $stamp[tm_mon]+1, $stamp[tm_mday], $stamp[tm_year]);


ERROR: UndefinedConstant - ykval-db.php:71:63 - Const tm_sec is not defined
        return mktime($stamp[tm_hour], $stamp[tm_min], $stamp[tm_sec], $stamp[tm_mon]+1, $stamp[tm_mday], $stamp[tm_year]);


ERROR: UndefinedConstant - ykval-db.php:71:79 - Const tm_mon is not defined
        return mktime($stamp[tm_hour], $stamp[tm_min], $stamp[tm_sec], $stamp[tm_mon]+1, $stamp[tm_mday], $stamp[tm_year]);


ERROR: UndefinedConstant - ykval-db.php:71:97 - Const tm_mday is not defined
        return mktime($stamp[tm_hour], $stamp[tm_min], $stamp[tm_sec], $stamp[tm_mon]+1, $stamp[tm_mday], $stamp[tm_year]);


ERROR: UndefinedConstant - ykval-db.php:71:114 - Const tm_year is not defined
        return mktime($stamp[tm_hour], $stamp[tm_min], $stamp[tm_sec], $stamp[tm_mon]+1, $stamp[tm_mday], $stamp[tm_year]);

Hello,
I have a YubiKey standard, firmware version 2.3.1.
I use yubikey-personalization-gui version 3.1.19, library version 1.16.3 on Archlinux.
I configure my YubiKey with "Yubico OTP" mode (advanced) where I can set a public ID of 0 to 16 bytes (so 0 to 32 modhex characters).
So at max the OTP length goes to 32(static public ID)+32(dynamic OTP)=64 modhex characters.
So why OTP_MAX_LEN is set to 48 ?
Comment say "TOKEN_LEN plus public identity of 0..16" but it's bytes not characters.
Maybe there is something I don't get ?

I have a cluster of validation servers and I would like to enabled/disable individual yubikeys cluster-wide. I found the /revoke endpoint, but that appears to only change the active flag on the local database (it doesn't use the synchonization queue). I would have to hit /revoke on every server in the pool. If a server happened to be offline when that request was made, there doesn't appear to be a way to maintain integrity across the cluster. The normal /sync calls do not include this field.

I also discovered that the /resync command skips synchronizing keys that have the active flag set to false. So if I follow step 10 described here to add a new server to the pool, there will be a data mismatch if I try to verify an inactive yubikey on the new server.

Do you have any recommendations for how I should handle this? It looks like the active/inactive flag is a partially implemented feature that hasn't been thought out for clustered setups. Or maybe I'm just misunderstanding its purpose?

In the past we have had some issues with ykval-queue dying (due to database connection issues). It is believed this is all solved in the current code. However, if this problem happens again, it may be more reliable to have ykval-queue be a short shell script that essentially does:

while sleep $DELAY; do
ykval-queue-internal
done

Then ykval-queue-internal can die on database errors (or any other error) but it will still be invoked later on when the issue may have been resolved.

/Simon

https://github.com/Yubico/yubikey-val/blob/master/ykval-synclib.php#L333

Verifypeer = 0 here disables any protections granted by TLS. The response data can be manipulated by a mitm attacker.

The wiki installation instructions still mention subversion and googlecode.

https://github.com/Yubico/yubikey-val/wiki/Installation

FreeRADIUS, PAM and Yubikeys have been working fine for the past year.
This morning though my users have experienced the following errors when trying to use the OTP.
Nothing has changed on the server that I can see in the logs over the weekend.

debug: pam_yubico.c:1156 (pam_sm_authenticate): ykclient return value (109): Error performing curl
debug: pam_yubico.c:1157 (pam_sm_authenticate): ykclient url used: 
debug: pam_yubico.c:1220 (pam_sm_authenticate): done. [Authentication service cannot retrieve authentication info]
Mon Feb 10 14:41:34 2020 : Debug: pam_pass: function pam_authenticate FAILED for <user.name>. Reason: Authentication service cannot retrieve authentication info
Mon Feb 10 14:41:34 2020 : Info: ++[pam] = reject

This is my versioning - Ubuntu 16.04:

yubikey-val                  2.39-2~ppa1~xenial1 all

I'm a bit lost as to why it would fail. The server logs shows many itterations of:

Feb  9 07:02:18 radius1 ykval[978]: LOG_DEBUG:ykval-queue:synclib:db:DB query is: select distinct server from queue WHERE queued < 1581231728 or queued is null

Apache2 is running and reachable
MYSQL is running and reachable

Any ideas?

Thanks

Considerations are early-termination, what to do with errors from one server only, etc. Each client seems to have a their own algorithm and they aren't consistent between clients.

having issues with ykval-queue processing- specifically, something in ykval-synclib.php is not properly passing yk_publicname, causing a bad (null) entry in the yubikeys table. (the "searching for yk_publicname in local db" line)

debug info:

LOG_DEBUG:ykval-queue:synclib:response contains modified=1461770674 nonce=ihbygicyzcpxrdsattfetzcnocnlvfmg yk_publicname=ccccccddnrki yk_counter=229 yk_use=0 yk_high=21 yk_low=49226
LOG_DEBUG:ykval-queue:synclib:db:DB query is: UPDATE yubikeys SET modified='1461770674', yk_counter='229', yk_use='0', yk_low='49226', yk_high='21', nonce='ihbygicyzcpxrdsattfetzcnocnlvfmg' WHERE yk_publicname = 'ccccccddnrki' and (229>yk_counter or (229=yk_counter and 0>yk_use))
LOG_INFO:ykval-queue:synclib:database not updated modified=1461770674 nonce=ihbygicyzcpxrdsattfetzcnocnlvfmg yk_publicname=ccccccddnrki yk_counter=229 yk_use=0 yk_high=21 yk_low=49226
LOG_DEBUG:ykval-queue:synclib:searching for yk_publicname in local db
LOG_DEBUG:ykval-queue:synclib:db:DB query is: SELECT * FROM yubikeys WHERE yk_publicname is NULL LIMIT 1
LOG_NOTICE:ykval-queue:synclib:Discovered new identity
LOG_DEBUG:ykval-queue:synclib:db:DB query is: INSERT INTO yubikeys (active,created,modified,yk_counter,yk_use,yk_low,yk_high,nonce,notes) VALUES ('1','1461780090','-1','-1','-1','-1','-1','0000000000000000','')
LOG_DEBUG:ykval-queue:synclib:db:DB query is: SELECT * FROM yubikeys WHERE yk_publicname is NULL LIMIT 1
LOG_NOTICE:ykval-queue:synclib:params for yk_publicname not found in database
LOG_DEBUG:ykval-queue:synclib:validation params: modified= nonce= yk_publicname= yk_counter= yk_use= yk_high= yk_low=
LOG_DEBUG:ykval-queue:synclib:OTP params:
LOG_NOTICE:ykval-queue:synclib:Local server out of sync compared to counters at validation request time.
LOG_WARNING:ykval-queue:synclib:Local server out of sync compared to current local counters. Local server updated.
LOG_ERR:ykval-queue:synclib:Remote server has higher counters than OTP. This response would have marked the OTP as invalid.
LOG_DEBUG:ykval-queue:synclib:deleting queue entry with modified= server_nonce= server=
LOG_DEBUG:ykval-queue:synclib:db:DB query is: DELETE FROM queue WHERE modified = '' and server_nonce = '' and server = ''

https://github.com/Yubico/yubikey-val/blob/master/ykval-synclib.php#L47

I'm not sure of implications yet, but this nonce appears to be predictable. If non-predictability is important (as it is for most nonces) suggest change to openssl_random_pseudo_bytes.

It turns out that ykval-gen-clients creates client only in the ykval server on which the command is run.
If you're using multiple synchronized ykval servers, that client needs to be propagated to all the rest of the servers, using ykval-export-clients/ykval-import-clients. If a client is only present on one server, using the API against that client will fail in the situation when the client is configured with multiple URLs.

The documentation does not mention any of this.

Perhaps synchronization of clients can be added to the current server or documentation of ykval-gen-clients updated to reflect the need to manually synchronize the client table.