Comments (2)
Here's what I ended up doing in case anybody stumbles across this issue:
I couldn't come up with a robust + secure way to use /revoke. I didn't like that I had to rely on an IP whitelist for access instead of an API key with more fine-grained permission controls. I also ran into some edge-cases trying to implement synchronization due to the simplistic error handling in the /revoke endpoint.
I decided to go in another direction and approached this from the KSM level. I'm already storing my AEAD keys in a MySQL database, which is being replicated across my cluster. So I added an active flag to the AEAD table:

    CREATE TABLE ykksm.aead_table (
        public_id VARCHAR(16) NOT NULL,
        keyhandle INT NOT NULL,
        nonce BLOB(6) NOT NULL,
        aead BLOB(32) NOT NULL,
        active BOOL NOT NULL,
        PRIMARY KEY (public_id, keyhandle)
    );
I added some logic to my KSM servers to check the active flag when they try to load a key handle. If it's false, the KSM will return an ERR Disabled public_id failure. This gets bubbled up in the yubikey-val server as a generic BAD_OTP response.
This allows me to sidestep both of the issues that I outlined in my previous post. I've disabled the /revoke endpoint and from the validation server's perspective, every yubikey is active now. Our administrators can use the same internal tool to provision new yubikeys into our AEAD database, as well as enable/disable yubikeys if they need to be revoked.
from yubikey-val.
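The revocation check described in the comment above, written out as an added example (this is not the commenter's code, nor code from yubikey-val or yubikey-ksm). It uses an in-memory SQLite copy of the same aead_table layout, constructed sample rows with dummy nonce/AEAD bytes, and a hypothetical lookup function standing in for the point where a KSM loads a key handle. The "ERR Disabled <public_id>" string follows the comment; the "ERR Unknown" string and the mapping of any KSM error to BAD_OTP on the validation side are assumptions made for the example. Actual AEAD decryption is out of scope and not simulated.

```python
import sqlite3

# Same columns as the commenter's MySQL table, minus the schema prefix.
# SQLite accepts the MySQL type names but does not enforce the lengths.
SCHEMA = """
CREATE TABLE aead_table (
    public_id VARCHAR(16) NOT NULL,
    keyhandle INT NOT NULL,
    nonce BLOB(6) NOT NULL,
    aead BLOB(32) NOT NULL,
    active BOOL NOT NULL,
    PRIMARY KEY (public_id, keyhandle)
);
"""

# Constructed sample rows: one active key, one revoked (active = 0).
# The nonce/aead bytes are filler, not real YubiKey material.
SAMPLE_ROWS = [
    ("cccccccccccb", 1, b"\x01" * 6, b"\x00" * 32, 1),
    ("ccccccccccdd", 1, b"\x02" * 6, b"\x00" * 32, 0),
]


def open_db():
    """Create the in-memory AEAD table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO aead_table VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_aead(conn, public_id, keyhandle):
    """Hypothetical KSM-side key-handle load.

    Returns ("OK", (nonce, aead)) for an active identity, or ("ERR", reason)
    for an unknown or disabled one.  A disabled identity is refused before
    any AEAD material is handed to the decrypt step, so revocation holds even
    if the validation server believes every YubiKey is active.
    """
    row = conn.execute(
        "SELECT nonce, aead, active FROM aead_table "
        "WHERE public_id = ? AND keyhandle = ?",
        (public_id, keyhandle),
    ).fetchone()
    if row is None:
        return ("ERR", "Unknown public_id")  # wording assumed for this example
    nonce, aead, active = row
    if not active:
        return ("ERR", f"Disabled {public_id}")  # wording from the comment
    return ("OK", (nonce, aead))


def set_active(conn, public_id, active):
    """Administrative enable/disable; returns the number of rows changed."""
    cur = conn.execute(
        "UPDATE aead_table SET active = ? WHERE public_id = ?",
        (1 if active else 0, public_id),
    )
    conn.commit()
    return cur.rowcount


def val_status(ksm_result):
    """Validation-server view: any KSM ERR collapses to a generic BAD_OTP."""
    status, _ = ksm_result
    return "OK" if status == "OK" else "BAD_OTP"


if __name__ == "__main__":
    db = open_db()
    for pid in ("cccccccccccb", "ccccccccccdd", "cccccccccczz"):
        result = lookup_aead(db, pid, 1)
        print(pid, result[0], val_status(result))
    set_active(db, "ccccccccccdd", True)   # re-enable the revoked key
    print("ccccccccccdd", lookup_aead(db, "ccccccccccdd", 1)[0])
```

The point of the design is that the database row, replicated with the rest of the AEAD table, is the single source of truth: the validation layer never learns why a key failed, so a revoked key is indistinguishable from a bad OTP to a client, and re-enabling is a one-column update rather than a /revoke round trip.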
I'd say that your last statement is quite true, active isn't implemented enough to be usable with only this project. Yubico used to run a service for revoking keys in YubiCloud, that had its own queue of revocations in case a server was down.
As the sync protocol looks right now the active flag isn't transmittable over it at all. I guess the easiest way to give something to handle new servers would be to let resync hit the revoke endpoint for inactive identities.