# This module decrypts and validates Yubikey static and dynamic

# The length (number of ascii bytes) of the Public-ID portion

# Yubikey defaults to a 6 byte ID (2 * 6 = 12)

# Decrypt mode - Tokens will be decrypted and processed locally
#
# The module itself does not provide persistent storage as this
# would be duplicative of functionality already in the server.
#
# Yubikey authentication needs two control attributes
# retrieved from persistent storage:
# * Yubikey-Key - The AES key used to decrypt the OTP data.
#   The Yubikey-Public-ID and/or User-Name
#   attributes may be used to retrieve the key.
# * Yubikey-Counter - This is compared with the counter in the OTP
#   data and used to prevent replay attacks.
#   This attribute will also be available in
#   the request list after successful

# Yubikey-Counter isn't strictly required, but the server will
# generate warnings if it's not present when yubikey.authenticate

# These attributes are available after authorization:
# * Yubikey-Public-ID - The public portion of the OTP string

# These attributes are available after authentication (if successful):
# * Yubikey-Private-ID - The encrypted ID included in the OTP data;
#   it must be verified if tokens share keys.
# * Yubikey-Counter - The last counter value (should be recorded).
# * Yubikey-Timestamp - Token's internal clock (mainly useful for debugging).
# * Yubikey-Random - Randomly generated value from the token.
# Validation mode - Tokens will be validated against a Yubicloud server

# Settings for validation mode.

# URL of the validation server; multiple URL config items may be used
# to list multiple servers.
#
# - %d is a placeholder for the public ID of the token
# - %s is a placeholder for the token string itself
#
# If no URLs are listed, the module falls back to the default URLs in the
# ykclient library, which point to the Yubico validation servers.
#
# uri = 'http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
# uri = 'http://api2.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'

# Must be set to your client id for the validation server.

# API Secret key (Base64 encoded)
#
# Must be set to your API key for the validation server.
#
# api_key = '000000000000000000000000'

# Connection pool parameters

# Number of connections to start

# Minimum number of connections to keep open

# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.

# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"

# Number of uses before the connection is closed

# The lifetime (in seconds) of the connection

# Idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.

# Cycle over all connections in a pool instead of concentrating
# connection use on a few connections.

# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, the server will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.