/go-yubiserv

Yubico validation service

Primary LanguageGoMIT LicenseMIT

go-yubiserv

Service for Yubikey local validation. Supports SQLite and Hashicorp Valut keystores.

Command line parameters and environment variables

Command line arg Environment variable Default value Description
--config value, -c value YSR_CONFIG config.yaml Configuration file name
--debug, -d YSR_DEBUG false Enable debug log messages
--log-format YSR_LOGGER_FORMAT console Log format: console/json
--api-address value YSR_API_ADDRESS :8433 Validation API bind address
--api-timeout value YSR_API_TIMEOUT 1s Validation API connect/read timeout
--api-secret value YSR_API_SECRET Base64-encoded string for HMAC signature verification, empty to disable check
--api-tls-cert value YSR_TLS_CERT Validation API TLS certificate file path. If empty, will use HTTP mode
--api-tls-key value YSR_TLS_KEY Validation API TLS private key file path. If empty, will use HTTP mode
--keystore value YSR_KEYSTORE vault Key store: vault/sqlite
--sqlite-dbpath value YSR_SQLITE_DBPATH yubiserv.db SQLite3 database path
--vault-address value YSR_VAULT_ADDRESS https://127.0.0.1:8200 Vault server address
--vault-role-id value YSR_VAULT_ROLE_ID role_id for Vault auth, overrides role-file
--vault-role-file value YSR_VAULT_ROLE_FILE role_id Path to file containing role_id for Vault auth
--vault-secret-id value YSR_VAULT_SECRET_ID secret_id for Vault auth, overrides secret-id
--vault-secret-file value YSR_VAULT_SECRET_FILE secret_id Path to file containing secret_id for Vault auth
--vault-path YSR_VAULT_PATH secret/data/yubiserv Vault path to KV secrets store

Vault key store details

All secrets are kept in vault KV storage:

path: {vault-path}/<public-id> Example: secret/data/yubiserv/vvcccciiktcv

data:

{
  "aes_key": "1234567890abcdef0123456789abcdef",
  "private_id": "01234567890a"
}

Both AES key and private identifier can be randomly generated with yubikey manager when creating new OTP slot.

SQLite3 key store details

yubiserv generate --start 1 --count 3

Can be used to generate some keys. Use --save argument to generate and save to DB.

... TODO ...

Typical usage:

SQLite3 key store in HTTPS TLS mode

yubiserv --keystore=sqlite --api-secret=ynS/XoXc2gwGDBssYSu2w21Aky4= --api-tls-key=./yubiserv.key.pem --api-tls-cert=./yubiserv.cert.pem

Vault key store in plain HTTP mode

yubiserv --api-secret=ynS/XoXc2gwGDBssYSu2w21Aky4= --vault-address=https://127.0.0.1:8200 --vault-path="secret/service/yubiserv"

Configuration file example (not required)

shutdown_timeout: 30s
api:
  address: :8443
  secret: ynS/XoXc2gwGDBssYSu2w21Aky4=
  timeout: 1s
  tls_cert: ./fullchain.pem
  tls_key: ./privkey.pem

logger:
  color: true
  format: console
  full_caller: false
  level: debug
  no_disclaimer: true
  sampling:
    initial: 100
    thereafter: 100
  trace_level: fatal

vault:
  address: https://127.0.0.1:8200
  role_file: role_id
  secret_file: secret_id