yubikey-val
YubiKey OTP validation server in PHP
I am configuring a total of two validation servers - my concern is: In the default configuration you need to specify both the localhost and peer validation server in "**YKVAL_SYNC_POOL**"...
Hello, I have a YubiKey standard, firmware version 2.3.1. I use yubikey-personalization-gui version 3.1.19, library version 1.16.3 on Arch Linux. I configure my YubiKey with "Yubico OTP" mode (advanced) where I...
The Dvorak support today is done in a hackish way, and it is not well defined in the protocol how it works. We should clarify the protocol wrt alternative keyboard...
The end of the Validation Server documentation at https://github.com/Yubico/yubikey-val/wiki/Installation states: "You now have a YK-VAL up and running. See https://github.com/Yubico/yubikey-ksm/wiki/ServerHardening on how to improve security of your system." Yet the...
It would be nice to monitor how syncing works -- whether two servers are fully in sync or not.
There are still some pages (e.g., GettingStartedWritingClients) that do not cover the replicated protocol. We should fix that. While doing that, we should describe the validation algorithm that clients should...
I think it would be worth mentioning in the documentation that one needs to base64decode the API key from Yubico when applying the HMAC-SHA-1 algorithm when generating signatures, and...
Considerations are early-termination, what to do with errors from one server only, etc. Each client seems to have their own algorithm and they aren't consistent between clients.
I originally opened [this issue in the yubico-dotnet-client repo](https://github.com/Yubico/yubico-dotnet-client/issues/3). I was testing invalid OTPs, and often got an exception saying that the server signature did not match the key. As...
https://github.com/Yubico/yubikey-val/blob/master/ykval-synclib.php#L47 I'm not sure of implications yet, but this nonce appears to be predictable. If non-predictability is important (as it is for most nonces) suggest change to openssl_random_pseudo_bytes.