# README
go-yubiserv
Service for Yubikey local validation. Supports SQLite and Hashicorp Valut keystores.
Command line parameters and environment variables
| Command line arg | Environment variable | Default value | Description |
|---|---|---|---|
| --config value, -c value | YSR_CONFIG | config.yaml | Configuration file name |
| --debug, -d | YSR_DEBUG | false | Enable debug log messages |
| --log-format | YSR_LOGGER_FORMAT | console | Log format: console/json |
| --api-address value | YSR_API_ADDRESS | :8433 | Validation API bind address |
| --api-timeout value | YSR_API_TIMEOUT | 1s | Validation API connect/read timeout |
| --api-secret value | YSR_API_SECRET | Base64-encoded string for HMAC signature verification, empty to disable check | |
| --api-tls-cert value | YSR_TLS_CERT | Validation API TLS certificate file path. If empty, will use HTTP mode | |
| --api-tls-key value | YSR_TLS_KEY | Validation API TLS private key file path. If empty, will use HTTP mode | |
| --keystore value | YSR_KEYSTORE | vault | Key store: vault/sqlite |
| --sqlite-dbpath value | YSR_SQLITE_DBPATH | yubiserv.db | SQLite3 database path |
| --vault-address value | YSR_VAULT_ADDRESS | https://127.0.0.1:8200 | Vault server address |
| --vault-role-id value | YSR_VAULT_ROLE_ID | role_id for Vault auth, overrides role-file | |
| --vault-role-file value | YSR_VAULT_ROLE_FILE | role_id | Path to file containing role_id for Vault auth |
| --vault-secret-id value | YSR_VAULT_SECRET_ID | secret_id for Vault auth, overrides secret-id | |
| --vault-secret-file value | YSR_VAULT_SECRET_FILE | secret_id | Path to file containing secret_id for Vault auth |
| --vault-path | YSR_VAULT_PATH | secret/data/yubiserv | Vault path to KV secrets store |
Vault key store details
All secrets are kept in vault KV storage:
path:
{vault-path}/<public-id>
Example: secret/data/yubiserv/vvcccciiktcv
data:
{
"aes_key": "1234567890abcdef0123456789abcdef",
"private_id": "01234567890a"
}
Both AES key and private identifier can be randomly generated with yubikey manager when creating new OTP slot.
SQLite3 key store details
yubiserv generate --start 1 --count 3
Can be used to generate some keys. Use --save argument to generate and save to DB.
... TODO ...
Typical usage:
SQLite3 key store in HTTPS TLS mode
yubiserv --keystore=sqlite --api-secret=ynS/XoXc2gwGDBssYSu2w21Aky4= --api-tls-key=./yubiserv.key.pem --api-tls-cert=./yubiserv.cert.pem
Vault key store in plain HTTP mode
yubiserv --api-secret=ynS/XoXc2gwGDBssYSu2w21Aky4= --vault-address=https://127.0.0.1:8200 --vault-path="secret/service/yubiserv"
Configuration file example (not required)
shutdown_timeout: 30s
api:
address: :8443
secret: ynS/XoXc2gwGDBssYSu2w21Aky4=
timeout: 1s
tls_cert: ./fullchain.pem
tls_key: ./privkey.pem
logger:
color: true
format: console
full_caller: false
level: debug
no_disclaimer: true
sampling:
initial: 100
thereafter: 100
trace_level: fatal
vault:
address: https://127.0.0.1:8200
role_file: role_id
secret_file: secret_id