This Django app runs a standalone Yubikey OTP validation server. It implements version 2.0 of the validation protocol limited to the case of a single validation server. YubiKey devices and server API keys can easily be managed in the Django admin site or via command line.
Yubival can be integrated to any existing Django project. Alternatively, you can create a new Django site to host your validation server. If unfamiliar with Django, please follow the instructions at "Create a new standalone validation server" below.
Install the package from PyPI:
$ pip install yubival
Add 'yubival' to the INSTALLED_APPS setting in settings.py. It is not required to enable the admin site. If you do, INSTALLED_APPS may look like:
INSTALLED_APPS = [
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'yubival',
]
Add the app URLs to the root urls.py file:
from django.contrib import admin
from django.urls import path, include
urlpatterns = [
# ...
path('admin/', admin.site.urls), # optional
path('', include('yubival.urls')),
]
Update the database:
python manage.py migrate
When running the server, you should now be able to query the API at /wsapi/2.0/verify. When not providing any GET parameters, this returns a MISSING_PARAMETER status:
t=2021-10-29T08:31:11.885803
status=MISSING_PARAMETER
This section explains how to setup a new Django site with Yubival. It was tested on a Debian 10 distribution, with Python 3.9 and Django 3.2.
Create a directory for the project:
$ mkdir myyubival
$ cd myyubival
Create a Python environment and activate it:
$ python3 -m venv venv
$ source venv/bin/activate
Install Django and Yubival:
$ pip install Django yubival
Create a new Django project and browse to the newly created directory:
$ django-admin startproject myyubival
$ cd myyubival
Edit the ./myyubival/settings.py file to add 'yubival' to the INSTALLED_APPS setting:
INSTALLED_APPS = [
# ...
'yubival',
]
Make the validation server URLs accessible by editing ./myyubival/urls.py. Include the URLs from the Yubival app:
from django.contrib import admin
from django.urls import path, include
from django.views.generic.base import RedirectView
urlpatterns = [
path('', RedirectView.as_view(pattern_name='admin:index')),
path('admin/', admin.site.urls),
path('', include('yubival.urls')),
]
For convenience, we redirect above the website root to the admin area.
By default, Django will create a SQLite database located in a db.sqlite3 file in the project directory. To use other database engines, edit ./myyubival/settings.py to change the DATABASES setting; see the Databases doc. In both cases, run afterwards the following command to create the initial database tables:
python manage.py migrate
To be able to use the admin site and manage Yubikey devices and server API keys, create an initial user account:
$ python manage.py createsuperuser
To run the development web server, launch:
$ python manage.py runserver
The website can now be accessed at http://127.0.0.1:8000/. It should show a "Page not found" error. The validation API is located at http://127.0.0.1:8000/wsapi/2.0/verify and the admin site interface at http://127.0.0.1:8000/admin/.
While the runserver command above is an easy way to check your configuration and test Yubival, it should not be used to run the web server in production. Refer to the deployment docs to learn how to deploy your new myyubival site.
All subcommands can print a detailed help with --help. Example:
$ python manage.py yubikey --help
$ python manage.py yubikey add-existing --help
Services that need to use the Yubival validation server require an API key which is a shared secret between Yubival and the service. The key is used to sign requests and responses to and from the validation server. API keys can be managed using the manage.py apikey command:
$ python manage.py apikey add service.example.com
Created: service.example.com (1):
id: 1
key: gnQ1sZWtRgCjm17waaiGHQptp8w=
$ python manage.py apikey list
1 service.example.com
$ python manage.py apikey delete 1
Deleted: service.example.com (1)
YubiKeys can be added, listed and deleted using the commands below. To add a key, either use manage.py yubikey add that will automatically generate a public ID, a private ID and an AES key that you can use to configure a new Yubikey device, or use manage.py yubikey add-existing if you have a YubiKey for which you already know its parameters, including its secret key. In any case, make sure that the Yubival server will be the only validation server for the YubiKeys you register. If not, it would become possible to reuse OTP.
$ python manage.py yubikey add James
Created: James (cnfbfdinbblh):
Public ID: cnfbfdinbblh
Private ID: 1b935e02e095
AES key: fcea0ea12f97923ec4f952e0e170d419
$ python manage.py yubikey add-existing Evelyn gkhcilelifuv 0123456789ab 00112233445566778899aabbccddeeff
Created: Evelyn (gkhcilelifuv)
$ python manage.py yubikey list
cnfbfdinbblh James
gkhcilelifuv Evelyn
$ python manage.py yubikey delete cnfbfdinbblh
Deleted: James (cnfbfdinbblh)