3.88. <AuthBy YUBIKEYVALIDATIONSERVER>

This module authenticates YubiKey tokens (yubico.com) against the YubiCloud validation service or a locally hosted YubiKey Validation Server. This gives you the flexibility to decide which validation service or server to use and where to plug in a YubiHSM. The module does not require any YubiKey specific Perl modules because all the required work is done by the validation server and possibly by a YubiHSM. The PyHSM validation server allows using Radiator with a YubiHSM (Hardware Security Module) for storing the YubiKey secrets.
Yubico's Validation Server (YK-VAL) and YubiCloud API versions 1.0 and 2.0 are supported. For YubiCloud you should set APIVersion to 2.0 and ClientID to the value assigned to you by Yubico. Configuring APIKey is optional but recommended, especially when ValidationServerURL uses http instead of https, because only a signed exchange lets Radiator detect a tampered response. If you run a self-hosted YK-VAL, set APIVersion, ClientID and APIKey to match the server configuration.
Yubico's PyHSM validation server and its one line response format are also supported. Yubico's PyHSM validation server yhsm-val supports Yubico OTP, OATH-HOTP and OATH-TOTP.
See a sample configuration file goodies/yubikey-validationserver.cfg for two-factor, single factor and EAP configuration examples.
AuthBy YUBIKEYVALIDATIONSERVER also understands the same parameters as <AuthBy xxxxxx>. For more information, see Section 3.32. <AuthBy xxxxxx>.

3.88.1. ValidationServerURL

The URL of the YubiKey Validation Server. The OTP protocol specific part is appended to ValidationServerURL. Defaults to http://127.0.0.1:8003/yhsm/validate? which is compatible with Yubico's PyHSM validation server yhsm-val.
HTTPS requires the LWP::Protocol::https Perl module. If it is not installed, Radiator logs an error and does not connect to the server.
# Use Yubico's service over HTTPS
ValidationServerURL https://api.yubico.com/wsapi/2.0/verify?

3.88.2. OTPProtocol

This is a comma separated list of OTP protocols Radiator is allowed to support. The possible values are:
  • YubicoOTP
  • OATH-HOTP
  • OATH-TOTP
The OATH protocols OATH-HOTP and OATH-TOTP are only supported by the PyHSM validation server. The default value is YubicoOTP.
# We use PyHSM validation server and can support HOTP too
OTPProtocol YubicoOTP, OATH-HOTP

3.88.3. APIVersion

This is the version of the validation server API Radiator uses when talking to the server. Format specifiers, such as %{GlobalVar:name}, are evaluated when the configuration is loaded. The possible values are:
  • yk-ksm
  • 1.0
  • 2.0
For YubiCloud you should set APIVersion to 2.0 and ClientID to the value assigned by Yubico. APIVersion defaults to yk-ksm, which requires the PyHSM validation server yk-val running with the --short-otp parameter.
# YubiCloud supports version 2.0 API
APIVersion 2.0

3.88.4. ClientID

ClientID is required for signed requests and responses. Yubico allocates it for YubiCloud users and seems to always require it when the YubiCloud validation servers are used.
There is no default value.
# Value allocated to us by Yubico
ClientID 1

3.88.5. APIKey

APIKey is required for signing requests and responses. It is allocated for a ClientID and specified in Base64 format. When this parameter is non-empty, requests are signed and a valid signature is required in responses. Special formatting characters are allowed.
There is no default value.
# Value allocated to us by Yubico
APIKey t2ZMtKeValdA+H0jVpj3LIichn4=
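The following is an added example, not Radiator code, showing what the ClientID and APIKey settings buy you on the wire: a YubiCloud / YK-VAL API 2.0 request is signed by sorting the key=value pairs by name, joining them with '&', computing HMAC-SHA1 with the Base64-decoded API key and Base64-encoding the digest, and a response is checked the same way (over every field except h). The ClientID, APIKey and URL values are the manual's own sample values; the OTP, nonce and response body are constructed for the demonstration, and make_signed_response stands in for the validation server.

```python
"""Added example (not Radiator code): signing API 2.0 verify requests with
APIKey and checking the signature, OTP echo, nonce echo and status of a
response before trusting it."""
import base64
import hashlib
import hmac
import secrets
import urllib.parse

# Sample values from the manual's own examples; the API key is only a
# documentation value and matches no real YubiCloud client.
CLIENT_ID = "1"
API_KEY_B64 = "t2ZMtKeValdA+H0jVpj3LIichn4="
VALIDATION_URL = "https://api.yubico.com/wsapi/2.0/verify?"


def sign_fields(fields, api_key_b64):
    """API 2.0 signature over fields: sort by key, join with '&', HMAC-SHA1
    with the Base64-decoded key, Base64-encode. An existing 'h' is ignored."""
    key = base64.b64decode(api_key_b64)
    message = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    digest = hmac.new(key, message.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_verify_url(otp, nonce, api_key_b64=None):
    """Build the verify request URL; 'h' is added only when a key is configured,
    mirroring the 'when this parameter is non-empty' rule of APIKey."""
    params = {"id": CLIENT_ID, "otp": otp, "nonce": nonce}
    if api_key_b64:
        params["h"] = sign_fields(params, api_key_b64)
    return VALIDATION_URL + urllib.parse.urlencode(params)


def parse_response(body):
    """Parse the key=value lines of a validation server response."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if "=" in line:
            k, v = line.split("=", 1)
            fields[k] = v
    return fields


def verify_response(fields, otp, nonce, api_key_b64=None):
    """Return (accepted, reason). The signature is checked first when a key is
    configured; then the OTP and nonce must echo what was sent, and status must be OK."""
    if api_key_b64:
        expected = sign_fields(fields, api_key_b64)
        if not hmac.compare_digest(expected, fields.get("h", "")):
            return False, "bad signature"
    if fields.get("otp") != otp:
        return False, "otp mismatch"
    if fields.get("nonce") != nonce:
        return False, "nonce mismatch"
    if fields.get("status") != "OK":
        return False, f"status {fields.get('status', 'missing')}"
    return True, "ok"


def make_signed_response(fields, api_key_b64):
    """Constructed stand-in for the server side: emit a signed response body."""
    body = dict(fields)
    body["h"] = sign_fields(body, api_key_b64)
    return "".join(f"{k}={v}\r\n" for k, v in body.items())


if __name__ == "__main__":
    otp = "ccccccbcgujhingjrdejhgfnuetrgigvejhhgbkugded"  # constructed ModHex OTP
    nonce = secrets.token_hex(16)
    print(build_verify_url(otp, nonce, API_KEY_B64))
    body = make_signed_response(
        {"t": "2024-01-01T00:00:00Z0000", "otp": otp, "nonce": nonce,
         "sl": "100", "status": "OK"}, API_KEY_B64)
    print(verify_response(parse_response(body), otp, nonce, API_KEY_B64))
```

The order of the checks matters: with an APIKey configured, a response whose signature does not verify is rejected before its status field is even looked at, which is why the manual recommends APIKey when the URL is plain http. Without a key, only the OTP and nonce echo protect against a response that belongs to a different request.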

3.88.6. OTPCharset

OTPCharset allows limiting and changing the characters allowed in OTPs. Defaults to 0-9cbdefghijklnrtuv, which allows both OATH and Yubico OTPs. The value of the parameter is a Perl character set specification. See your Perl reference manual for details about how to construct Perl character set specifications. Note that some special characters must be escaped with a backslash.
# Allow Yubico OTPs only
OTPCharset cbdefghijklnrtuv
Note
If you need to support non-standard keyboard layouts, such as Dvorak, you may need to change OTPCharset.
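As an added illustration (not Radiator code) of what an OTPCharset value accepts and rejects: Radiator applies the value as a Perl character set, and Python's re module understands the same bracket syntax, so wrapping the spec in [...] and requiring a full match reproduces the check. The protocol guess from the OTP's shape (32 ModHex characters with an optional public ID for Yubico OTP, 6 or 8 digits for OATH) and all sample OTPs are constructed for this example; the classification function is not how Radiator or the validation server parses OTPs.

```python
"""Added example (not Radiator code): applying an OTPCharset specification to
submitted OTPs and seeing which ones survive with the manual's two values."""
import re

DEFAULT_OTPCHARSET = "0-9cbdefghijklnrtuv"   # manual default: OATH digits plus ModHex
YUBICO_ONLY_CHARSET = "cbdefghijklnrtuv"      # manual example: Yubico OTPs only
MODHEX = set("cbdefghijklnrtuv")              # the ModHex alphabet YubiKeys type


def otp_allowed(otp, charset=DEFAULT_OTPCHARSET):
    """True when every character of the OTP lies inside the Perl-style charset.
    Special characters such as '-' or ']' need a backslash, exactly as in Perl."""
    return re.fullmatch(f"[{charset}]+", otp) is not None


def classify_otp(otp, charset=DEFAULT_OTPCHARSET):
    """Reject an OTP outside the charset, then guess the protocol from its shape
    (constructed heuristic, only for the demonstration): 32 ModHex characters
    with up to 16 ModHex characters of public ID for Yubico OTP, 6 or 8 digits
    for OATH-HOTP/TOTP."""
    if not otp_allowed(otp, charset):
        return "rejected"
    if 32 <= len(otp) <= 48 and set(otp) <= MODHEX:
        return "YubicoOTP"
    if otp.isdigit() and len(otp) in (6, 8):
        return "OATH"
    return "unknown"


# Constructed samples: a 12-character public ID followed by a 32-character OTP,
# a 6-digit OATH code, and a string containing characters a non-US keyboard
# layout can produce, which the default charset does not allow.
SAMPLES = {
    "yubico": "ccccccbcgujh" + "ingjrdejhgfnuetrgigvejhhgbkugded",
    "oath": "123456",
    "other_layout": "jjjjjjxji.uh",
}

if __name__ == "__main__":
    for name, otp in SAMPLES.items():
        print(f"{name:13} default: {classify_otp(otp):9} "
              f"yubico-only: {classify_otp(otp, YUBICO_ONLY_CHARSET)}")
    # A charset that also admits '-' must escape it, as the manual notes for Perl.
    print("with escaped hyphen:", otp_allowed("cccc-bcgu", "cbdefghijklnrtuv\\-"))
```

Narrowing OTPCharset to the Yubico alphabet, as in the manual's example, makes six-digit OATH codes fail before any request reaches the validation server; widening it is only needed when users type OTPs on a layout whose keys do not produce the ModHex letters.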

3.88.7. Timeout

Connection timeout in seconds. Defaults to 3.

3.88.8. SSLVerify

Controls how the YubiKey Validation Server's certificate is verified. May be one of "none" or "require".

3.88.9. SSLCAPath

When verifying the YubiKey Validation Server's certificate, set this to the pathname of the directory containing CA certificates. These certificates must all be in PEM format. The directory must contain certificates named using the hash value of the certificates' subject names.

3.88.10. SSLCAFile

Use this option to locate the file containing the certificates of the trusted certificate authorities. This lets you verify that the server certificate has been signed by a certificate authority you trust. Special characters are permitted.
Here is an example of using SSLCAFile:
SSLCAFile %D/certificates/demoCA/cacert.pem