Updated May 04, 2009 by simon75j
Labels: Featured, Phase-Deploy
ReadMeYubico  
Overview and installation instructions for the Yubico OpenID Server

Yubico OpenID Server

The yubico-openid-server project is a fork of JanRain's PHP OpenID Library. The goal of this project is to provide a simple to use OpenID server which supports the Yubikey OTP generator for authentication and trust confirmation.

Installation instructions

The steps below describe how to set up this package as a Yubikey-enabled OpenID server. If you want more information, please see the documentation that comes with JanRain's OpenID Library, e.g., the README file.

Start by installing some software that is required. We assume a Debian based system, but you should be able to adapt this to other environments as well.

vela:~# apt-get install apache2 php5 subversion php-pear php5-curl libapache2-mod-gnutls

You will need to install the Yubico PHP module, see:

http://code.google.com/p/php-yubico/

Configure Apache:

vela:~# cat>/etc/apache2/sites-available/openid.yubico.com
<VirtualHost *:80>
	ServerName openid.yubico.com
	ServerAdmin info@yubico.com
	
	DocumentRoot /var/www/openid/
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/openid/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>

	ErrorLog /var/log/apache2/openid.yubico.com-error.log
	LogLevel warn

	CustomLog /var/log/apache2/openid.yubico.com-access.log combined
	ServerSignature On

</VirtualHost>
vela:~# cat>/etc/apache2/sites-available/openid.yubico.com-ssl
Listen 443
<VirtualHost *:443>
	ServerName openid.yubico.com
	ServerAdmin info@yubico.com

	GnuTLSEnable on
	GnuTLSCertificateFile /etc/ssl/private/openid.yubico.com-chain.pem
	GnuTLSKeyFile /etc/ssl/private/openid.yubico.com-key.pem
	GnuTLSPriorities NORMAL

	DocumentRoot /var/www/openid/
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/openid/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>

	ErrorLog /var/log/apache2/openid.yubico.com-ssl-error.log
	LogLevel warn

	CustomLog /var/log/apache2/openid.yubico.com-ssl-access.log combined
	ServerSignature On

</VirtualHost>
vela:~# 

You will need to obtain a server certificate chain and private key and place them in /etc/ssl/private/openid.yubico.com-chain.pem and /etc/ssl/private/openid.yubico.com-key.pem. For a free TLS server certificate provider, check out CAcert.

Enable the site:

vela:~# a2enmod gnutls
Enabling module gnutls.
Run '/etc/init.d/apache2 restart' to activate new configuration!
vela:~# a2ensite openid.yubico.com
Enabling site openid.yubico.com.
Run '/etc/init.d/apache2 reload' to activate new configuration!
vela:~# a2ensite openid.yubico.com-ssl
Enabling site openid.yubico.com-ssl.
Run '/etc/init.d/apache2 reload' to activate new configuration!
vela:~# /etc/init.d/apache2 restart

Check out the module:

vela:/var/www# svn checkout http://yubico-openid-server.googlecode.com/svn/trunk/ yubico-openid-server-read-only
vela:/var/www# ln -s yubico-openid-server-read-only/examples/server/ openid

You can create examples/server/config.php through detect.php (see the README), or just create one by hand as described below. If you let detect.php create config.php, you will need to make one Yubikey-specific change: add the following to config.php:

  require_once 'Auth/Yubico.php';
  $yubi = &new Auth_Yubico('CLIENT-API-ID', 'CLIENT-API-KEY');

Replace CLIENT-API-ID and CLIENT-API-KEY with your own Yubico client credentials. There is an online generator for these values, read the section 'Getting started' and in particular '1. API key' from:

http://yubico.com/developers/api/

The CLIENT-API-ID will be an integer, and the CLIENT-API-KEY will be a base64-encoded HMAC key.

Note! You can leave the CLIENT-API-KEY field empty if you don't care about verifying the signature in the response from Yubico's validation server; in that case the response is accepted without being authenticated.
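To show what the CLIENT-API-KEY buys you, here is an added example (not code from this project or from php-yubico) that re-implements the response signature check in Python: the validation server signs its response with HMAC-SHA1 over the alphabetically sorted fields, and a client configured without the key cannot tell a genuine REPLAYED_OTP verdict from one altered in transit to OK. The key, OTP and response values are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample: a client API key as it would appear in config.php
# (base64-encoded HMAC key; made up for this example, not a real key).
SAMPLE_API_KEY_B64 = base64.b64encode(b"0123456789abcdef0123").decode()

# Constructed sample: fields of a validation response, before signing.
SAMPLE_RESPONSE = {
    "t": "2009-05-04T12:00:00Z0123",
    "otp": "ccccccbcdefghijklnrtuvcbdefghijklnrtuvcbdefg",  # constructed modhex
    "nonce": "0123456789abcdef0123456789abcdef",
    "sl": "100",
    "status": "REPLAYED_OTP",
}


def sign_response(fields, api_key_b64):
    """HMAC-SHA1 over the alphabetically sorted k=v pairs joined with '&',
    excluding any existing 'h' field; the digest is returned base64-encoded."""
    key = base64.b64decode(api_key_b64)
    message = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    digest = hmac.new(key, message.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_response(fields, api_key_b64):
    """Return True if the response's 'h' field matches the expected signature.
    An empty key means the signature is not checked at all, which is what
    leaving CLIENT-API-KEY empty amounts to: any response is taken at face value."""
    if not api_key_b64:
        return True  # unauthenticated: a forged or altered response passes
    expected = sign_response(fields, api_key_b64)
    return hmac.compare_digest(expected, fields.get("h", ""))


def tamper_check(api_key_b64):
    """Sign the sample response, flip its verdict to OK, and report whether
    the altered response is still accepted under the given key."""
    signed = dict(SAMPLE_RESPONSE, h=sign_response(SAMPLE_RESPONSE, api_key_b64
                                                   or SAMPLE_API_KEY_B64))
    tampered = dict(signed, status="OK")
    return verify_response(tampered, api_key_b64)
```

With the key configured, tamper_check returns False; with an empty key it returns True, which is the gap the note above describes.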

Alternatively, just create the config.php file by hand:

vela:/var/www/yubico-openid-server-read-only/examples/server# cat>config.php
<?php
/**
 * Set any extra include paths needed to use the library
 */
set_include_path(get_include_path() . PATH_SEPARATOR . "/var/www/openid");

/**
 * The URL for the server.
 *
 * This is the location of server.php. For example:
 *
 * $server_url = 'http://example.com/~user/server.php';
 *
 * This must be a full URL.
 */
$server_url = "http://openid.yubico.com/server.php";

/**
 * Initialize an OpenID store
 *
 * @return object $store an instance of OpenID store (see the
 * documentation for how to create one)
 */
function getOpenIDStore()
{
    require_once "Auth/OpenID/FileStore.php";
    return new Auth_OpenID_FileStore("/var/tmp/openid2.db");
}

require_once 'Auth/Yubico.php';
$yubi = &new Auth_Yubico('4711', 'FOOBARB64=');

?>
vela:/var/www/yubico-openid-server-read-only/examples/server# 

That's it! You should now be able to browse to your web server, and it should accept login using the Yubikey. If you set up an OpenID homepage that points to your new OpenID server, it should also allow you to log in to other systems using OpenID.

Questions?

We have created a forum topic regarding OpenID and Yubico, see:

http://forum.yubico.com/viewforum.php?f=9

For business questions, see the contact information at:

http://www.yubico.com/
