debian/0000755000000000000000000000000012133246250007164 5ustar debian/yhsm-yubikey-ksm.default0000644000000000000000000000373412133246250013770 0ustar # Should the YubiHSM YubiKey KSM server be started? # # Since you MUST configure YHSM_KSM_KEYHANDLES, we default to 'false' here. # # Valid values: "true" or "false" YHSM_KSM_ENABLE="false" # The device name of the YubiHSM. For a production setting, a name that is # invariant of system state when the YubiHSM is inserted is recommended # (e.g. "/dev/serial/by-id/usb-Yubico_Yubico_YubiHSM_xxxx-if00"). YHSM_KSM_DEVICE="/dev/ttyACM0" # The key handles to be used when trying to decrypt a YubiKey OTP. # More than one is supported to facilitate multiple generations, or multiple # origins, of keys. # # This is a required field without a default, but an example would be # "0x20" or "0x20 1234" or even "KEY1 0x20 KEY3" where KEY1 and KEY3 will be # converted to integer values. YHSM_KSM_KEYHANDLES="" # If you have protected the key store of your YubiHSM with a 'master key' # (recommended), the key store must be unlocked before any validations can # be performed. Either log in to your server after every reboot and unlock # the key store manually (recommended), or enter the 'master key' in this # variable to have the startup script unlock the key store for you (less # secure). To unlock manually, use /usr/sbin/yhsm-keystore-unlock. # # If you also have configured your YubiHSM with 'admin YubiKeys' (recommended), # you _have_ to log in and unlock the YubiHSM manually after every reboot, # so you might as well leave this field empty. YHSM_KSM_UNLOCK_PASSPHRASE="" # The directory where the AEADs with your YubiKey's secret AES keys is located. #DAEMON_ARGS="$DAEMON_ARGS --aead-dir /var/cache/yubikey-ksm/aeads" # The address to listen on. As a restrictive default, "127.0.0.1" is used. #DAEMON_ARGS="$DAEMON_ARGS --addr 127.0.0.1" # The port to listen on. Default is 8002. #DAEMON_ARGS="$DAEMON_ARGS --port 8003" [ "x$YHSM_KSM_DEVICE" != "x" ] && DAEMON_ARGS="$DAEMON_ARGS -D $YHSM_KSM_DEVICE" [ "x$YHSM_KSM_KEYHANDLES" != "x" ] && DAEMON_ARGS="$DAEMON_ARGS --key-handles $YHSM_KSM_KEYHANDLES" debian/yhsm-yubikey-ksm.dirs0000644000000000000000000000003412133246250013273 0ustar var/cache/yubikey-ksm/aeads debian/yhsm-validation-server.default0000644000000000000000000000403212133246250015145 0ustar # Should the YubiHSM validation server be started? # # Valid values: "true" or "false" YHSM_VAL_ENABLE="true" # The device name of the YubiHSM. For a production setting, a name that is # invariant of system state when the YubiHSM is inserted is recommended # (e.g. "/dev/serial/by-id/usb-Yubico_Yubico_YubiHSM_xxxx-if00"). YHSM_VAL_DEVICE="/dev/ttyACM0" # If you have protected the key store of your YubiHSM with an 'HSM password' # (recommended), the key store must be unlocked before any validations can # be performed. Either log in to your server after every reboot and unlock # the key store manually (recommended), or enter the 'HSM password' in this # variable to have the startup script unlock the key store for you (less # secure). To unlock manually, use /usr/sbin/yhsm-storage-unlock.py. YHSM_VAL_UNLOCK_PASSPHRASE="" # What validation modes to enable. The default we set here is to only allow # validation of YubiKey OTP's, but you can also enable OATH HOTP validation # and a special mode to validate passwords (or hashes of passwords). # # Run `pydoc /usr/sbin/yhsm-validation-server' to read more about these modes. # # Valid values : "--otp" "--hotp" "--pwhash" DAEMON_ARGS="$DAEMON_ARGS --otp" # The address to listen on. As a restrictive default, "127.0.0.1" is used. #DAEMON_ARGS="$DAEMON_ARGS --addr 127.0.0.1" # The port to listen on. #DAEMON_ARGS="$DAEMON_ARGS --port 8003" # The key handle to use when creating HMAC-SHA1 hashes (for OATH validation). # This key handle needs to have the permission flag YSM_HMAC_SHA1_GENERATE set. #DAEMON_ARGS="$DAEMON_ARGS --hmac-kh 1000" # Database file for --hotp and --pwhash modes. #DAEMON_ARGS="$DAEMON_ARGS --db-file /var/yubico/yhsm-validation-server.db" # The look-ahead window for OATH HOTP validation. This is the maximum allowed # number of OATH codes a user can generate, but never send to the validation # service, before finally sending one to the validation service. #DAEMON_ARGS="$DAEMON_ARGS --hotp-window 5" [ "x$YHSM_VAL_DEVICE" != "x" ] && DAEMON_ARGS="$DAEMON_ARGS -D $YHSM_VAL_DEVICE" debian/yhsm-validation-server.preinst0000755000000000000000000000214512133246250015213 0ustar #! /bin/sh # # see: dh_installdeb(1) # # summary of how this script can be called: # * `install' # * `install' # * `upgrade' # * `abort-upgrade' # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package set -e case "$1" in upgrade) if [ "x$2" != "x" ]; then if dpkg --compare-versions "$2" le "1.0.3c-1"; then if getent passwd yhsm-valsrv | grep -q ":/home/yhsm-valsrv:"; then # Version 1.0.3c-1 of this package accidentally created a home directory # for the service user usermod -d /var/cache/yubikey-val yhsm-valsrv rmdir /home/yhsm-valsrv fi if getent passwd yhsm-valsrv | grep -q ":/bin/sh$"; then # Version 1.0.3c-1 of this package set a shell on the service user, # although one is not necessary usermod -s /bin/false yhsm-valsrv fi fi fi ;; install|abort-upgrade) ;; *) echo "preinst called with unknown argument \`$1'" >&2 exit 1 ;; esac #DEBHELPER# debian/yhsm-validation-server.install0000644000000000000000000000016712133246250015174 0ustar yhsm-val/yhsm-validation-server usr/sbin/ yhsm-val/yhsm-validate-otp usr/sbin/ yhsm-val/yhsm-init-oath-token usr/sbin/ debian/yhsm-docs.doc-base0000644000000000000000000000040412133246250012467 0ustar Document: python-pyhsm Title: API documentation for python-pyhsm Author: Fredrik Thulin Abstract: API documentation for python-pyhsm Section: Programming Format: HTML Index: /usr/share/doc/yhsm-docs/html/index.html Files: /usr/share/doc/yhsm-docs/html/*.html debian/changelog0000644000000000000000000000646212133246250011046 0ustar python-pyhsm (1.0.4f-1) unstable; urgency=low [ Dain Nilsson ] * New upstream release. - Support URLs in device field, for more info see: http://pyserial.sourceforge.net/pyserial_api.html#serial.serial_for_url - Added yhsm-daemon. -- Simon Josefsson Tue, 16 Apr 2013 14:58:00 +0200 python-pyhsm (1.0.4e-1) unstable; urgency=low * New upstream release. * Bump compat level to 9. * Fix dh invocation for python. * Update standards version to 3.9.4. * Remove obsolete 'DM-Upload-Allowed'. * Drop Fredrik as uploader, add Klas and Dain. * Use machine readable copyright file. * Update Homepage URL. -- Simon Josefsson Sat, 06 Apr 2013 07:03:06 +0200 python-pyhsm (1.0.4d-1) unstable; urgency=low [ Klas Lindfors ] * New upstream release. - Make yhsm-yubikey-ksm work with the old fileformat -- Klas Lindfors Mon, 18 Mar 2013 15:18:55 +0100 python-pyhsm (1.0.4c-1) unstable; urgency=low [ Klas Lindfors ] * New upstream release. - Let the OTP validation work with nonce in aead file - add --random-nonce to yhsm-generate-keys and yhsm-import-keys -- Klas Lindfors Mon, 18 Mar 2013 13:46:23 +0100 python-pyhsm (1.0.4b-1) unstable; urgency=low [ Dain Nilsson ] * New upstream release. - yhsm-import-keys: Support soft HSM AEAD generation. - yhsm-import-keys: Ignore lines starting with #. - yhsm-import-keys: Block all-zero (ccc...c) keys. - yhsm-decrypt-keys: Support generating AEADs. - yhsm-decrypt-keys: Ignores non-modhex files in AEAD directory trees. - yhsm-generate-keys: Bugfix that caused AEAD generation to fail. - yhsm-generate-keys: Bugfix that caused wrong nonce to be used. - yhsm-generate-keys: Prevent generating all-zero (ccc...c) keys. -- Dain Nilsson Mon, 11 Feb 2013 16:55:24 +0100 python-pyhsm (1.0.4a-1) unstable; urgency=low [ Fredrik Thulin ] * New upstream release. - Enable IPv6 --addr for network servers. - Verifies communication with YubiHSM on initialization. -- Simon Josefsson Wed, 22 Aug 2012 12:47:53 +0200 python-pyhsm (1.0.4-1) unstable; urgency=low [ Fredrik Thulin ] * New upstream release matching firmware 1.0.4. - Firmware adds flag YSM_USER_NONCE to address security problem for some usages where AEADs could be decrypted by an attacker capable of generating new AEADs. * New file format for stored AEADs (code loading AEADs is backwards compatible), including key handle and nonce. * AES CCM implementation compatible with YubiHSM in software, for transparency and to enable willfull decryption of AEADs. * Tools to generate YubiKey secrets into AEADs as well as decrypt them to enable provisioning YubiKeys with the secrets. [ Simon Josefsson ] * Bump to Debian Policy version 3.9.3. -- Simon Josefsson Sun, 24 Jun 2012 21:27:20 +0200 python-pyhsm (1.0.3c-2) unstable; urgency=low [ Fredrik Thulin ] * Fix package policy violations. Closes: #656205 [ Simon Josefsson ] * Add yhsm-docs.doc-base. -- Simon Josefsson Wed, 18 Jan 2012 20:23:42 +0100 python-pyhsm (1.0.3c-1) unstable; urgency=low * Initial release. -- Fredrik Thulin Thu, 05 Jan 2012 20:08:43 +0100 debian/yhsm-tools.install0000644000000000000000000000021712133246250012672 0ustar utils/yhsm-keystore-unlock usr/sbin/ utils/yhsm-linux-add-entropy usr/sbin/ utils/yhsm-generate-keys usr/bin/ utils/yhsm-decrypt-aead usr/bin/ debian/yhsm-yubikey-ksm.preinst0000755000000000000000000000214512133246250014026 0ustar #! /bin/sh # # see: dh_installdeb(1) # # summary of how this script can be called: # * `install' # * `install' # * `upgrade' # * `abort-upgrade' # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package set -e case "$1" in upgrade) if [ "x$2" != "x" ]; then if dpkg --compare-versions "$2" le "1.0.3c-1"; then if getent passwd yhsm-ksmsrv | grep -q ":/home/yhsm-ksmsrv:"; then # Version 1.0.3c-1 of this package accidentally created a home directory # for the service user usermod -d /var/cache/yubikey-ksm yhsm-ksmsrv rmdir /home/yhsm-ksmsrv fi if getent passwd yhsm-ksmsrv | grep -q ":/bin/sh$"; then # Version 1.0.3c-1 of this package set a shell on the service user, # although one is not necessary usermod -s /bin/false yhsm-ksmsrv fi fi fi ;; install|abort-upgrade) ;; *) echo "preinst called with unknown argument \`$1'" >&2 exit 1 ;; esac #DEBHELPER# debian/yhsm-tools.manpages0000644000000000000000000000001712133246250013015 0ustar utils/yhsm-*.1 debian/yhsm-validation-server.postinst0000644000000000000000000000166212133246250015412 0ustar #!/bin/sh # # see: dh_installdeb(1) # # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-remove' # * `abort-deconfigure' `in-favour' # `removing' # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package set -e if [ "x$1" = "xconfigure" ]; then adduser --quiet --system --group --home /var/cache/yubikey-val --no-create-home --disabled-password --system yhsm-valsrv # yhsm-valsrv needs to be in the 'dialout' group to access /dev/ttyACM* adduser --quiet yhsm-valsrv dialout fi invoke-rc.d yhsm-validation-server restart #DEBHELPER# debian/README.source0000644000000000000000000000230212133246250011340 0ustar We describe here one way to work with the package sources. Initialize cowbuilder, for Debian sid: sudo cowbuilder --create --distribution sid --mirror ftp://ftp.se.debian.org/debian/ --debootstrapopts "--keyring=/usr/share/keyrings/debian-archive-keyring.gpg" --basepath /var/cache/pbuilder/sid.cow or for Ubuntu 12.04: sudo cowbuilder --create --distribution precise --components "main universe" --basepath /var/cache/pbuilder/precise.cow Optionally update cowbuilder: sudo cowbuilder --update --basepath /var/cache/pbuilder/sid.cow sudo cowbuilder --update --basepath /var/cache/pbuilder/precise.cow Clone the repository: git clone git@github.com:Yubico/python-pyhsm-dpkg.git Build the package: git-buildpackage --git-pristine-tar --git-builder="pdebuild --auto-debsign --pbuilder cowbuilder -- --basepath /var/cache/pbuilder/sid.cow" git-buildpackage --git-pristine-tar --git-builder="pdebuild --auto-debsign --pbuilder cowbuilder -- --basepath /var/cache/pbuilder/precise.cow" If all goes well, you should have newly built packages in /var/cache/pbuilder/result/. Update the package to a new upstream release (don't forget debian/changelog): git-import-orig --pristine-tar /path/to/new-release.tar.gz debian/compat0000644000000000000000000000000212133246250010362 0ustar 9 debian/yhsm-yubikey-ksm.manpages0000644000000000000000000000002512133246250014125 0ustar yubikey-ksm/yhsm-*.1 debian/yhsm-docs.install0000644000000000000000000000003712133246250012462 0ustar doc/* usr/share/doc/yhsm-docs/ debian/python-pyhsm.preinst0000644000000000000000000000066112133246250013254 0ustar #! /bin/sh set -e # This was added by stdeb to workaround Debian #479852. In a nutshell, # pycentral does not remove normally remove its symlinks on an # upgrade. Since we're using python-support, however, those symlinks # will be broken. This tells python-central to clean up any symlinks. if [ -e /var/lib/dpkg/info/python-pyhsm.list ] && which pycentral >/dev/null 2>&1 then pycentral pkgremove python-pyhsm fi #DEBHELPER# debian/rules0000755000000000000000000000021412133246250010241 0ustar #!/usr/bin/make -f override_dh_installchangelogs: dh_installchangelogs ChangeLog %: dh $@ --with python2 --buildsystem=python_distutils debian/python-pyhsm.install0000644000000000000000000000013212133246250013227 0ustar debian/tmp/usr/lib/python*/*-packages/*.egg-info debian/tmp/usr/lib/python*/*-packages/*/ debian/yhsm-validation-server.manpages0000644000000000000000000000002212133246250015307 0ustar yhsm-val/yhsm-*.1 debian/control0000644000000000000000000000761312133246250010576 0ustar Source: python-pyhsm Maintainer: Yubico Open Source Maintainers Uploaders: Simon Josefsson , Klas Lindfors , Dain Nilsson Section: python Priority: optional Build-Depends: python-setuptools (>= 0.6b3), debhelper (>= 9), python, python-support (>= 0.8.4) Vcs-Git: git://github.com/Yubico/python-pyhsm-dpkg.git Vcs-Browser: https://github.com/Yubico/python-pyhsm-dpkg Homepage: http://yubico.github.com/python-pyhsm Standards-Version: 3.9.4 Package: python-pyhsm Architecture: all Depends: ${python:Depends}, ${misc:Depends}, python-crypto, python-serial Suggests: python-argparse, yhsm-docs Recommends: yhsm-tools XB-Python-Version: ${python:Versions} Provides: ${python:Provides} Description: Python code for talking to a Yubico YubiHSM hardware YubiHSM is an easy to use and affordable crypto appliance that you connect to the USB port of a server. You can then store cryptographic keys on the YubiHSM and use them from the server without any possibility for an attacker to extract the crypto keys from the YubiHSM. . Supported operations include YubiKey OTP validation, AES ECB encrypt/decrypt/decrypt-compare, HMAC-SHA1 hashing (enabling OATH code validation), and Random number entropy generation. . This package contains the core Python code for interacting with the YubiHSM. Package: yhsm-docs Section: doc Priority: extra Suggests: python-pyhsm (= ${binary:Version}) Architecture: all Depends: ${misc:Depends} Description: python-pyhsm documentation Complete API documentation (in HTML format), as well as other assorted documentation regarding pyhsm and related applications. . The documentation is generated from the pydoc annotations (using epydoc) but the HTML format might be preferable since it allows you to click on references for example. Package: yhsm-tools Architecture: all Depends: ${python:Depends}, ${misc:Depends}, python-argparse, python-pyhsm (= ${binary:Version}) XB-Python-Version: ${python:Versions} Provides: ${python:Provides} Description: Common files for YubiHSM applications YubiHSM is an easy to use and affordable crypto appliance that you connect to the USB port of a server. You can then store cryptographic keys on the YubiHSM and use them from the server without any possibility for an attacker to extract the crypto keys from the YubiHSM. . Supported operations include YubiKey OTP validation, AES ECB encrypt/decrypt/decrypt-compare, HMAC-SHA1 hashing (enabling OATH code validation), and Random number entropy generation. . This package includes the following utilities : . * yhsm-keystore-unlock - Keystore unlock * yhsm-linux-add-entropy - Entropy seeder Package: yhsm-validation-server Architecture: all Depends: ${python:Depends}, ${misc:Depends}, adduser, python-pyhsm (= ${binary:Version}), python-argparse, yhsm-tools XB-Python-Version: ${python:Versions} Provides: ${python:Provides} Description: Validation server using YubiHSM This package validates YubiKey OTP's, OATH codes or password hashes using YubiHSM. . The interface is a REST API with a simple web server listening on localhost only (per default). It can function as a drop-in replacement for the traditional PHP based Yubico validation server, except that it does not provide the advanced replication features of that server. Package: yhsm-yubikey-ksm Architecture: all Depends: ${python:Depends}, ${misc:Depends}, adduser, python-pyhsm (= ${binary:Version}), python-argparse, yhsm-tools XB-Python-Version: ${python:Versions} Provides: ${python:Provides} Description: Yubikey Key Storage Module using YubiHSM Decryption backend for a Yubico validation service. Uses the YubiHSM to decrypt YubiKey OTPs and answer 'OK' or 'ERR'. . This package provides the decryption backend for a Yubico validation service. It uses the YubiHSM to decrypt YubiKey OTPs and answer 'OK' or 'ERR'. debian/copyright0000644000000000000000000000275012133246250011123 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: Python-pyhsm Source: http://yubico.github.com/python-pyhsm Files: * Copyright: Copyright (c) 2011-2013 Yubico AB License: BSD-2-clause Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: . 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. . THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. debian/yhsm-validation-server.init0000644000000000000000000001072312133246250014470 0ustar #! /bin/sh ### BEGIN INIT INFO # Provides: yhsm-validation-server # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: YubiHSM validation server # Description: Web server validating passwords, OTPs or OATH codes # using the YubiHSM. ### END INIT INFO # Author: Fredrik Thulin # Do NOT "set -e" # PATH should only include /usr/* if it runs after the mountnfs.sh script PATH=/sbin:/usr/sbin:/bin:/usr/bin DESC="YubiHSM validation server" NAME=yhsm-validation-server DAEMON=/usr/sbin/$NAME PIDFILE=/var/run/$NAME.pid SCRIPTNAME=/etc/init.d/$NAME DAEMON_ARGS="--pid-file $PIDFILE" RUNASUSER="yhsm-valsrv" PROCESS_EXECUTABLE="/usr/bin/python" # Exit if the package is not installed [ -x "$DAEMON" ] || exit 0 # Read configuration variable file if it is present [ -r /etc/default/$NAME ] && . /etc/default/$NAME # Load the VERBOSE setting and other rcS variables . /lib/init/vars.sh # Define LSB log_* functions. # Depend on lsb-base (>= 3.2-14) to ensure that this file is present # and status_of_proc is working. . /lib/lsb/init-functions if [ -r /etc/default/$NAME ]; then case "x$YHSM_VAL_ENABLE" in xtrue|xfalse) ;; *) log_failure_msg "YHSM_VAL_ENABLE must be set to either 'true' or 'false'" exit 1 esac fi # # Function that starts the daemon/service # do_start() { # make the user we run our daemon as able to write the pidfile touch $PIDFILE chown $RUNASUSER $PIDFILE chmod 664 $PIDFILE if [ "x$YHSM_VAL_UNLOCK_PASSPHRASE" != "x" ]; then log_daemon_msg "Unlocking YubiHSM key store" "$NAME" echo "$YHSM_VAL_UNLOCK_PASSPHRASE" | /usr/sbin/yhsm-keystore-unlock --stdin --no-otp --device "$YHSM_VAL_DEVICE" if [ $? -ne 0 ]; then log_failure_msg "Failed unlocking YubiHSM key store" return 2 fi fi # Return # 0 if daemon has been started # 1 if daemon was already running # 2 if daemon could not be started start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $PROCESS_EXECUTABLE --test -c $RUNASUSER > /dev/null \ || return 1 start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -c $RUNASUSER --background -- \ $DAEMON_ARGS \ || return 2 } # # Function that stops the daemon/service # do_stop() { # Return # 0 if daemon has been stopped # 1 if daemon was already stopped # 2 if daemon could not be stopped # other if a failure occurred start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --exec $PROCESS_EXECUTABLE RETVAL="$?" [ "$RETVAL" = 2 ] && return 2 # Many daemons don't delete their pidfiles when they exit. rm -f $PIDFILE return "$RETVAL" } # # Function that sends a SIGHUP to the daemon/service # do_reload() { # # If the daemon can reload its configuration without # restarting (for example, when it is sent a SIGHUP), # then implement that here. # start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME return 0 } case "$1" in start) if [ "x$YHSM_VAL_ENABLE" != "x" ]; then if [ "x$YHSM_VAL_ENABLE" != "xtrue" ]; then [ "$VERBOSE" != no ] && log_daemon_msg "NOT starting $DESC (disabled in /etc/default/$NAME)" exit 0 fi fi [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" do_start case "$?" in 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; esac ;; stop) [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" do_stop case "$?" in 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; esac ;; status) status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? ;; #reload|force-reload) # # If do_reload() is not implemented then leave this commented out # and leave 'force-reload' as an alias for 'restart'. # #log_daemon_msg "Reloading $DESC" "$NAME" #do_reload #log_end_msg $? #;; restart|force-reload) # # If the "reload" option is implemented then remove the # 'force-reload' alias # log_daemon_msg "Restarting $DESC" "$NAME" do_stop case "$?" in 0|1) do_start case "$?" in 0) log_end_msg 0 ;; 1) log_end_msg 1 ;; # Old process is still running *) log_end_msg 1 ;; # Failed to start esac ;; *) # Failed to stop log_end_msg 1 ;; esac ;; *) #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 exit 3 ;; esac : debian/yhsm-yubikey-ksm.init0000644000000000000000000001117512133246250013305 0ustar #! /bin/sh ### BEGIN INIT INFO # Provides: yhsm-yubikey-ksm # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: YubiHSM key storage module # Description: Key storage module for YubiKey OTP validation # using the YubiHSM. ### END INIT INFO # Author: Fredrik Thulin # Do NOT "set -e" # PATH should only include /usr/* if it runs after the mountnfs.sh script PATH=/sbin:/usr/sbin:/bin:/usr/bin DESC="YubiHSM YubiKey KSM" NAME=yhsm-yubikey-ksm DAEMON=/usr/sbin/$NAME PIDFILE=/var/run/$NAME.pid SCRIPTNAME=/etc/init.d/$NAME DAEMON_ARGS="--pid-file $PIDFILE" RUNASUSER="yhsm-ksmsrv" PROCESS_EXECUTABLE="/usr/bin/python" # Exit if the package is not installed [ -x "$DAEMON" ] || exit 0 # Read configuration variable file if it is present [ -r /etc/default/$NAME ] && . /etc/default/$NAME # Load the VERBOSE setting and other rcS variables . /lib/init/vars.sh # Define LSB log_* functions. # Depend on lsb-base (>= 3.2-14) to ensure that this file is present # and status_of_proc is working. . /lib/lsb/init-functions if [ -r /etc/default/$NAME ]; then case "x$YHSM_KSM_ENABLE" in xtrue|xfalse) ;; *) log_failure_msg "YHSM_KSM_ENABLE must be set to either 'true' or 'false'" exit 1 esac if [ "x$YHSM_KSM_ENABLE" = "true" ]; then if [ "x$YHSM_KSM_KEYHANDLES" = "x" ]; then log_failure_msg "YHSM_KSM_KEYHANDLES not specified in /etc/default/$NAME" exit 1 fi fi fi # # Function that starts the daemon/service # do_start() { # make the user we run our daemon as able to write the pidfile touch $PIDFILE chown $RUNASUSER $PIDFILE chmod 664 $PIDFILE if [ "x$YHSM_KSM_UNLOCK_PASSPHRASE" != "x" ]; then log_daemon_msg "Unlocking YubiHSM key store" "$NAME" echo "$YHSM_KSM_UNLOCK_PASSPHRASE" | /usr/sbin/yhsm-keystore-unlock --stdin --no-otp --device "$YHSM_KSM_DEVICE" if [ $? -ne 0 ]; then log_failure_msg "Failed unlocking YubiHSM key store" return 2 fi fi # Return # 0 if daemon has been started # 1 if daemon was already running # 2 if daemon could not be started start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $PROCESS_EXECUTABLE --test -c $RUNASUSER > /dev/null \ || return 1 start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -c $RUNASUSER --background -- \ $DAEMON_ARGS \ || return 2 } # # Function that stops the daemon/service # do_stop() { # Return # 0 if daemon has been stopped # 1 if daemon was already stopped # 2 if daemon could not be stopped # other if a failure occurred start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --exec $PROCESS_EXECUTABLE RETVAL="$?" [ "$RETVAL" = 2 ] && return 2 # Many daemons don't delete their pidfiles when they exit. rm -f $PIDFILE return "$RETVAL" } # # Function that sends a SIGHUP to the daemon/service # do_reload() { # # If the daemon can reload its configuration without # restarting (for example, when it is sent a SIGHUP), # then implement that here. # start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME return 0 } case "$1" in start) if [ "x$YHSM_KSM_ENABLE" != "x" ]; then if [ "x$YHSM_KSM_ENABLE" != "xtrue" ]; then [ "$VERBOSE" != no ] && log_daemon_msg "NOT starting $DESC (disabled in /etc/default/$NAME)" exit 0 fi fi [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" do_start case "$?" in 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; esac ;; stop) [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" do_stop case "$?" in 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; esac ;; status) status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? ;; #reload|force-reload) # # If do_reload() is not implemented then leave this commented out # and leave 'force-reload' as an alias for 'restart'. # #log_daemon_msg "Reloading $DESC" "$NAME" #do_reload #log_end_msg $? #;; restart|force-reload) # # If the "reload" option is implemented then remove the # 'force-reload' alias # log_daemon_msg "Restarting $DESC" "$NAME" do_stop case "$?" in 0|1) do_start case "$?" in 0) log_end_msg 0 ;; 1) log_end_msg 1 ;; # Old process is still running *) log_end_msg 1 ;; # Failed to start esac ;; *) # Failed to stop log_end_msg 1 ;; esac ;; *) #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2 echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 exit 3 ;; esac : debian/yhsm-yubikey-ksm.postinst0000644000000000000000000000165412133246250014226 0ustar #!/bin/sh # # see: dh_installdeb(1) # # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-remove' # * `abort-deconfigure' `in-favour' # `removing' # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package set -e if [ "x$1" = "xconfigure" ]; then adduser --quiet --system --group --home /var/cache/yubikey-ksm --no-create-home --disabled-password --system yhsm-ksmsrv # yhsm-ksmsrv needs to be in the 'dialout' group to access /dev/ttyACM* adduser --quiet yhsm-ksmsrv dialout fi invoke-rc.d yhsm-yubikey-ksm restart #DEBHELPER# debian/source/0000755000000000000000000000000012133246250010464 5ustar debian/source/format0000644000000000000000000000001412133246250011672 0ustar 3.0 (quilt) debian/watch0000644000000000000000000000015112133246250010212 0ustar version=3 http://yubico.github.io/python-pyhsm/releases.html releases/pyhsm-(\d+(\.\d+)*[a-z]?)\.tar\.gz debian/yhsm-yubikey-ksm.install0000644000000000000000000000011612133246250014001 0ustar yubikey-ksm/yhsm-import-keys usr/sbin/ yubikey-ksm/yhsm-yubikey-ksm usr/sbin/ debian/python-pyhsm.examples0000644000000000000000000000001312133246250013375 0ustar examples/*