#
#  This module decrypts and validates Yubikey static and dynamic
#  OTP tokens.
#
yubikey {
	#
	#  The length (number of ASCII bytes) of the Public-ID portion
	#  of the OTP string.
	#
	#  Yubikey defaults to a 6 byte ID (2 * 6 = 12)
#	id_length = 12

	#
	#  If true, the authorize method of rlm_yubikey will attempt to split the
	#  value of User-Password, into the user's password, and the OTP token.
	#
	#  If enabled and successful, the value of &request:User-Password will be
	#  truncated and &request:Yubikey-OTP will be added.
	#
#	split = yes

	#
	#  Decrypt mode - Tokens will be decrypted and processed locally
	#
	#  The module itself does not provide persistent storage as this
	#  would be duplicative of functionality already in the server.
	#
	#  Yubikey authentication needs two attributes retrieved from
	#  persistent storage:
	#    * &control:Yubikey-Key        - The AES key used to decrypt the OTP data.
	#                                    The Yubikey-Public-Id and/or User-Name
	#                                    attributes may be used to retrieve the key.
	#    * &control:Yubikey-Counter    - This is compared with the counter in the OTP
	#                                    data and used to prevent replay attacks.
	#                                    This attribute will also be available in
	#                                    the request list after successful
	#                                    decryption.
	#
	#  Yubikey-Counter isn't strictly required, but the server will
	#  generate warnings if it's not present when yubikey.authenticate
	#  is called.
	#
	#  These attributes are available after authorization:
	#    * &request:Yubikey-Public-ID  - The public portion of the OTP string.
	#  and additionally if 'split' is set:
	#    * &request:Yubikey-OTP        - The OTP portion of User-Password.
	#
	#  These attributes are available after authentication (if successful):
	#    * &request:Yubikey-Private-ID - The encrypted ID included in OTP data,
	#                                    must be verified if tokens share keys.
	#    * &request:Yubikey-Counter    - The last counter value (should be recorded).
	#    * &request:Yubikey-Timestamp  - Token's internal clock (mainly useful for
	#                                    debugging).
	#    * &request:Yubikey-Random     - Randomly generated value from the token.
	#
	decrypt = no

	#
	#  Validation mode - Tokens will be validated against a Yubicloud server
	#
	validate = no

	#
	#  Settings for validation mode.
	#
	validation {
		#
		#  URL of validation server, multiple URL config items may be used
		#  to list multiple servers.
		#
		# - %d is a placeholder for public ID of the token
		# - %s is a placeholder for the token string itself
		#
		#  If no URLs are listed, will default to the default URLs in the
		#  ykclient library, which point to the yubico validation servers.
		servers {
#			uri = 'https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
#			uri = 'https://api2.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
		}

		#
		#  API Client ID
		#
		#  Must be set to your client id for the validation server.
		#
#		client_id = 00000

		#
		#  API Secret key (Base64 encoded)
		#
		#  Must be set to your API key for the validation server.
		#
#		api_key = '000000000000000000000000'

		#
		#  Connection pool parameters
		#
		pool {
			#  Connections to create during module instantiation.
			#  If the server cannot create specified number of
			#  connections during instantiation it will exit.
			#  Set to 0 to allow the server to start without the
			#  yubikey server being available.
			start = ${thread[pool].start_servers}

			#  Minimum number of connections to keep open
			min = ${thread[pool].min_spare_servers}

			#  Maximum number of connections
			#
			#  If these connections are all in use and a new one
			#  is requested, the request will NOT get a connection.
			#
			#  Setting 'max' to LESS than the number of threads means
			#  that some threads may starve, and you will see errors
			#  like 'No connections available and at max connection limit'
			#
			#  Setting 'max' to MORE than the number of threads means
			#  that there are more connections than necessary.
			max = ${thread[pool].max_servers}

			#  Number of uses before the connection is closed
			#
			#  NOTE: A setting of 0 means infinite (no limit).
			uses = 0

			#  The number of seconds to wait after the server tries
			#  to open a connection, and fails.  During this time,
			#  no new connections will be opened.
			retry_delay = 30

			#  The lifetime (in seconds) of the connection
			#
			#  NOTE: A setting of 0 means infinite (no limit).
			lifetime = 0

			#  The idle timeout (in seconds).  A connection which is
			#  unused for this length of time will be closed.
			#
			#  NOTE: A setting of 0 means infinite (no timeout).
			idle_timeout = 60

			#  Cycle over all connections in a pool instead of concentrating
			#  connection use on a few connections.
			spread = yes

			#  NOTE: All configuration settings are enforced.  If a
			#  connection is closed because of "idle_timeout",
			#  "uses", or "lifetime", then the total number of
			#  connections MAY fall below "min".  When that
			#  happens, it will open a new connection.  It will
			#  also log a WARNING message.
			#
			#  The solution is to either lower the "min" connections,
			#  or increase lifetime/idle_timeout.
		}
	}
}
