libapache2-mod-authn-yubikey for Debian
---------------------------------------
################################
# Typical apache configuration #
################################
AuthType Basic
AuthBasicProvider yubikey
AuthName "Please Log In using your YubiKey"
AuthYubiKeyTimeout 30
AuthYubiKeyTmpFile /etc/apache2/yubiDbTmp
AuthYubiKeyUserFile /etc/apache2/yubiDb
AuthYubiKeyExternalErrorPage Off
Require valid-user
##############################
# Add a user to the database #
##############################
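$ htpasswd -csb /etc/apache2/yubiDb token_id user:passwd
Note: -c creates the file and overwrites an existing one, so omit it when adding
further users. -b takes the password from the command line, where it is visible
in the shell history and the process list.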
#####################################################################
# mod_authn_yubikey provides the following configuration directives #
#####################################################################
AuthYubiKeyTimeout (Default 43200 seconds [12h])
AuthYubiKeyTmpFile (Default conf/ykTmpDb)
AuthYubiKeyUserFile (Default conf/ykUserDb)
AuthYubiKeyRequireSecure (Default On)
AuthYubiKeyExternalErrorPage (Default Off)
* AuthYubiKeyTimeout
The AuthYubiKeyTimeout directive specifies an absolute timeout, counted from the
user's last login. If the timeout is set to 120 seconds, the user has to log in
again after 120 seconds of using the page. This is a hard timeout which is not
renewed while the user is working with the page. The default value is
43200 seconds (12h).
* AuthYubiKeyTmpFile
The AuthYubiKeyTmpFile directive specifies the temporary file which is used to
store authenticated users. If a user successfully authenticates, the
authentication time is stored within this file. It is used to determine when the
user logged in last.
The default value is $SERVER_ROOT/conf/ykTmpDb
Remember, if you specify the location of the file yourself and place it in /tmp
on UNIX systems, possibly everyone can view that file.
* AuthYubiKeyUserFile
The AuthYubiKeyUserFile directive specifies the file which holds the
tokenid/username mapping. Users must be present in this file with their YubiKey
id to access the site protected by mod_authn_yubikey.
The default value is $SERVER_ROOT/conf/ykUserDb
* AuthYubiKeyRequireSecure
The AuthYubiKeyRequireSecure directive makes sure that users reach your
selected target over https. This is especially useful if you are authenticating
users with two factors (password AND YubiKey), since the password and the token
itself are only Base64 encoded, not encrypted, when they are sent back to the
server authenticating the user.
The default value is On (secure connection required)
* AuthYubiKeyExternalErrorPage
The AuthYubiKeyExternalErrorPage directive lets you specify an error page
different from the built-in error page, so that you are able to design your own.
By using the ErrorDocument directive within your configuration you can even
redirect the user to a site not residing on your machine.
The default value is Off (built in error page used)
-- Alexandre De Dommelin Thu, 10 Feb 2011 20:10:21 +0000
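Added example, not from the original README or the module's code: a shell check
for the settings described above. It flags an explicit AuthYubiKeyRequireSecure
Off and a TmpFile or UserFile that every local user can reach. The function
names and the demo configuration are constructed for illustration; only the
directive names come from this page.

```shell
#!/bin/sh
# Added example, not part of the package: audit the directives described above.

# Print the last value set for directive $2 in config file $1, quotes stripped.
# Assumption: paths contain no spaces. Directive names are case-insensitive.
directive_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 }
                   END { gsub(/"/, "", v); print v }' "$1"
}

# Succeed when $1 has a read or write permission bit set for "other".
other_can_access() {
    [ -n "$(find "$1" -prune \( -perm -004 -o -perm -002 \) 2>/dev/null)" ]
}

# Print one finding per line for config file $1; print nothing when it is clean.
audit_yubikey_conf() {
    conf=$1
    # RequireSecure defaults to On, so only an explicit Off is a finding.
    case $(directive_value "$conf" AuthYubiKeyRequireSecure) in
        [Oo][Ff][Ff]) echo "AuthYubiKeyRequireSecure: Off, credentials cross plain HTTP" ;;
    esac
    for d in AuthYubiKeyTmpFile AuthYubiKeyUserFile; do
        f=$(directive_value "$conf" "$d")
        [ -n "$f" ] || continue      # unset: the module default applies
        # The /tmp case from the text: a directory any local user can write to.
        if [ -n "$(find "$(dirname "$f")" -prune -perm -002 2>/dev/null)" ]; then
            echo "$d: $f is in a world-writable directory"
        fi
        if [ -e "$f" ] && other_can_access "$f"; then
            echo "$d: $f is readable or writable by every local user"
        fi
    done
}

# Constructed demo: a throwaway config with RequireSecure Off and a 644 TmpFile.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/ykTmpDb";  chmod 644 "$dir/ykTmpDb"
    : > "$dir/ykUserDb"; chmod 640 "$dir/ykUserDb"
    printf '%s\n' 'AuthYubiKeyRequireSecure Off' \
        "AuthYubiKeyTmpFile $dir/ykTmpDb" "AuthYubiKeyUserFile $dir/ykUserDb" > "$dir/site.conf"
    audit_yubikey_conf "$dir/site.conf"
    rm -rf "$dir"
}
demo
```

Run audit_yubikey_conf against the file that holds the AuthYubiKey* directives;
no output means none of the three conditions was found.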