File: sphinx.cfg_sample

pwdsphinx 2.0.3-1
# The [client] section is only needed if you use the client functionality.
[client]
# Whether to produce some output on the console.
#verbose = False

# The directory where the client stores its master secret. You might want to
# back this up.
# NOTE(review): because it holds the master secret, this directory (and any
# backup of it) presumably should be readable only by its owner - confirm
# against the client documentation.
#datadir = ~/.config/sphinx

# Whether the master password is also used for authentication (optional).
# If this is False, it protects against offline brute-force attacks on the
# master password. The drawback is that, for known (host, username) tuples,
# the seeds/blobs can be changed or deleted by an attacker who knows the
# client masterkey.
#rwd_keys=False

# Stores a 5-bit check digit in the rule blob. This helps to notice most
# typos in the master password, while decreasing security slightly.
# NOTE(review): presumably the decrease comes from the check bits revealing
# a little information about the master password - confirm.
#validate_password=True

# userlist enables the maintenance of an encrypted blob of all records
# belonging to the same sphinx user (defined by their masterkey) and
# hostname. This enables the `list` command of the client.
# If you disable this, you have to remember your usernames in other ways.
#userlist=True

# If you still have v1 passwords on the server, they get automatically
# upgraded to v2 records. If you don't have any clients that can only do v1,
# it is safe and nice to delete the old v1 passwords automatically. If you
# use, for example, the androsphinx Android client, which only supports v1,
# you don't want to delete the v1 records. Default is false.
# delete_upgraded = false

# The threshold. You must specify at least this many servers in the
# [servers] section.
# threshold = 3

# Address and port of a v1 server, if you still need to consult one.
# address = "127.0.0.1"
# port = 2355

# The servers used by the client.
[servers]
# You need at least one server. The name is freely chosen (in this case it is
# "first"), but it should not change afterwards, unless you want to lose
# access to your existing passwords.
[servers.first]
# The IP address of the server.
address="127.0.0.1"
# The port where the server is running; 443 is nice for punching through
# firewalls.
port=443
# The long-term signature key of the server (its public key). The value
# below is a placeholder, not a real key.
# NOTE(review): presumably the client relies on this key to recognise the
# genuine server, so obtain it over a channel you trust - confirm.
ltsigkey="32byteBase64EncodedValue=="
# Alternatively, if you want to store the raw binary public key in a file:
# ltsigkey_path = "path/to/ltsigkey.pub"

# In case you want to use a threshold version of SPHINX, you need at least 3
# servers (and the threshold is then 2).
# NOTE(review): "2nd.pub" and "3rd.pub" below look like file names, while the
# [servers.first] comments describe ltsigkey as a base64 value and
# ltsigkey_path as the key for a file - confirm which key these examples
# should use.
#[servers.2nd]
#address="127.0.0.1"
#port=2355
#ltsigkey="2nd.pub"
#
#[servers.3rd]
#address="127.0.0.1"
#port=5523
#ltsigkey="3rd.pub"

# The [server] section is only needed if you run the oracle yourself.
[server]
# The IPv4 address the server is listening on.
#address="127.0.0.1"

# The port on which the server is listening. Use 443 if available, so that
# the oracle can be accessed from behind tight firewalls.
#port=2355

# SSL key - there is no default, so this must be specified.
# NOTE(review): presumably the private key belonging to ssl_cert; if so, keep
# the file readable only by the account running the oracle - confirm.
ssl_key="key.pem"

# SSL certificate - there is no default, so this must be specified.
ssl_cert="cert.pem"

# TCP connection timeout. Increase it if you have bad networks, with the
# caveat that a larger value makes resource exhaustion easier: slow
# connections can block all workers.
#timeout=3

# How many worker processes can run in parallel.
# max_kids=5

# The root directory where all data is stored.
#datadir= "/var/lib/sphinx"

# Whether to produce some output on the console.
#verbose=false

# Decay the rate limit after rl_decay seconds.
#rl_decay= 1800

# Increase the hardness after rl_threshold attempts if not decaying.
#rl_threshold= 1

# When checking the freshness of a puzzle solution, allow this extra grace
# time in addition to the maximum solution time for the hardness.
# NOTE(review): presumably in seconds, like rl_decay - confirm.
#rl_gracetime=10

# A path pointing at a long-term signing key. If this file doesn't exist, you
# can generate it by running `oracle init`. That also generates a public key,
# which all your clients need to put in their ltsigkey configuration
# variable.
# Note that here ltsigkey is a file path, whereas in the [servers.*] sections
# of this sample it holds a base64-encoded key value.
# Only the generated public key is meant for clients; this signing key stays
# on the server.
# NOTE(review): presumably the file should be readable only by the account
# running the oracle - confirm.
ltsigkey="ltsig.key"

# The [websphinx] section is only needed if you use the browser
# webextensions.
[websphinx]
# The path of your pinentry program.
# NOTE(review): this value is unquoted, unlike the other string values in
# this sample - confirm that the parser accepts it as written.
pinentry=/usr/bin/pinentry

# A file where websphinx logs. This is only for dev/debug purposes.
# NOTE(review): the sample leaves the value empty, which presumably disables
# logging - confirm. Check what the log records before enabling it outside a
# development setup.
log=

# In case you use webauthn, we need to store mappings between webauthn user
# ids and webauthn public keys. It's lame, but there is no way around it.
# Back up this directory and sync it to other hosts where you want to use the
# webextension with the same webauthn accounts.
webauthn_data_dir = "path/to/webauthn/data/dir"