Yubikeys are now supported
Mike McGrath
mmcgrath at redhat.com
Fri Oct 8 02:36:44 UTC 2010
On Thu, 7 Oct 2010, Paul Wouters wrote:
> On Thu, 7 Oct 2010, Mike McGrath wrote:
>
> >>> We also decided to allow yubikeys as an authentication option for the
> >>> larger community to some hosts and services like fedorapeople.org or
> >>> https://admin.fedoraproject.org/community/. When asked for a password,
> >>> just use your yubikey to generate a otp instead. Those wishing to use one
> >>> may purchase a yubikey on their own at:
>
> > I suspect it'd be worth it to see if we could get one for Fedora.
>
> I have one and I've played with it in fedora. There is however an important
> catch. The server and the yubikey share the same AES symmetric key. This means
> that if the yubikey is used for multiple sites by one user, that user is sharing
> is his "private key" over various external sites.
>
> So if fedoraproject would accept it, and the same user uses this yubikey for
> another site, and that other site gets hacked, then fedoraproject could be
> hacked as well.
>
> I guess in a way it is like using the same password, but people might not be
> thinking of that when they have a "device" on them that they use.
>
My understanding on this is, and I reserve the right to misunderstand
this, is that once the AES key is on the yubikey, there is no way to get
it off of there. That key is just used to generate OTP's. So if an
attacker were to get an OTP they could use it to access fedora resources.
But only once (which is kind of the point of the otp). And they'd only be
able to use it once if the real user hadn't used it again making the
attack window smaller.
If you think I am wrong here please do join #fedora-admin on
irc.freenode.net and help walk me through an attack. We have staging and
development servers setup for such a purpose.
-Mike
More information about the devel
mailing list