Yubikeys are now supported

[Toshio Kuratomi]

On Thu, Oct 07, 2010 at 08:54:12PM -0400, Paul Wouters wrote:
> 
> I have one and I've played with it in fedora. There is however an important
> catch. The server and the yubikey share the same AES symmetric key. This means
> that if the yubikey is used for multiple sites by one user, that user is
> sharing is his "private key" over various external sites.
>
> So if fedoraproject would accept it, and the same user uses this yubikey for
> another site, and that other site gets hacked, then fedoraproject could be
> hacked as well.
>
> I guess in a way it is like using the same password, but people might not be
> thinking of that when they have a "device" on them that they use.
>

[..]

> 
> http://www.yubico.com/files/Security_Evaluation_2009-09-09.pdf
> 
> Section 5.2.
> 
So I see what you're saying but I think some people are misinterpreting it.

The one time passwords generated by the yubikey can safely be used with
multiple services.  The thing that is unsafe is using the same AES key with
multiple ykksm's.  Yubico runs a ykksm for people to use with some third
party websites that support yubikeys.  The fedoraproject provides its own
ykksm server.  If you use the same AES key with both of these then if one of
the servers is compromised, both are compromised.  If you only use your key
with one of the ykksm's then you can safely use your otps on other sites and
there will be no negative ramifications (other than not being able to
authenticate).

The newer yubikey hardware has provision for two AES keys but I'm not sure
how that works and whether it actually allows you to use separate keys with
separate servers.  Someone will need to look into this.

-Toshio
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20101007/fe551d98/attachment.bin