Yubikeys are now supported
Paul Wouters
paul at xelerance.com
Fri Oct 8 05:06:58 UTC 2010
On Thu, 7 Oct 2010, Mike McGrath wrote:
> My understanding on this is, and I reserve the right to misunderstand
> this, is that once the AES key is on the yubikey, there is no way to get
> it off of there. That key is just used to generate OTP's. So if an
> attacker were to get an OTP they could use it to access fedora resources.
> But only once (which is kind of the point of the otp). And they'd only be
> able to use it once if the real user hadn't used it again making the
> attack window smaller.
That's right. And since fedora is not using the yubikey as an audit trail,
this is fine - anyone with root could obtain anyone AES key and "clone"
a yubikey and login as someone else.
You might only see some people who know how yubikeys work decide on
sticking to one device for multiple services which are not aware they
are sharing the same AES key.
But it is a clear distinction from say ssh public keys, where I can give
everyone my public ssh key without needing to trust the remote party at
all (provided I don't use ssh -A to their servers)
Paul
More information about the devel
mailing list