Yubikeys are now supported
Mike McLean
mikem.rtp at gmail.com
Thu Oct 7 23:25:47 UTC 2010
On Thu, Oct 7, 2010 at 5:51 PM, Paul Wouters <paul at xelerance.com> wrote:
> I have one and I've played with it in fedora. There is however an important
> catch. The server and the yubikey share the same AES symmetric key. This means
> that if the yubikey is used for multiple sites by one user, that user is sharing
> is his "private key" over various external sites.
>
> So if fedoraproject would accept it, and the same user uses this yubikey for
> another site, and that other site gets hacked, then fedoraproject could be
> hacked as well.
>
> I guess in a way it is like using the same password, but people might not be
> thinking of that when they have a "device" on them that they use.
Wow, that's a serious weakness. Are we sure about this?
More information about the infrastructure
mailing list