Yubikeys are now supported
Ricky Zhou
ricky at fedoraproject.org
Fri Oct 8 02:46:51 UTC 2010
On 2010-10-07 07:25:47 PM, Mike McLean wrote:
> On Thu, Oct 7, 2010 at 5:51 PM, Paul Wouters <paul at xelerance.com> wrote:
> > I have one and I've played with it in fedora. There is however an important
> > catch. The server and the yubikey share the same AES symmetric key. This means
> > that if the yubikey is used for multiple sites by one user, that user is sharing
> > is his "private key" over various external sites.
> >
> > So if fedoraproject would accept it, and the same user uses this yubikey for
> > another site, and that other site gets hacked, then fedoraproject could be
> > hacked as well.
> >
> > I guess in a way it is like using the same password, but people might not be
> > thinking of that when they have a "device" on them that they use.
>
> Wow, that's a serious weakness. Are we sure about this?
In order for this to happen, the user would have to explicitly take down
the generated AES key while it is being written to the key and then
submit it to the other site. I don't think this is really something we
need to worry about.
Thanks,
Ricky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20101007/cd05256f/attachment.bin
More information about the infrastructure
mailing list