Yubikeys are now supported

Maxim Burgerhout maxim at wzzrd.com
Fri Oct 8 09:47:43 UTC 2010


I am the maintainer for ykpers and libyubikey for Fedora. It's great
to see Fedora starting to use these nifty devices!

If there is anything I can do to help out and make the use of
Yubikey's in the Fedora project into a success, just holler. It might
be interesting to add a README.Fedora to the ykpers package explaining
how to configure it for both Fedora and Yubico's servers like on the
page Toshio linked to. I'll look into that later.

One question I don't think has been asked before:

Can we eventually make FAS' (beta) OpenID provider functionality work
with this? If so, there will be little use for uploading an AES key to
Yubico. Because when I use my Yubikeys to authenticate myself, I most
often do this through OpenID and there is at least one free OpenID
provider with support for Yubikeys (clavid.com). This OpenID provider
authenticates me against Yubico's servers. If we can have an OpenID
provider service in FAS that authenticates against the AES keys in
Fedora's database, I wouldn't need other providers like Clavid or even
Yubico's own servers anymore.

There would be no more need to use the same AES key for multiple
services *and* it would only require one AES key for OTP on my
Yubikey, leaving the second slot for a strong static password for e.g.
LUKS disk encryption.

But I'm not very well informed about the architecture of FAS, so maybe
this is incredibly difficult or dangerous...

Maxim Burgerhout
maxim at wzzrd.com
GPG Fingerprint
EB11 5E56 E648 9D99 E8EF 05FB C513 6FD4 1302 B48A

On Fri, Oct 8, 2010 at 08:03, Toshio Kuratomi <a.badger at gmail.com> wrote:
> On Fri, Oct 08, 2010 at 12:07:34AM -0400, Matthew Miller wrote:
>> On Thu, Oct 07, 2010 at 11:30:43PM -0400, Toshio Kuratomi wrote:
>> > The newer yubikey hardware has provision for two AES keys but I'm not sure
>> > how that works and whether it actually allows you to use separate keys with
>> > separate servers.  Someone will need to look into this.
>> Yes, separate keys -- basically two separate configurations in one device.
> After a bit of trial and error, I got this working.  I now have my
> yubikey-v2 to send a otp that's associated with fas if I hold the contact
> for  0.3 – 1.5 seconds and a otp that's registered with yubico's servers if
> I press for 2.5 – 5 seconds.  The sparsity of introductory docs on
> ykpersonalize made this harder than it should have been.  I pieced together
> the necessary information from this page:
> http://www.teaparty.net/technotes/yubikey.html
> and the official upload instructions linked from here:
> http://www.yubico.com/developers/aeskeys/
> and the user's manual
> http://yubico.com/files/YubiKey_manual-2.0.pdf
> Writing the second key slot was kinda like this:
> sudo ykpersonalize -2 -o fixed=vvXXXXXXXX  -a KEY
> -o -static-ticket -o -strong-pw1 -o -strong-pw2
> -o -man-update -o -append-cr -ouid=YYYYY
> Figuring out XXXX,KEY, and YYY were what I needed to read those documents
> for.
> -Toshio
> _______________________________________________
> infrastructure mailing list
> infrastructure at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/infrastructure

More information about the infrastructure mailing list