Yubikeys are now supported

[Mike McGrath]

On Fri, 8 Oct 2010, Maxim Burgerhout wrote:

> Hi,
>
> I am the maintainer for ykpers and libyubikey for Fedora. It's great
> to see Fedora starting to use these nifty devices!
>
> If there is anything I can do to help out and make the use of
> Yubikey's in the Fedora project into a success, just holler. It might
> be interesting to add a README.Fedora to the ykpers package explaining
> how to configure it for both Fedora and Yubico's servers like on the
> page Toshio linked to. I'll look into that later.
>
> One question I don't think has been asked before:
>
> Can we eventually make FAS' (beta) OpenID provider functionality work
> with this? If so, there will be little use for uploading an AES key to
> Yubico. Because when I use my Yubikeys to authenticate myself, I most
> often do this through OpenID and there is at least one free OpenID
> provider with support for Yubikeys (clavid.com). This OpenID provider
> authenticates me against Yubico's servers. If we can have an OpenID
> provider service in FAS that authenticates against the AES keys in
> Fedora's database, I wouldn't need other providers like Clavid or even
> Yubico's own servers anymore.
>

Actually the only thing blocking the OpenID functionality is that we never
got it fully working, it still fails on some sites.  If anyone out there
knows openid and python, please let us know.

> There would be no more need to use the same AES key for multiple
> services *and* it would only require one AES key for OTP on my
> Yubikey, leaving the second slot for a strong static password for e.g.
> LUKS disk encryption.
>

The attack Paul is talking about is only possible if people are going out
of their way to bypass the process we have in place.  The key generation
is done on the server and sent to the client, that transaction is
transient and not stored on disk.  Any multiple service authentication all
goes through the single yubikey server.


	-Mike