Re: Yubikeys are now supported

From:  Toshio Kuratomi <a.badger-Re5JQEeQqe8AvxtiuMwx3w-AT-public.gmane.org>
To:  Fedora Infrastructure <infrastructure-TuqUDEhatI4ANWPb/1PvSmm0pvjS0E/A-AT-public.gmane.org>
Subject:  Re: Yubikeys are now supported
Date:  Fri, 8 Oct 2010 02:03:47 -0400
Message-ID:  <20101008060347.GB10153@unaka.lan>
Cc:  Development discussions related to Fedora <devel-TuqUDEhatI4ANWPb/1PvSmm0pvjS0E/A-AT-public.gmane.org>

On Fri, Oct 08, 2010 at 12:07:34AM -0400, Matthew Miller wrote:
> On Thu, Oct 07, 2010 at 11:30:43PM -0400, Toshio Kuratomi wrote:
> > The newer yubikey hardware has provision for two AES keys but I'm not sure
> > how that works and whether it actually allows you to use separate keys with
> > separate servers.  Someone will need to look into this.
> 
> Yes, separate keys -- basically two separate configurations in one device.
> 
After a bit of trial and error, I got this working.  I now have my
yubikey-v2 to send an otp that's associated with fas if I hold the contact
for 0.3-1.5 seconds and an otp that's registered with yubico's servers if
I press for 2.5-5 seconds.  The sparsity of introductory docs on
ykpersonalize made this harder than it should have been.  I pieced together
the necessary information from this page:

http://www.teaparty.net/technotes/yubikey.html

and the official upload instructions linked from here:

http://www.yubico.com/developers/aeskeys/

and the user's manual

http://yubico.com/files/YubiKey_manual-2.0.pdf


Writing the second key slot was kinda like this:

sudo ykpersonalize -2 -o fixed=vvXXXXXXXX -a KEY \
    -o -static-ticket -o -strong-pw1 -o -strong-pw2 \
    -o -man-update -o -append-cr -ouid=YYYYY

Figuring out XXXX, KEY, and YYY was what I needed to read those documents
for.

-Toshio
_______________________________________________
infrastructure mailing list
infrastructure-TuqUDEhatI4ANWPb/1PvSmm0pvjS0E/A@public.gmane.org
https://admin.fedoraproject.org/mailman/listinfo/infrastr...
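
The three placeholders in the command above can be generated and sanity-checked before anything is written to the token. This is an added example, not part of the original message: the function names are hypothetical, and it assumes KEY is a 16-byte AES key in hex, YYY a 6-byte uid in hex, and the fixed part a modhex public ID (here "vv" plus 5 random bytes).

```shell
#!/bin/sh
# Added example (not from the original message): produce and check the
# fixed / KEY / uid values. Sizes are assumptions stated in the lead-in.

# N random bytes from the kernel CSPRNG, as lowercase hex
rand_hex() {
    od -An -N "$1" -tx1 /dev/urandom | tr -d ' \n'
}

# hex -> modhex: the YubiKey alphabet cbdefghijklnrtuv stands for 0..f
hex_to_modhex() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr '0123456789abcdef' 'cbdefghijklnrtuv'
}

# succeed only if $1 is exactly $2 hex characters
is_hex_len() {
    [ "${#1}" -eq "$2" ] || return 1
    case "$1" in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# succeed only if $1 is whole modhex bytes, at most 16 bytes (32 characters)
is_modhex_id() {
    [ "${#1}" -gt 0 ] && [ "${#1}" -le 32 ] && [ $(( ${#1} % 2 )) -eq 0 ] || return 1
    case "$1" in *[!bcdefghijklnrtuv]*) return 1 ;; esac
    return 0
}

# print (never execute) the slot-2 command from the message, refusing bad values
slot2_command() {
    fixed=$1 key=$2 uid=$3
    is_modhex_id "$fixed" || { echo "bad fixed part: $fixed" >&2; return 1; }
    is_hex_len "$key" 32 || { echo "AES key must be 32 hex chars" >&2; return 1; }
    is_hex_len "$uid" 12 || { echo "uid must be 12 hex chars" >&2; return 1; }
    printf 'sudo ykpersonalize -2 -o fixed=%s -a %s' "$fixed" "$key"
    printf ' -o -static-ticket -o -strong-pw1 -o -strong-pw2'
    printf ' -o -man-update -o -append-cr -ouid=%s\n' "$uid"
}

# Fresh values for one token; the key and uid are secrets shared only with
# the validation server that will verify this slot's OTPs.
public_id="vv$(hex_to_modhex "$(rand_hex 5)")"
slot2_command "$public_id" "$(rand_hex 16)" "$(rand_hex 6)"
```

The printed command still has to be reviewed and run by hand, and the same key, uid and public ID must be registered with whichever server validates that slot.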
