
Re: Yubikeys are now supported

From:  Mike McGrath <mmcgrath-AT-redhat.com>
To:  Development discussions related to Fedora <devel-AT-lists.fedoraproject.org>
Subject:  Re: Yubikeys are now supported
Date:  Thu, 7 Oct 2010 22:16:43 -0500 (CDT)
Message-ID:  <alpine.LFD.2.00.1010072212220.9476@laptop1.mmcgrath.net>
Cc:  infrastructure-AT-lists.fedoraproject.org
Archive-link:  Article

On Thu, 7 Oct 2010, Ricky Zhou wrote:

> On 2010-10-07 07:25:47 PM, Mike McLean wrote:
> > On Thu, Oct 7, 2010 at 5:51 PM, Paul Wouters <paul@xelerance.com> wrote:
> > > I have one and I've played with it in fedora. There is however an important
> > > catch. The server and the yubikey share the same AES symmetric key. This means
> > > that if the yubikey is used for multiple sites by one user, that user is sharing
> > > his "private key" over various external sites.
> > >
> > > So if fedoraproject would accept it, and the same user uses this yubikey for
> > > another site, and that other site gets hacked, then fedoraproject could be
> > > hacked as well.
> > >
> > > I guess in a way it is like using the same password, but people might not be
> > > thinking of that when they have a "device" on them that they use.
> >
> > Wow, that's a serious weakness. Are we sure about this?
> In order for this to happen, the user would have to explicitly take down
> the generated AES key while it is being written to the key and then
> submit it to the other site.  I don't think this is really something we
> need to worry about.
>

I had this attack in mind when I designed the burn script.  The key never
touches the drive during the burning process so the attack window here,
while real, is very tiny.  Certainly safer than typing your username and
password everywhere all the time :)

	-Mike
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel





Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds