
GitLab 10.0 Released

GitLab 10.0 Released

Posted Sep 24, 2017 11:13 UTC (Sun) by ms (subscriber, #41272)
In reply to: GitLab 10.0 Released by tialaramex
Parent article: GitLab 10.0 Released

My yubikey I always carry with me and I use it for logging into everything - basic linux login with pam with the yubikey in Challenge-Response mode, and then everything else oath mode. Any site that works with google authenticator or similar will work with yubikey oath - the algorithm is the same (aiui). So github, google, etc etc. This is though the Yubikey Neo 4 - I'm not sure how the U2F products differ.



GitLab 10.0 Released

Posted Sep 24, 2017 13:03 UTC (Sun) by dsommers (subscriber, #55274) [Link] (1 responses)

With U2F, the browser talks directly with the USB token - so neither you nor the site implementing U2F authentication will ever have direct access to the key used to authenticate you. TOTP/HOTP "mode", on the other hand, is based on a shared key between user and server, which is easily accessible, at least when configuring it.

For U2F to function, the browser needs to support it. Google Chrome/Chromium supports it out-of-the-box, while with Firefox this add-on[1] works most of the time (not with Atlassian's login for some reason).

[1] https://addons.mozilla.org/en-GB/firefox/addon/u2f-suppor...

More details on U2F can be found here:
https://developers.yubico.com/U2F/

Firefox and U2F support

Posted Sep 24, 2017 16:13 UTC (Sun) by iarenaza (subscriber, #4812) [Link]

Firefox nightly already has beta support for FIDO U2F and AFAIK, the intention is to ship stable support in FF 57. If you want to keep an eye on this, follow https://bugzilla.mozilla.org/show_bug.cgi?id=1065729

GitLab 10.0 Released

Posted Sep 25, 2017 11:16 UTC (Mon) by nix (subscriber, #2304) [Link]

> My yubikey I always carry with me and I use it for logging into everything - basic linux login with pam with the yubikey in Challenge-Response mode, and then everything else oath mode.

Likewise, only I have extra rules:

- two yubikeys, in case I lose one: one at home, hidden, the other on my keyring. The one on my keyring is obviously equivalent to physical access to my house, so I can do things like log in to home servers as root with it. Spare key in wallet not on keyring because if your keyring is plugged into a USB port you might well leave it behind by mistake

- authentication to home systems via OTP, communicating with a home-run yubiserver (it's not that I don't trust the yubicloud, it's just that if my net connection goes down I still want to be able to log in.)

- authentication to systems I run that are *not* home systems via HMAC-SHA1 challenge-response mode, as you do for everything: the benefit of this is principally that you don't need a connection to the auth server; the downside is that it dumps the next expected response in local storage: not to be done where $HOME is on NFS, at least not storing the response in the default place

- other authentication (disk decryption, etc) mostly via challenges to the HMAC-SHA1.

- plus a bit of U2F here and there (very rare in my usage).

I have never managed to get PGP token storage or PIV SSH key storage working. They all break for good the first time you use the key for anything else, and I use it for a *lot*.
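nix's description of HMAC-SHA1 challenge-response mode is easy to misread without seeing the host-side state machine: the host keeps a challenge and the response it expects, and after each successful login it rolls to a fresh challenge, which is exactly why "the next expected response" ends up on local disk. The following is an added simulation, not Yubico's pam module or anything from the commenter: the token is stood in for by an HMAC-SHA1 keyed with a constructed secret, and the file handling shows the mitigation nix alludes to (state kept root-readable outside `$HOME`, written atomically). The `SimulatedHmacSha1Slot`, `ReplayingToken` and state-file layout are assumptions for the example.

```python
import hashlib
import hmac
import json
import os
import tempfile


class SimulatedHmacSha1Slot:
    """Stand-in for the token's HMAC-SHA1 slot: the secret never leaves this object."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class ReplayingToken:
    """Models an attacker who read the state file and replays the stored response."""

    def __init__(self, canned_response: bytes):
        self._r = canned_response

    def respond(self, challenge: bytes) -> bytes:
        return self._r


def fresh_state(token, rng=os.urandom) -> dict:
    """Ask the (genuine) token for the answer to a new random challenge.
    The hex 'response' field is the secret-equivalent value that lands on disk."""
    challenge = rng(63)
    return {"challenge": challenge.hex(), "response": token.respond(challenge).hex()}


def authenticate(state: dict, token, rng=os.urandom):
    """Host side of one login. Returns (ok, new_state).
    On success the challenge is rotated, so a captured response is single-use."""
    challenge = bytes.fromhex(state["challenge"])
    expected = bytes.fromhex(state["response"])
    if not hmac.compare_digest(token.respond(challenge), expected):
        return False, state
    return True, fresh_state(token, rng)


def save_state(path: str, state: dict) -> None:
    """Write mode 0600 and rename atomically: a crash mid-write must not leave
    a half-rotated file, and the directory should be local and root-owned, not an
    NFS-exported home directory where anyone with server access can read it."""
    d = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=d)
    try:
        os.fchmod(fd, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(state, f)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def load_state(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def demo_replay_is_rejected(token, rng=os.urandom) -> bool:
    """True when a response copied from the old state file no longer works
    after one genuine login rotated the challenge."""
    s0 = fresh_state(token, rng)
    ok, s1 = authenticate(s0, token, rng)
    assert ok
    stolen = ReplayingToken(bytes.fromhex(s0["response"]))
    replay_ok, _ = authenticate(s1, stolen, rng)
    return not replay_ok


if __name__ == "__main__":
    tok = SimulatedHmacSha1Slot(b"constructed-20-byte-secret!!")
    state = fresh_state(tok)
    ok, state = authenticate(state, tok)
    print("genuine token accepted:", ok)
    print("old response replay rejected:", demo_replay_is_rejected(tok))
```

The weak spot is visible in `fresh_state`: whoever can read the file can pass `authenticate` once without the token, which is why the rotation matters and why the file belongs on local disk with tight permissions rather than in a network home directory.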


Copyright © 2025, Eklektix, Inc.