[Gllug] Does the YubiKey USB security token actually work in Linux?

Progga proggaprogga at gmail.com
Sat Jun 25 00:34:36 UTC 2011


On Fri, Jun 24, 2011 at 02:05:24PM +0100, Robert McKay wrote:
> 
> Hmm.. how does this actually work then? It seems like possibly it requires
> you to hand over authentication of your servers to yubikey.. like.. you
> install a pam module that will do a web service request to

There is indeed a PAM module [0, 1] for YubiKey.

I did some more googling and found the following:
    - There is an open protocol for two-factor authentication [2].  It is
      called OATH [3].  OATH uses the HOTP (HMAC-based One Time Password)
      algorithm [4].  HOTP has an RFC [5].
    - OATH/HOTP is enjoying good adoption.  YubiKey also supports it [6].
    - There is an Open Source server [7] written in Python that supports both
      YubiKey's own protocol and OATH.
    - There is even an Apache module [8] for using
      OATH-based OTP (One Time Password) for HTTP authentication.
    - The Apache module project provides some excellent explanation [9, 10] of
      how this OATH/HOTP thing works.
    - Verisign has started a whole business [11] around providing an
      authentication server for OATH-based OTP devices.  The
      idea is, company Qux pays Verisign and then people can log in to company
      Qux's website using an OATH-based device.  Paypal and Ebay apparently
      have bought into it.  Of course you have to buy your device from Verisign
      partners :-)  Yubico seems to be a partner too [12].
    - Amazon Web Services also supports OATH-based OTP [13].  Not sure who
      provides their authentication service.
    - There are some software-based OTP generators that also use OATH [4].
      Some of these even run on mobile phone platforms like iPhone, Android,
      J2ME, etc.  If you have one of these, you don't need a YubiKey or a similar
      OTP device.
    - Yubico has some really nice videos about the usage of the YubiKey [14].
    - It looks to me (I could be wrong here) that if you want to log in to
      ten different services that use ten different authentication servers,
      you will need to carry around ten different OTP devices :-(

[0] http://www.yubico.com/web-api-clients (Scroll down to the "Yubico PAM module" section)
[1] https://github.com/Yubico/yubico-pam
[2] http://en.wikipedia.org/wiki/Two_factor_authentication
[3] http://en.wikipedia.org/wiki/Initiative_For_Open_Authentication
[4] http://en.wikipedia.org/wiki/HOTP
[5] http://www.ietf.org/rfc/rfc4226.txt
[6] http://www.yubico.com/oath-yubikey
[7] http://code.google.com/p/yubico-yubiserve/
[8] http://code.google.com/p/mod-authn-otp/
[9] http://code.google.com/p/mod-authn-otp/wiki/OneTimePasswords
[10] http://code.google.com/p/mod-authn-otp/wiki/Tokens
[11] http://www.verisign.com/authentication/two-factor-authentication/index.html
[12] http://www.yubico.com/vip
[13] http://aws.amazon.com/mfa/
[14] http://vimeo.com/yubikey/videos


--
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug