[Gllug] Does the YubiKey USB security token actually work in Linux?

Robert McKay robert at mckay.com
Fri Jun 24 13:05:24 UTC 2011


On Fri, Jun 24, 2011 at 1:06 PM, general_email at technicalbloke.com <general_email at technicalbloke.com> wrote:

> On 24/06/11 12:22, Robert McKay wrote:
>
> On Fri, Jun 24, 2011 at 10:25 AM, Richard W.M. Jones <rich at annexia.org> wrote:
>
>
>  On Thu, Jun 23, 2011 at 11:54:42PM +0100, Progga wrote:
>
>  the manufacturer Yubico is claiming [4] that "The YubiKeys are also used
> by Fedora’s core team members for securing access to high security
> hosts.".  Now my question is, does any one have any experience with
> these on a Linux machine?
>
>  Yes.  I can access my Fedora account using a Yubikey, from any machine
> (Linux or otherwise) that has a USB port.
>
> It doesn't require "Linux support" as such.  The Yubikey acts as a USB
> keyboard and sends key strokes for the OTP when you press the button.
>
>
>  Isn't it rather inconvenient having to connect it to a usb port every time
> you want to log in? Do you have to disconnect the existing keyboard as well?
> Or do all keyboards just automatically get used at once?
>
> Rob
>
>
>
> They all work together so there's no need to disconnect anything, unless
> you're out of ports. I leave 2 of these (permanently connected to my monitor
> with USB extension leads) in static password mode for my main machine and
> backup machine so I never have to type my 32 character admin passwords.
> Obviously that's not that good an idea in an office environment but if
> physical security isn't an issue it's a huge timesaver. Also, naturally, the
> static password mode leaves you vulnerable to keylogging but that's what the
> OTP mode is for.
>

Hmm.. how does this actually work then? It seems like possibly it requires
you to hand over authentication of your servers to yubikey.. like.. you
install a pam module that will do a web service request to

http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s

in order to verify the one time password? That doesn't seem great.. I guess
maybe you can run your own web service as well?

Rob
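As an added illustration (not code from this thread, nor Yubico's own PAM module) of what the client side of that verification looks like: split the typed OTP into its public ID and encrypted part, build the verify request against the URL quoted above, and then check the reply before trusting it. It assumes the Yubico validation protocol 2.0 reply format (key=value lines, signed with HMAC-SHA1 over the alphabetically sorted fields using the client's shared API key); the client id, API key and OTP used in testing are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse

MODHEX = "cbdefghijklnrtuv"   # YubiKey's layout-independent "modhex" alphabet
API_URL = "http://api.yubico.com/wsapi/2.0/verify"  # URL quoted in the thread

def parse_otp(otp):
    """Split a 44-char YubiKey OTP into its public ID and encrypted part."""
    otp = otp.strip().lower()
    if len(otp) != 44 or any(c not in MODHEX for c in otp):
        raise ValueError("not a YubiKey OTP")
    return otp[:12], otp[12:]          # 12 chars public ID, 32 chars AES blob

def build_verify_request(client_id, otp, nonce=None):
    """Build the verify URL; the nonce lets us tie the reply to this request."""
    nonce = nonce or secrets.token_hex(16)
    query = urllib.parse.urlencode({"id": client_id, "otp": otp, "nonce": nonce})
    return f"{API_URL}?{query}", nonce

def parse_response(body):
    """The server answers with key=value lines (t, otp, nonce, sl, status, h)."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields

def response_signature(fields, api_key_b64):
    """h = base64(HMAC-SHA1(api_key, 'k1=v1&k2=v2...' sorted by key, h excluded))."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()

def verify_response(body, otp_sent, nonce_sent, api_key_b64):
    """Accept only a reply that is for our OTP and nonce, signed, and status OK."""
    fields = parse_response(body)
    if fields.get("otp") != otp_sent or fields.get("nonce") != nonce_sent:
        return False, "reply does not match our request"
    expected = response_signature(fields, api_key_b64)
    if not hmac.compare_digest(fields.get("h", ""), expected):
        return False, "bad signature"          # tampered or spoofed reply
    if fields.get("status") != "OK":
        return False, fields.get("status", "NO_STATUS")  # e.g. REPLAYED_OTP
    return True, "OK"
```

The same reply checks apply unchanged if API_URL points at a validation server you host yourself rather than Yubico's; without the signature and nonce checks, anything that can answer that HTTP request can log you in.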
--
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug