[Gllug] Does the YubiKey USB security token actually work in Linux?

general_email at technicalbloke.com general_email at technicalbloke.com
Sun Jun 26 02:39:53 UTC 2011


On 25/06/11 10:07, James Courtier-Dutton wrote:
> On 24 June 2011 23:03, general_email at technicalbloke.com
> <general_email at technicalbloke.com> wrote:
>> On 24/06/11 15:18, Richard W.M. Jones wrote:
>>> On Fri, Jun 24, 2011 at 02:05:24PM +0100, Robert McKay wrote:
>>>> Hmm.. how does this actually work then? It seems like possibly it requires
>>>> you to hand over authentication of your servers to yubikey.. like.. you
>>>> install a pam module that will do a web service request to
>>>>
>>>> http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s
>>>>
>>>>
>>>> in order to verify the one time password? That doesn't seem great.. I guess
>>>> maybe you can run your own web service as well?
>>> It definitely does not involve any handing over of authentication to
>>> yubico, otherwise Fedora would not have gone for this.
>>>
>>> Rich.
>>>
>>
>> Actually it's both, if you leave them as they ship from the factory you
>> are able to use yubico's public authentication server and spare yourself
>> the burden of setting up your own validation server. You can write new
>> keys to them if you want to use them with your own validation server,
>> it's a v.cool system.
>>
>> Roger
> Has anyone done vulnerability analysis on the yubico?
> For example, how easy is it to duplicate a key?
> That being the method that recently highlighted problems with RSA
> security key fobs
> --
> Gllug mailing list  -  Gllug at gllug.org.uk
> http://lists.gllug.org.uk/mailman/listinfo/gllug
>


Bits and bobs. Didier Stevens has done a couple of analyses; it's
basically as safe as your computer is. It can be man-in-the-middled if
you can give the target's browser a trusted cert of your choosing or if
you can run a keylogging trojan on the target, same as most other
token-based solutions really.

Roger
--
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
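
An added example, not part of the original message and not Yubico's or the PAM module's code: how a client can check the reply to the `verify` request quoted above, so that a reply altered or replayed in transit is rejected. The field names other than `id` and `otp` (`nonce`, `status`, `t`, `h`) and the HMAC-SHA1 signing rule are assumptions taken from Yubico's validation protocol 2.0 as generally documented; the key, OTP and reply are constructed sample data.

```python
import base64
import hashlib
import hmac

def sign(params, api_key_b64):
    """HMAC-SHA1 over the sorted key=value pairs (h excluded), base64-encoded."""
    key = base64.b64decode(api_key_b64)
    message = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, message.encode(), hashlib.sha1).digest()).decode()

def parse_response(body):
    """Parse the key=value lines; split on the first '=' only, since base64 ends in '='."""
    params = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            key, _, value = line.partition("=")
            params[key] = value
    return params

def check_response(body, sent_otp, sent_nonce, api_key_b64):
    """Return 'OK' only if the reply is signed, echoes our request and reports OK."""
    params = parse_response(body)
    if not hmac.compare_digest(sign(params, api_key_b64), params.get("h", "")):
        return "BAD_SIGNATURE"   # altered in transit, or signed with another key
    if params.get("otp") != sent_otp or params.get("nonce") != sent_nonce:
        return "MISMATCH"        # a genuine reply, but to a different request
    return params.get("status", "MISSING_STATUS")

# Constructed sample data (not a real API key or a real OTP).
API_KEY = base64.b64encode(b"constructed-demo-key").decode()
OTP = "cccccccccccc" + "bdefghijklnrtuvbdefghijklnrtuvcb"
NONCE = "0123456789abcdef0123456789abcdef"

def build_reply(status, otp=OTP, nonce=NONCE):
    """Stand-in for the validation server: builds a signed reply body."""
    fields = {"otp": otp, "nonce": nonce, "t": "2011-06-26T02:39:53Z0123", "status": status}
    fields["h"] = sign(fields, API_KEY)
    return "\r\n".join(f"{k}={v}" for k, v in fields.items())

if __name__ == "__main__":
    print(check_response(build_reply("OK"), OTP, NONCE, API_KEY))
    forged = build_reply("REPLAYED_OTP").replace("status=REPLAYED_OTP", "status=OK")
    print(check_response(forged, OTP, NONCE, API_KEY))
    print(check_response(build_reply("OK"), OTP, "f" * 32, API_KEY))
```

The signature check only detects tampering with the server's reply; it does nothing about an OTP captured on the client before it is submitted.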



