On Thu, 7 Oct 2010, Paul Wouters wrote: > On Thu, 7 Oct 2010, Mike McGrath wrote: > > >>> We also decided to allow yubikeys as an authentication option for the > >>> larger community to some hosts and services like fedorapeople.org or > >>> https://admin.fedoraproject.org/community/. When asked for a password, > >>> just use your yubikey to generate a otp instead. Those wishing to use one > >>> may purchase a yubikey on their own at: > > > I suspect it'd be worth it to see if we could get one for Fedora. > > I have one and I've played with it in fedora. There is however an important > catch. The server and the yubikey share the same AES symmetric key. This means > that if the yubikey is used for multiple sites by one user, that user is sharing > is his "private key" over various external sites. > > So if fedoraproject would accept it, and the same user uses this yubikey for > another site, and that other site gets hacked, then fedoraproject could be > hacked as well. > > I guess in a way it is like using the same password, but people might not be > thinking of that when they have a "device" on them that they use. > My understanding on this is, and I reserve the right to misunderstand this, is that once the AES key is on the yubikey, there is no way to get it off of there. That key is just used to generate OTP's. So if an attacker were to get an OTP they could use it to access fedora resources. But only once (which is kind of the point of the otp). And they'd only be able to use it once if the real user hadn't used it again making the attack window smaller. If you think I am wrong here please do join #fedora-admin on irc.freenode.net and help walk me through an attack. We have staging and development servers setup for such a purpose. -Mike _______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure