I'm not a security expert but I understood that the usual way to use these keys was to have one server that the key authenticates with, and further sites would be accessible through OpenID or similar - so the authentication is always with one server. Using the same device with multiple servers is possible but increases the possibility of the OTP being replayed - since one server is not aware that the other has consumed the OTP.

Also my Yubikey can store more than one set of 'secrets' so it's really two keys in one. I have one that authenticates against the 'official' server and the secondary key is used with a private server. Worth considering if you want to use the same physical device over multiple servers.

I hope some technical details will be published about the Fedora use of Yubikeys sometime soon.

-Cam

On Thu, Oct 7, 2010 at 10:51 PM, Paul Wouters <paul@xxxxxxxxxxxxx> wrote:
> On Thu, 7 Oct 2010, Mike McGrath wrote:
>
>>>> We also decided to allow yubikeys as an authentication option for the
>>>> larger community to some hosts and services like fedorapeople.org or
>>>> https://admin.fedoraproject.org/community/. When asked for a password,
>>>> just use your yubikey to generate an OTP instead. Those wishing to use one
>>>> may purchase a yubikey on their own at:
>
>> I suspect it'd be worth it to see if we could get one for Fedora.
>
> I have one and I've played with it in fedora. There is however an important
> catch. The server and the yubikey share the same AES symmetric key. This means
> that if the yubikey is used for multiple sites by one user, that user is sharing
> his "private key" over various external sites.
>
> So if fedoraproject would accept it, and the same user uses this yubikey for
> another site, and that other site gets hacked, then fedoraproject could be
> hacked as well.
>
> I guess in a way it is like using the same password, but people might not be
> thinking of that when they have a "device" on them that they use.
>
> Paul

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
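An added example in Go, not code from this thread or from the Fedora or Yubico implementations: it models the Yubico OTP core both posts describe (one AES-128 block encrypted with the secret the device shares with every validation server, carrying a session counter and a session-use counter) and shows why a single server rejects a reused OTP while a second, independent server holding the same key has no record of the first use and accepts it. The 16-byte key, private ID and counter values are constructed, and the timestamp, random and CRC fields of the real token are left zero.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
)

// Constructed model of the Yubico OTP core: a 16-byte plaintext (private ID,
// 2-byte session counter, 1-byte session-use counter; other fields zero)
// encrypted as one AES-128 block with the secret the device shares with servers.
func press(key []byte, uid [6]byte, counter uint16, use uint8) []byte {
	pt := make([]byte, 16)
	copy(pt[:6], uid[:])
	binary.LittleEndian.PutUint16(pt[6:8], counter)
	pt[11] = use
	block, _ := aes.NewCipher(key)
	otp := make([]byte, 16)
	block.Encrypt(otp, pt)
	return otp
}

// server: the same AES key plus the highest counter value it has accepted so far.
type server struct{ key []byte; uid [6]byte; last uint32 }

// validate decrypts, checks the private ID and requires the counter to advance.
func (s *server) validate(otp []byte) bool {
	block, _ := aes.NewCipher(s.key)
	pt := make([]byte, 16)
	block.Decrypt(pt, otp)
	if !bytes.Equal(pt[:6], s.uid[:]) {
		return false // wrong key or another device: private ID mismatch
	}
	seq := uint32(binary.LittleEndian.Uint16(pt[6:8]))<<8 | uint32(pt[11])
	if seq <= s.last {
		return false // counter did not advance: replayed or stale OTP
	}
	s.last = seq
	return true
}

// replayDemo: the first server rejects the reused OTP; an independent second
// server with the same key never saw the first use and accepts it.
func replayDemo() (sameServerRejects, otherServerAccepts bool) {
	key := []byte("0123456789abcdef") // constructed 16-byte AES secret
	uid := [6]byte{1, 2, 3, 4, 5, 6}
	a, b := &server{key: key, uid: uid}, &server{key: key, uid: uid}
	otp := press(key, uid, 7, 1)
	a.validate(otp) // first use at server a succeeds
	return !a.validate(otp), b.validate(otp)
}
```

The only thing that stops the replay at server b is knowledge it does not have, which is why the posts above suggest validating against one server (or using a separate key slot per server).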