Re: Yubikeys are now supported


 



On Thu, 7 Oct 2010, Mike McGrath wrote:

> My understanding on this is, and I reserve the right to misunderstand
> this, is that once the AES key is on the yubikey, there is no way to get
> it off of there.  That key is just used to generate OTPs.  So if an
> attacker were to get an OTP they could use it to access fedora resources.
> But only once (which is kind of the point of the OTP).  And they'd only be
> able to use it once if the real user hadn't used it again making the
> attack window smaller.

That's right. And since Fedora is not using the yubikey as an audit trail,
this is fine - anyone with root could obtain anyone's AES key and "clone"
a yubikey and login as someone else.

You might only see some people who know how yubikeys work decide on
sticking to one device for multiple services which are not aware they
are sharing the same AES key.

But it is a clear distinction from say ssh public keys, where I can give
everyone my public ssh key without needing to trust the remote party at
all (provided I don't use ssh -A to their servers).

Paul
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
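
The two properties discussed in this message, shown as an added example that is not part of the original e-mail or of Fedora's code: a captured OTP is good once and only until a newer one has been used, and any party holding the shared key can produce OTPs another verifier accepts. HMAC-SHA256 stands in for the YubiKey's AES encryption so the block runs on the Python standard library alone; the token format, names and key are constructed.

```python
import hashlib
import hmac

def make_otp(key: bytes, public_id: str, counter: int) -> str:
    """Token = id:counter:MAC(key, id:counter). Stand-in for the AES-encrypted OTP block."""
    msg = f"{public_id}:{counter:08x}"
    tag = hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{msg}:{tag}"

class Verifier:
    """A service that stores each user's symmetric key, as an OTP validator must."""
    def __init__(self, keys):
        self.keys = dict(keys)   # public_id -> shared secret
        self.last_counter = {}   # public_id -> highest counter accepted so far

    def verify(self, otp: str) -> bool:
        try:
            public_id, counter_hex, tag = otp.split(":")
            counter = int(counter_hex, 16)
        except ValueError:
            return False
        key = self.keys.get(public_id)
        if key is None:
            return False
        expected = make_otp(key, public_id, counter).rsplit(":", 1)[1]
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return False
        if counter <= self.last_counter.get(public_id, -1):
            return False         # replayed, or older than an OTP already used
        self.last_counter[public_id] = counter
        return True

def demo():
    key = b"constructed-sample-key"       # constructed value, not a real key
    service_a = Verifier({"alice": key})
    service_b = Verifier({"alice": key})  # same device registered at a second service
    captured = make_otp(key, "alice", 5)  # OTP captured before the user submitted it
    results = {
        "captured_first_use": service_a.verify(captured),
        "captured_replay": service_a.verify(captured),
    }
    fresh = Verifier({"alice": key})
    fresh.verify(make_otp(key, "alice", 6))  # real user logs in with a later OTP first
    results["captured_after_newer"] = fresh.verify(captured)
    # Whoever can read service B's key store holds the secret service A checks against.
    minted = make_otp(service_b.keys["alice"], "alice", 7)
    results["minted_from_b_accepted_by_a"] = service_a.verify(minted)
    return results
```

With an ssh public key the verifier stores nothing that can produce a valid login, which is the distinction drawn above.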

