Hi,

I am the maintainer for ykpers and libyubikey for Fedora. It's great to see Fedora starting to use these nifty devices! If there is anything I can do to help out and make the use of Yubikeys in the Fedora project into a success, just holler.

It might be interesting to add a README.Fedora to the ykpers package explaining how to configure it for both Fedora and Yubico's servers like on the page Toshio linked to. I'll look into that later.

One question I don't think has been asked before: Can we eventually make FAS' (beta) OpenID provider functionality work with this? If so, there will be little use for uploading an AES key to Yubico. Because when I use my Yubikeys to authenticate myself, I most often do this through OpenID and there is at least one free OpenID provider with support for Yubikeys (clavid.com). This OpenID provider authenticates me against Yubico's servers.

If we can have an OpenID provider service in FAS that authenticates against the AES keys in Fedora's database, I wouldn't need other providers like Clavid or even Yubico's own servers anymore. There would be no more need to use the same AES key for multiple services *and* it would only require one AES key for OTP on my Yubikey, leaving the second slot for a strong static password for e.g. LUKS disk encryption.

But I'm not very well informed about the architecture of FAS, so maybe this is incredibly difficult or dangerous...

Maxim Burgerhout
maxim@xxxxxxxxx
----------------
GPG Fingerprint
EB11 5E56 E648 9D99 E8EF 05FB C513 6FD4 1302 B48A

On Fri, Oct 8, 2010 at 08:03, Toshio Kuratomi <a.badger@xxxxxxxxx> wrote:
> On Fri, Oct 08, 2010 at 12:07:34AM -0400, Matthew Miller wrote:
>> On Thu, Oct 07, 2010 at 11:30:43PM -0400, Toshio Kuratomi wrote:
>> > The newer yubikey hardware has provision for two AES keys but I'm not sure
>> > how that works and whether it actually allows you to use separate keys with
>> > separate servers. Someone will need to look into this.
>>
>> Yes, separate keys -- basically two separate configurations in one device.
>>
> After a bit of trial and error, I got this working. I now have my
> yubikey-v2 to send an otp that's associated with fas if I hold the contact
> for 0.3 – 1.5 seconds and an otp that's registered with yubico's servers if
> I press for 2.5 – 5 seconds. The sparsity of introductory docs on
> ykpersonalize made this harder than it should have been. I pieced together
> the necessary information from this page:
>
> http://www.teaparty.net/technotes/yubikey.html
>
> and the official upload instructions linked from here:
>
> http://www.yubico.com/developers/aeskeys/
>
> and the user's manual
>
> http://yubico.com/files/YubiKey_manual-2.0.pdf
>
>
> Writing the second key slot was kinda like this:
>
>   sudo ykpersonalize -2 -o fixed=vvXXXXXXXX -a KEY
>       -o -static-ticket -o -strong-pw1 -o -strong-pw2
>       -o -man-update -o -append-cr -ouid=YYYYY
>
> Figuring out XXXX, KEY, and YYY were what I needed to read those documents
> for.
>
> -Toshio