Old 10-07-2010, 08:49 PM
Bruno Wolff III
 
Default Yubikeys are now supported

On Thu, Oct 07, 2010 at 12:04:49 -0500,
Mike McGrath <mmcgrath@redhat.com> wrote:
>
> We also decided to allow yubikeys as an authentication option for the
> larger community to some hosts and services like fedorapeople.org or
> https://admin.fedoraproject.org/community/. When asked for a password,
> just use your yubikey to generate an otp instead. Those wishing to use one
> may purchase a yubikey on their own at:

While I won't make this Fudcon, I am wondering if it might be worth getting
some idea of what interest there would be for people wanting those and
getting a bulk discount and having people pay for them at a Fudcon.
It looked like even 10 got you a decent discount.
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
 
Old 10-07-2010, 09:26 PM
Mike McGrath
 
Default Yubikeys are now supported

On Thu, 7 Oct 2010, Bruno Wolff III wrote:

> On Thu, Oct 07, 2010 at 12:04:49 -0500,
> Mike McGrath <mmcgrath@redhat.com> wrote:
> >
> > We also decided to allow yubikeys as an authentication option for the
> > larger community to some hosts and services like fedorapeople.org or
> > https://admin.fedoraproject.org/community/. When asked for a password,
> > just use your yubikey to generate an otp instead. Those wishing to use one
> > may purchase a yubikey on their own at:
>
> While I won't make this Fudcon, I am wondering if it might be worth getting
> some idea of what interest there would be for people wanting those and
> getting a bulk discount and having people pay for them at a Fudcon.
> It looked like even 10 got you a decent discount.
>

I do happen to know there's a 40% discount for people via this site:

http://forum.wegotserved.com/index.php/topic/9310-discount-on-yubikey-via-securitynow-podcast/

I suspect it'd be worth it to see if we could get one for Fedora.

-Mike
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
 
Old 10-07-2010, 09:51 PM
Paul Wouters
 
Default Yubikeys are now supported

On Thu, 7 Oct 2010, Mike McGrath wrote:

>>> We also decided to allow yubikeys as an authentication option for the
>>> larger community to some hosts and services like fedorapeople.org or
>>> https://admin.fedoraproject.org/community/. When asked for a password,
>>> just use your yubikey to generate an otp instead. Those wishing to use one
>>> may purchase a yubikey on their own at:

> I suspect it'd be worth it to see if we could get one for Fedora.

I have one and I've played with it in fedora. There is however an important
catch. The server and the yubikey share the same AES symmetric key. This means
that if the yubikey is used for multiple sites by one user, that user is sharing
his "private key" over various external sites.

So if fedoraproject would accept it, and the same user uses this yubikey for
another site, and that other site gets hacked, then fedoraproject could be
hacked as well.

I guess in a way it is like using the same password, but people might not be
thinking of that when they have a "device" on them that they use.

Paul
 
Old 10-07-2010, 10:00 PM
Matthew Miller
 
Default Yubikeys are now supported

On Thu, Oct 07, 2010 at 12:04:49PM -0500, Mike McGrath wrote:
> Implementation work continues to be discussed and put in place but please
> direct any questions or comments to #fedora-admin on irc.freenode.net or
> the Infrastructure mailing list -


Hello, synchronicity! I was just looking at this for a work project, and my
test Yubikeys arrived today.

I'm a little disturbed by the pam module in Fedora Rawhide, though -- it
seems to segfault on success, which is non-ideal behavior for a security
module.

--
Matthew Miller <mattdm@mattdm.org>
Senior Systems Architect -- Instructional & Research Computing Services
Harvard School of Engineering & Applied Sciences
 
Old 10-07-2010, 10:14 PM
Camilo Mesias
 
Default Yubikeys are now supported

I'm not a security expert but I understood that the usual way to use
these keys was to have one server that the key authenticates with, and
further sites would be accessible through openID or similar - so the
authentication is always with one server.

Using the same device with multiple servers is possible but increases
the possibility of OTP being replayed - since one server is not aware
that the other has consumed the OTP.

Also my Yubikey can store more than one set of 'secrets' so it's
really two keys in one. I have one that authenticates against the
'official' server and the secondary key is used with a private server.
Worth considering if you want to use the same physical device over
multiple servers.

I hope some technical details will be published about the Fedora use
of Yubikeys sometime soon.

-Cam

On Thu, Oct 7, 2010 at 10:51 PM, Paul Wouters <paul@xelerance.com> wrote:
> On Thu, 7 Oct 2010, Mike McGrath wrote:
>
>>>> We also decided to allow yubikeys as an authentication option for the
>>>> larger community to some hosts and services like fedorapeople.org or
>>>> https://admin.fedoraproject.org/community/. When asked for a password,
>>>> just use your yubikey to generate an otp instead. Those wishing to use one
>>>> may purchase a yubikey on their own at:
>
>> I suspect it'd be worth it to see if we could get one for Fedora.
>
> I have one and I've played with it in fedora. There is however an important
> catch. The server and the yubikey share the same AES symmetric key. This means
> that if the yubikey is used for multiple sites by one user, that user is sharing
> his "private key" over various external sites.
>
> So if fedoraproject would accept it, and the same user uses this yubikey for
> another site, and that other site gets hacked, then fedoraproject could be
> hacked as well.
>
> I guess in a way it is like using the same password, but people might not be
> thinking of that when they have a "device" on them that they use.
>
> Paul
 
Old 10-07-2010, 11:25 PM
Mike McLean
 
Default Yubikeys are now supported

On Thu, Oct 7, 2010 at 5:51 PM, Paul Wouters <paul@xelerance.com> wrote:
> I have one and I've played with it in fedora. There is however an important
> catch. The server and the yubikey share the same AES symmetric key. This means
> that if the yubikey is used for multiple sites by one user, that user is sharing
> his "private key" over various external sites.
>
> So if fedoraproject would accept it, and the same user uses this yubikey for
> another site, and that other site gets hacked, then fedoraproject could be
> hacked as well.
>
> I guess in a way it is like using the same password, but people might not be
> thinking of that when they have a "device" on them that they use.

Wow, that's a serious weakness. Are we sure about this?
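
The two points raised in this thread (Paul Wouters: the server and the token share one AES key; Camilo Mesias: a second server is not aware that the first has consumed an OTP) can be checked with two validators. This is an added example, not part of any post and not Fedora's or Yubico's code. It assumes the Yubico OTP block layout and leaves out modhex encoding, the timestamp and the CRC check; `Validator`, `makeOTP` and `Demo` are hypothetical names, and the key and private ID are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// Validator is one site's copy of the token's AES-128 key and private ID.
type Validator struct {
	key, uid []byte
	last     int // highest useCtr<<8|sessionUse accepted here; -1 = none yet
}

// makeOTP stands in for the token; timestamp, random and CRC stay zero here.
func makeOTP(key, uid []byte, useCtr uint16, sessionUse byte) []byte {
	blk := make([]byte, aes.BlockSize)
	copy(blk, uid)                                 // bytes 0-5: private ID
	binary.LittleEndian.PutUint16(blk[6:], useCtr) // bytes 6-7: use counter
	blk[11] = sessionUse                           // byte 11: session use
	c, _ := aes.NewCipher(key)                     // sample key is 16 bytes
	c.Encrypt(blk, blk)
	return blk
}

// Accept decrypts, checks the private ID and requires a strictly newer counter.
func (v *Validator) Accept(otp []byte) bool {
	c, err := aes.NewCipher(v.key)
	if err != nil || len(otp) != aes.BlockSize {
		return false
	}
	blk := make([]byte, aes.BlockSize)
	c.Decrypt(blk, otp)
	ctr := int(binary.LittleEndian.Uint16(blk[6:]))<<8 | int(blk[11])
	if !bytes.Equal(blk[:6], v.uid) || ctr <= v.last {
		return false
	}
	v.last = ctr
	return true
}

// Demo sends one OTP to site A, replays it there, then replays it to site B.
func Demo() (first, replayA, replayB bool) {
	key, uid := []byte("constructed-key!"), []byte{1, 2, 3, 4, 5, 6} // sample values
	siteA, siteB := &Validator{key, uid, -1}, &Validator{key, uid, -1}
	otp := makeOTP(key, uid, 1, 0)
	return siteA.Accept(otp), siteA.Accept(otp), siteB.Accept(otp)
}
func main() { fmt.Println(Demo()) }
```

Sites A and B each hold a copy of the key but separate counter state, so the replay is refused only by the validator that already saw the OTP. A single validation server consulted by every site, the arrangement Camilo Mesias describes, keeps one counter and one copy of the key.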