[kwlug-disc] Tightening up SSH
Chris Irwin
chris at chrisirwin.ca
Tue Jul 20 11:41:31 EDT 2010

On Tue, 2010-07-20 at 10:36 -0400, Andrew Kohlsmith (mailing lists
account) wrote:
> I read about the Yubikey after seeing the link here... it sounds almost
> perfect, but the site says that the key itself does not have any
> challenge/response mechanism.

From what I understand (I don't have one, I'm just somewhat interested),
it works somewhat similarly to RSA SecurID fobs; I believe it is just an
incrementing hash generator. The RSA SecurIDs increment based on an
internal clock; this uses a similar mechanism but with an index counter
that doesn't require a backing battery or RTC.

> I understand that the server/client have a challenge/response (server asking
> client for Yubi passphrase, client obtaining it from the key and responding to
> server with it)... I'm gonna dig around some more... I'm liking this.

You plug it into USB, and it generates a hash based on index++. It
shows up as a USB keyboard, so every time you press the button it
'types' the next key in.

I believe I read about a fellow who had it set up with a salt, so his
passphrase was essentially staticphrase+yubikey. That way, taking the
Yubikey from him was not enough; you also needed his static phrase.
Granted, that could be grabbed by a regular keylogger.

--
Chris Irwin <chris at chrisirwin.ca>
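
Added example (not part of the original message and not Yubikey code): a server-side check for the scheme discussed above, a static phrase followed by a counter-based one-time code, showing why a replayed or stale code is rejected. It uses RFC 4226 HOTP as a stand-in for the token's code generator; the Verifier class, the sample phrase and the 5-step look-ahead window are assumptions.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Verifier:
    """Hypothetical server side: accepts static phrase + an unused code."""

    def __init__(self, secret: bytes, static_phrase: str, window: int = 5):
        self.secret = secret
        # Demo only: a real server would keep a salted hash of the phrase.
        self.static_phrase = static_phrase.encode()
        self.next_counter = 0   # lowest counter value not yet accepted
        self.window = window    # tolerated button presses that never reached us

    def check(self, submitted: str, digits: int = 6) -> bool:
        phrase = submitted[:-digits].encode()
        code = submitted[-digits:].encode()
        phrase_ok = hmac.compare_digest(phrase, self.static_phrase)
        for counter in range(self.next_counter, self.next_counter + self.window):
            expected = hotp(self.secret, counter, digits).encode()
            if hmac.compare_digest(expected, code):
                if phrase_ok:
                    # Burn this counter and every earlier one: no replay.
                    self.next_counter = counter + 1
                return phrase_ok
        return False

if __name__ == "__main__":
    # Constructed sample: the RFC 4226 test secret and a made-up phrase.
    v = Verifier(b"12345678901234567890", "constructed-phrase")
    print(v.check("constructed-phrase755224"))  # code for counter 0
    print(v.check("constructed-phrase755224"))  # the same code replayed
```
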