> What yubikey are you talking about? I have a password protecting my
> ssh key but the yubikeys I've used (including the FIPS version) spit
> out a string of characters when you touch them. No pin.

PIV enabled ones have pins if you are using that functionality.

On Mon, Mar 23, 2020 at 8:51 PM William Herrin <b...@herrin.us> wrote:

> On Mon, Mar 23, 2020 at 5:16 PM Warren Kumari <war...@kumari.net> wrote:
> > Well, yes and no. With a Yubikey the attacker has to be local to
> > physically touch the button[0] - with just an SSH key, anyone who gets
> > access to the machine can take my key and use it. This puts it in the
> > "something you have" (not something you are) camp.
>
> Hi Warren,
>
> They're both "something you have" factors. The yubi key proves
> possession better than the ssh key just like a long password proves
> what-you-know better than a 4-digit PIN. But the ssh key and the yubi
> key are still part of the same authentication factor.
>
>
> > Not really -- if an attacker steals my laptop, they don't have the
> > yubikey (unless I store it in the USB port).
>
> You make a habit of removing your yubi key from the laptop when nature
> calls? No you don't.
>
>
> > If they *do* steal both,
> > they can bruteforce the SSH passphrase, but after 5 tries of guessing
> > the Yubikey PIN it self-destructs.
>
> What yubikey are you talking about? I have a password protecting my
> ssh key but the yubikeys I've used (including the FIPS version) spit
> out a string of characters when you touch them. No pin.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/
>