Maxim Burgerhout writes:
> Hi,
>
> I am the maintainer for ykpers and libyubikey for Fedora. It's great
> to see Fedora starting to use these nifty devices!
>
> If there is anything I can do to help out and make the use of
> Yubikey's in the Fedora project into a success, just holler.
Hi -- I li
Paul Wouters writes:
> On Fri, 8 Oct 2010, Nathanael D. Noblet wrote:
>
>> On 10/07/2010 10:58 PM, Paul Wouters wrote:
>>> One usage of yubikey I would like very much is as storage for the AES
>>> encryption key for disk encryption. I'd prefer the disk crypto key to
>>> not be on the disk at all,
On Fri, Oct 8, 2010 at 16:57, Matthew Miller wrote:
> On Fri, Oct 08, 2010 at 11:47:43AM +0200, Maxim Burgerhout wrote:
>> If there is anything I can do to help out and make the use of
>> Yubikey's in the Fedora project into a success, just holler. It might
>
> Fixing the pam module to not crash m
On Fri, 8 Oct 2010, Jesse Keating wrote:
>> Note that yubikeys are not (yet) usable for this. You cannot request the
>> AES key from it (AFAIK), only an OTP. And the OTP can also not be used to
>> unlock
>> an AES key on the harddisk because it is different for each activation.
>
> Can't you use
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 10/8/10 2:48 PM, Paul Wouters wrote:
> On Fri, 8 Oct 2010, Nathanael D. Noblet wrote:
>
>> On 10/07/2010 10:58 PM, Paul Wouters wrote:
>>> One usage of yubikey I would like very much is as storage for the AES
>>> encryption key for disk encryption.
On Fri, 8 Oct 2010, Nathanael D. Noblet wrote:
> On 10/07/2010 10:58 PM, Paul Wouters wrote:
>> One usage of yubikey I would like very much is as storage for the AES
>> encryption key for disk encryption. I'd prefer the disk crypto key to
>> not be on the disk at all, protected by just a passphras
On 10/07/2010 10:58 PM, Paul Wouters wrote:
> One usage of yubikey I would like very much is as storage for the AES
> encryption key for disk encryption. I'd prefer the disk crypto key to
> not be on the disk at all, protected by just a passphrase. It would be
> nice to have it on a yubikey instead
On Fri, Oct 8, 2010 at 08:48, Paul Wouters wrote:
> On Fri, 8 Oct 2010, Dennis Gilmore wrote:
>
>> It sounds like you do not fully understand how the yubikeys work. either that
>> or i dont understand the attack you are describing?
>
> It all comes down to this being based on symmetric crypto, no
On 2010-10-08 10:57:16 AM, Matthew Miller wrote:
> On Fri, Oct 08, 2010 at 11:47:43AM +0200, Maxim Burgerhout wrote:
> > If there is anything I can do to help out and make the use of
> > Yubikey's in the Fedora project into a success, just holler. It might
>
> Fixing the pam module to not crash mi
On Fri, Oct 08, 2010 at 11:47:43AM +0200, Maxim Burgerhout wrote:
> If there is anything I can do to help out and make the use of
> Yubikey's in the Fedora project into a success, just holler. It might
Fixing the pam module to not crash might be good. :)
Have you considerd packaging up the server
On Fri, 8 Oct 2010, Dennis Gilmore wrote:
> Even if you use your yubikey with yubicos servers. and auth against multiple
> different providers your AES key is never exposed to to any of the places that
> you auth to.
That is correct if different service providers auth the OTP against
yubicos serv
On Friday, October 08, 2010 12:06:58 am Paul Wouters wrote:
> On Thu, 7 Oct 2010, Mike McGrath wrote:
> > My understanding on this is, and I reserve the right to misunderstand
> > this, is that once the AES key is on the yubikey, there is no way to get
> > it off of there. That key is just used to
On Fri, 8 Oct 2010, Maxim Burgerhout wrote:
> Hi,
>
> I am the maintainer for ykpers and libyubikey for Fedora. It's great
> to see Fedora starting to use these nifty devices!
>
> If there is anything I can do to help out and make the use of
> Yubikey's in the Fedora project into a success, just h
Hi,
I am the maintainer for ykpers and libyubikey for Fedora. It's great
to see Fedora starting to use these nifty devices!
If there is anything I can do to help out and make the use of
Yubikey's in the Fedora project into a success, just holler. It might
be interesting to add a README.Fedora to
On Fri, Oct 08, 2010 at 12:07:34AM -0400, Matthew Miller wrote:
> On Thu, Oct 07, 2010 at 11:30:43PM -0400, Toshio Kuratomi wrote:
> > The newer yubikey hardware has provision for two AES keys but I'm not sure
> > how that works and whether it actually allows you to use separate keys with
> > separ
On Thu, 7 Oct 2010, Mike McGrath wrote:
> My understanding on this is, and I reserve the right to misunderstand
> this, is that once the AES key is on the yubikey, there is no way to get
> it off of there. That key is just used to generate OTP's. So if an
> attacker were to get an OTP they could
On Thu, 7 Oct 2010, Toshio Kuratomi wrote:
> The one time passwords generated by the yubikey can safely be used with
> multiple services. The thing that is unsafe is using the same AES key with
> multiple ykksm's. Yubico runs a ykksm for people to use with some third
> party websites that suppor
On Thu, Oct 07, 2010 at 11:30:43PM -0400, Toshio Kuratomi wrote:
> The newer yubikey hardware has provision for two AES keys but I'm not sure
> how that works and whether it actually allows you to use separate keys with
> separate servers. Someone will need to look into this.
Yes, separate keys -
On Thu, Oct 07, 2010 at 08:54:12PM -0400, Paul Wouters wrote:
>
> I have one and I've played with it in fedora. There is however an important
> catch. The server and the yubikey share the same AES symmetric key. This means
> that if the yubikey is used for multiple sites by one user, that user is
On Thu, 7 Oct 2010, Ricky Zhou wrote:
> On 2010-10-07 07:25:47 PM, Mike McLean wrote:
> > On Thu, Oct 7, 2010 at 5:51 PM, Paul Wouters wrote:
> > > I have one and I've played with it in fedora. There is however an
> > > important
> > > catch. The server and the yubikey share the same AES symmetr
On 2010-10-07 07:25:47 PM, Mike McLean wrote:
> On Thu, Oct 7, 2010 at 5:51 PM, Paul Wouters wrote:
> > I have one and I've played with it in fedora. There is however an important
> > catch. The server and the yubikey share the same AES symmetric key. This
> > means
> > that if the yubikey is use
On Thu, 7 Oct 2010, Paul Wouters wrote:
> On Thu, 7 Oct 2010, Mike McGrath wrote:
>
> >>> We also decided to allow yubikeys as an authentication option for the
> >>> larger community to some hosts and services like fedorapeople.org or
> >>> https://admin.fedoraproject.org/community/. When asked f
On Thu, 7 Oct 2010, Mike McLean wrote:
>> I guess in a way it is like using the same password, but people might not be
>> thinking of that when they have a "device" on them that they use.
>
> Wow, that's a serious weakness. Are we sure about this?
http://www.yubico.com/files/Security_Evaluation_2
On 10/7/2010 12:04, Mike McGrath wrote:
> http://fedoraproject.org/wiki/Infrastruture/Yubikey
^^
Typo alert! ;)
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
On Thu, Oct 7, 2010 at 5:51 PM, Paul Wouters wrote:
> I have one and I've played with it in fedora. There is however an important
> catch. The server and the yubikey share the same AES symmetric key. This means
> that if the yubikey is used for multiple sites by one user, that user is
> sharing
>
I'm not a security expert but I understood that the usual way to use
these keys was to have one server that the key authenticates with, and
further sites would be accessible through openID or similar - so the
authentication is always with one server.
Using the same device with mutliple servers is
On Thu, Oct 07, 2010 at 12:04:49PM -0500, Mike McGrath wrote:
> Implementation work continues to be discussed and put in please but please
> direct any questions or comments to #fedora-admin on irc.freenode.net or
> the Infrastructure mailing list -
Hello, synchronicity! I was just looking at thi
On Thu, 7 Oct 2010, Mike McGrath wrote:
>>> We also decided to allow yubikeys as an authentication option for the
>>> larger community to some hosts and services like fedorapeople.org or
>>> https://admin.fedoraproject.org/community/. When asked for a password,
>>> just use your yubikey to genera
On Thu, 7 Oct 2010, Bruno Wolff III wrote:
> On Thu, Oct 07, 2010 at 12:04:49 -0500,
> Mike McGrath wrote:
> >
> > We also decided to allow yubikeys as an authentication option for the
> > larger community to some hosts and services like fedorapeople.org or
> > https://admin.fedoraproject.org/c
On Thu, Oct 07, 2010 at 12:04:49 -0500,
Mike McGrath wrote:
>
> We also decided to allow yubikeys as an authentication option for the
> larger community to some hosts and services like fedorapeople.org or
> https://admin.fedoraproject.org/community/. When asked for a password,
> just use your
The Fedora Infrastructure team is happy to announce support for the
hardware key authentication device, the yubikey. Users will be able to
use their own yubikeys to access some Fedora services, like
fedorapeople.org or some web services.
Why have we done this? The main purpose was to provide mu
31 matches
Mail list logo
