[kwlug-disc] Tightening up SSH

Chris Irwin chris at chrisirwin.ca
Tue Jul 20 11:41:31 EDT 2010


On Tue, 2010-07-20 at 10:36 -0400, Andrew Kohlsmith (mailing lists account) wrote:

> I read about the Yubikey after seeing the link here... it sounds almost 
> perfect, but the site says that the key itself does not have any 
> challenge/response mechanism.

From what I understand (I don't have one, I'm just somewhat interested),
it works somewhat similarly to RSA SecurID fobs; I believe it is just an
incrementing hash generator. The RSA SecurIDs increment based on an
internal clock; this uses a similar mechanism, but with an index counter
that doesn't require a backing battery or RTC.

> I understand that the server/client have a challenge/response (server asking 
> client for Yubi passphrase, client obtaining it from the key and responding to 
> server with it)... I'm gonna dig around some more... I'm liking this.

You plug it into USB, and it generates a hash based on index++. It
shows up as a USB keyboard, so every time you press the button it
'types' the next key in.

I believe I read about a fellow who had it set up with a salt, so his
passphrase was essentially staticphrase+yubikey. That way, taking the
Yubikey from him was not enough; you also needed his static phrase.
Granted, that could be grabbed by a regular keylogger.

-- 
Chris Irwin <chris at chrisirwin.ca>
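Added example (not part of Chris's post and not Yubico's own code): the counter-based "index++" token described above, modelled with RFC 4226 HOTP, which is the standard counter-based OTP and is assumed here in place of the Yubikey's own OTP format. It shows both sides: a simulated token whose each button press yields the next code, and a server-side verifier that expects staticphrase+otp, searches a look-ahead window above the last accepted counter, and therefore rejects a replayed or older code. The secret is the RFC 4226 test-vector key, the phrase and login sequence are constructed for the demo, and the class and function names are hypothetical.

```python
"""Counter-based OTP (RFC 4226 HOTP) modelling an "index++" token, plus a
server-side verifier for staticphrase+otp with replay rejection.
Hypothetical example; it is not Yubico's OTP format."""
import hashlib
import hmac
import struct

DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit value, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class CounterToken:
    """Simulated hardware side: each press 'types' HOTP(counter), then counter++."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def press(self) -> str:
        otp = hotp(self._secret, self._counter)
        self._counter += 1
        return otp


class CounterOtpVerifier:
    """Server side. Expects static_phrase + otp. The OTP is searched only in a
    window strictly above the highest counter already accepted, so a code that
    was used once (or any older code captured by a keylogger) never verifies again."""

    def __init__(self, secret: bytes, static_phrase: str, look_ahead: int = 10):
        self._secret = secret
        self._phrase_digest = hashlib.sha256(static_phrase.encode()).digest()
        self._look_ahead = look_ahead  # how many unsent presses we tolerate
        self.last_counter = -1         # highest counter value accepted so far

    def verify(self, submitted: str) -> bool:
        if len(submitted) <= DIGITS:
            return False
        phrase, otp = submitted[:-DIGITS], submitted[-DIGITS:]
        # Check the static part with a constant-time compare on a digest.
        phrase_ok = hmac.compare_digest(
            hashlib.sha256(phrase.encode()).digest(), self._phrase_digest)
        # Always run the OTP search too, so failures take the same time path.
        matched = None
        start = self.last_counter + 1
        for counter in range(start, start + self._look_ahead):
            if hmac.compare_digest(hotp(self._secret, counter), otp):
                matched = counter
                break
        if not phrase_ok or matched is None:
            return False
        self.last_counter = matched  # burn this and every lower counter
        return True


def demo() -> list:
    """Constructed login sequence; returns the verdict of each attempt."""
    secret = b"12345678901234567890"  # RFC 4226 test-vector key (constructed input)
    phrase = "correct horse"          # constructed static phrase
    token = CounterToken(secret)
    server = CounterOtpVerifier(secret, phrase, look_ahead=5)
    results = []
    first = token.press()                                    # counter 0
    results.append(server.verify(phrase + first))            # True
    results.append(server.verify(phrase + first))            # False: replayed code
    token.press()
    token.press()                                            # counters 1, 2 never sent
    fourth = token.press()                                   # counter 3
    results.append(server.verify(phrase + fourth))           # True: inside window
    results.append(server.verify("wrong" + token.press()))   # False: key alone not enough
    return results


if __name__ == "__main__":
    print(demo())  # [True, False, True, False]
```

The window search is what makes skipped presses harmless while still rejecting replays: anything at or below `last_counter` is simply never tried. One design choice left open here is whether a correct OTP sent with a wrong static phrase should still advance the counter (the code has been exposed at that point); this example does not, to keep the sequence easy to follow.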