On Tue, Mar 24, 2009 at 22:28, Robert G. Brown <[email protected]> wrote:
> On Tue, 24 Mar 2009, Billy Crook wrote:
>> Both can be integrated with PAM. Yubikeys go for $25 (less in
>> quantity). Their server side software is Free Software, hosted on
>> Google Code. http://code.google.com/u/simon75j/
>
> Have you tried either or both of them?
>
> rgb

I've considered the former, but I wouldn't have the patience to hand type something unique every time, so I just keep long passphrases and regularly change them.

As for the latter, I purchased a few yubikeys to play with a month ago, and have personalized (re-keyed) one. Sort of... Their GNU+Linux personalization tool has a ways to go. I worked with them to get it to compile under 64-bit distributions. While the tool will "allow" you to choose a passphrase and random seed, it did not as of a couple weeks ago provide any means of directly assigning an AES key. I spoke with a developer there, and they are going to implement that in the immediate future, along with some sort of official format for storing key data (in databases or .ssh/authorized_yubikeys files).

They seem to have focused mostly on Windows for the programming tool though. To program them in GNU+Linux, one must first unload the usbhid module, or load it in a quirks mode, because the module otherwise locks the device and it's not accessible to the personalization tool even as root. They're working on that as well. As of right now, their current version of the personalization tool didn't compile.

As of yet, I've only made real use of them with their factory-programmed keys, to authenticate to Yubico's openid provider. Other people to whom I have given some yubikeys have been using the pam module on their servers to ssh with a one-time password, with much success. They are, of course, using Yubico to authenticate the OTPs.

I plan to check back every few weeks to watch the progress on their Free Software tools for personalization, and eventually use mine as additional factors of authentication for ssh and openvpn. From what I understand they do entirely intend for users to be able to operate completely independent from Yubico without having to pay for software licenses.
They even publish their enterprisey 'yubikey management server' for administering your users' yubikeys, pam modules, re-keying tools, the actual authentication code, and many other things on that Google Code page. I've not tested most of it. Your mileage may vary. I'd like to hear what others think of these little gadgets as well.

Here's what a few from my 'demo key' look like:

ecebedeeefegeheiejekecebhvbcdiiiirfekttdkvlfhbuldbgedtlc
ecebedeeefegeheiejekecebhktreuklveuvgbhhfcrlfduvjrvinbtc
ecebedeeefegeheiejekecebcvfkvtbnhhtifgckuffffklcnjbjcbdu

-Billy
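
Added example, not part of Billy's message and not Yubico's code: a parser that splits the three demo-key OTPs quoted above into their static public ID and the per-press encrypted block. It assumes the general Yubico OTP layout, which the post does not spell out (modhex alphabet `cbdefghijklnrtuv`, last 32 characters are the 16-byte AES-128 block, everything before it is the public ID); the function names are illustrative.

```python
# Added example: what a verifier can learn from a Yubico OTP before it has
# the AES key. Layout facts are assumptions stated in the lead-in above.
MODHEX = "cbdefghijklnrtuv"            # modhex digit i stands for hex digit i
TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")
TOKEN_CHARS = 32                       # 16-byte encrypted block, 2 chars/byte
MAX_ID_CHARS = 32                      # public ID may be 0..16 bytes

# The three OTPs quoted in the post.
SAMPLES = [
    "ecebedeeefegeheiejekecebhvbcdiiiirfekttdkvlfhbuldbgedtlc",
    "ecebedeeefegeheiejekecebhktreuklveuvgbhhfcrlfduvjrvinbtc",
    "ecebedeeefegeheiejekecebcvfkvtbnhhtifgckuffffklcnjbjcbdu",
]


def modhex_decode(text):
    """Decode modhex to bytes; reject odd lengths and foreign characters."""
    text = text.strip().lower()
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not a modhex string")
    return bytes.fromhex(text.translate(TO_HEX))


def split_otp(otp):
    """Return (public_id, encrypted_block) for one OTP string."""
    otp = otp.strip().lower()
    id_chars = len(otp) - TOKEN_CHARS
    if id_chars < 0 or id_chars > MAX_ID_CHARS:
        raise ValueError("unexpected OTP length")
    return modhex_decode(otp[:id_chars]), modhex_decode(otp[id_chars:])


def check_batch(otps, expected_id):
    """Pre-decryption checks: the ID must match and no block may repeat."""
    seen = []
    for otp in otps:
        public_id, block = split_otp(otp)
        if public_id != expected_id:
            raise ValueError("OTP is from a different key")
        if block in seen:
            raise ValueError("verbatim replay of an earlier OTP")
        seen.append(block)
    return seen


if __name__ == "__main__":
    key_id, _ = split_otp(SAMPLES[0])
    print("public ID:", key_id)        # static and not secret
    for block in check_batch(SAMPLES, key_id):
        print("encrypted block:", block.hex())
```

The public ID only selects which AES key to use; accepting an OTP still requires decrypting the block and checking its CRC and counters.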
