> On 10 Feb 2018, at 20:16, joevio...@gmail.com wrote:
> 
> Yubikey can have different modes of authentication.  I remember looking at 
> the work of adubois last year as a possible solution.
> My Yubikey has a slot used for Challenge/Response, which is MUCH easier to 
> work with when you have multiple systems and devices.
> 
> I guess YubicoOTP would require something like a custom PAM module... but 
> with Challenge/Response, my solution was to use the built-in pam_exec.so to 
> run a very short script when authenticating.

My solution is a custom PAM module with password + OTP and a master password (to 
use if the USB VM is compromised).
This OTP slot of the YubiKey is then dedicated to one Qubes system. 
I made sure you can't forget the YubiKey in the slot: the OTP is transmitted to 
the USB VM when the key is pressed and transmitted to dom0 when you remove the key. 
If on key removal you are not authenticated, you have to assume that the USB VM is 
compromised and may be used for a hold-and-replay attack. You have to go to a 
secure area, log in with the master password, destroy the USB VM and reinstall the 
front-end + re-initialise the PAM. 
If you press the YubiKey by mistake, I think you also run a risk of compromise 
and have to do the same. 

Challenge-response is more practical, but I feel it is less secure (I might be 
wrong); I have not looked deeply into it. One worry is influencing the generation 
of the challenge (to be the same as a previous one) via the clock. 
> 
> The only dependency is to install ykpers on sys-usb as it uses ykchalresp.
> 
> https://gist.github.com/Joeviocoe/929ebde1066a22491bf93ccc9d6c0ba3

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/EF1BE37B-21E0-44BE-866C-2BE99DD1726E%40gmail.com.
For more options, visit https://groups.google.com/d/optout.
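To make the two points in the thread concrete (the "hold and replay" attack from a compromised USB VM, and the worry that a challenge derived from the clock could be forced to repeat), here is an added model of YubiKey HMAC-SHA1 challenge-response login through an untrusted relay. It is example code written for this page, not the poster's PAM module, adubois's work, or the gist linked above. It assumes dom0 holds a copy of the 20-byte slot secret and that the USB VM is fully attacker-controlled; the class and function names, the 32-byte random challenge size, and the clock-derived challenge are all constructed for illustration.

```python
"""Added example: YubiKey HMAC-SHA1 challenge-response through an untrusted
relay (the Qubes USB VM). Constructed model, not the thread's own code."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional


class YubiKeySlot:
    """A YubiKey slot programmed for HMAC-SHA1 challenge-response.

    The real device computes HMAC-SHA1 over a challenge of up to 64 bytes
    with the 20-byte secret stored in the slot; ykchalresp only relays the
    challenge over USB and returns the 20-byte response.
    """

    def __init__(self, secret: bytes) -> None:
        if len(secret) != 20:
            raise ValueError("HMAC-SHA1 slot secret must be 20 bytes")
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        if not 1 <= len(challenge) <= 64:
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class CompromisedUsbVm:
    """The relay between dom0 and the device, assumed attacker-controlled.

    It forwards challenges honestly while a key is attached but records every
    (challenge, response) pair so it can answer from the cache later, when no
    key is present: the "hold and replay" attack discussed in the thread.
    """

    def __init__(self) -> None:
        self._seen: Dict[bytes, bytes] = {}

    def relay(self, challenge: bytes, key: Optional[YubiKeySlot]) -> Optional[bytes]:
        if key is not None:
            response = key.respond(challenge)
            self._seen[challenge] = response
            return response
        # No key attached: succeed only if this exact challenge was seen before.
        return self._seen.get(challenge)


class Dom0Verifier:
    """dom0 side (assumption: dom0 holds a copy of the slot secret).

    challenge_source decides how each challenge is chosen; that choice is the
    whole security argument, as the two scenarios below show.
    """

    def __init__(self, secret: bytes, challenge_source: Callable[[], bytes]) -> None:
        self._secret = secret
        self._challenge_source = challenge_source
        self._pending: Optional[bytes] = None

    def issue_challenge(self) -> bytes:
        self._pending = self._challenge_source()
        return self._pending

    def verify(self, response: Optional[bytes]) -> bool:
        challenge, self._pending = self._pending, None  # a challenge is single-use
        if challenge is None or response is None:
            return False
        expected = hmac.new(self._secret, challenge, hashlib.sha1).digest()
        return hmac.compare_digest(expected, response)


def attempt_login(verifier: Dom0Verifier, usb_vm: CompromisedUsbVm,
                  key: Optional[YubiKeySlot]) -> bool:
    challenge = verifier.issue_challenge()
    return verifier.verify(usb_vm.relay(challenge, key))


def fresh_challenge() -> bytes:
    """Sound choice: an unpredictable challenge from the OS CSPRNG."""
    return secrets.token_bytes(32)


def clock_challenge(clock: Callable[[], int]) -> Callable[[], bytes]:
    """Constructed weak design: challenge derived from a clock the attacker can influence."""
    return lambda: clock().to_bytes(8, "big")


def run_scenarios() -> Dict[str, bool]:
    secret = bytes(range(1, 21))  # constructed demo secret, not a real slot key
    key = YubiKeySlot(secret)

    # Scenario 1: random challenge. The recorded response never matches a new challenge.
    usb_vm = CompromisedUsbVm()
    good = Dom0Verifier(secret, fresh_challenge)
    legit = attempt_login(good, usb_vm, key)
    replay_random = attempt_login(good, usb_vm, None)

    # Scenario 2: clock-derived challenge with the clock frozen by the attacker,
    # so the next challenge equals one already recorded while the key was present.
    now = [1_518_292_560]
    usb_vm2 = CompromisedUsbVm()
    weak = Dom0Verifier(secret, clock_challenge(lambda: now[0]))
    attempt_login(weak, usb_vm2, key)
    replay_clock = attempt_login(weak, usb_vm2, None)

    return {"legit_login": legit,
            "replay_with_random_challenge": replay_random,
            "replay_with_frozen_clock": replay_clock}
```

The relay only ever sees challenges and HMAC outputs, never the slot secret, so with an unpredictable single-use challenge the cached pairs are worthless; the moment the challenge can be made to repeat, the compromised USB VM can log in without the key present, which is exactly the failure mode the replies are weighing.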