> On 10 Feb 2018, at 20:16, joevio...@gmail.com wrote: > > Yubikey can have different modes of authentication. I remember looking at > the work of adubois last year as a possible solution. > My Yubikey has a slot used for Challenge/Response, which is MUCH easier to > work with when you have multiple systems and devices. > > I guess YubicoOTP would require something like a custom PAM module... but > with Challenge/Response, my solution was to use the built-in pam_exec.so to > run a very short script when authenticating.
My solution is a custom PAM module with password + OTP and master password (to use if compromised USB VM). This OTP slot of the Yubikey is then dedicated for 1 Qubes. I made sure you can’t forget the yubikey in the slot, the OTP is transmitted to USBVM when key is pressed and transmitted to Dom0 when you remove the key. If on key removal you are not authenticated you have to assume that USBVM is compromised and may be used for hold and replay attack. You have to go to a secure area, login with master password, destroy USBVM and reinstall front-end + re-initialise the PAM. If you press by mistake the yubikey, I think you have also a risk of compromise and have to do the same. The challenge response is more practical but I feel less secure (I might be wrong), I have not looked deeply into it. Influencing the generation of the challenge (to be the same as a previous one) via clock. > > The only dependency is to install ykpers on sys-usb as it uses ykchalresp. > > https://gist.github.com/Joeviocoe/929ebde1066a22491bf93ccc9d6c0ba3 > > -- > You received this message because you are subscribed to a topic in the Google > Groups "qubes-users" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/qubes-users/BkdTuXZZnwE/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > qubes-users+unsubscr...@googlegroups.com. > To post to this group, send email to firstname.lastname@example.org. > To view this discussion on the web visit > https://groups.google.com/d/msgid/qubes-users/e5d1abf4-4627-4a09-927c-ec4294cc481d%40googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to email@example.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/EF1BE37B-21E0-44BE-866C-2BE99DD1726E%40gmail.com. For more options, visit https://groups.google.com/d/optout.