> On Mar 23, 2020, at 8:48 PM, William Herrin wrote:
>> If they *do* steal both,
>> they can bruteforce the SSH passphrase, but after 5 tries of guessing
>> the Yubikey PIN it self-destructs.
>
> What yubikey are you talking about? I have a password protecting my
> ssh key but the yubikeys
To give it a mention, I’m a big fan of Duo Security. Auth requests are sent
out-of-band to an authenticated app on your mobile device, you verify the
request, then that’s sent back to the duo server and then to the requestor.
I’ve used it with ssh and radius and it worked well.
Microsoft’s
>
> What yubikey are you talking about? I have a password protecting my
> ssh key but the yubikeys I've used (including the FIPS version) spit
> out a string of characters when you touch them. No pin.
>
PIV enabled ones have pins if you are using that functionality.
On Mon, Mar 23, 2020 at 8:51
How about a new technology I have heard about called sqrl. See
https://sqrl.grc.com for more information. It overcomes a lot of the
problems discussed here.
On Mon, 23 Mar 2020 22:22:18 -0400,
Michael Loftis wrote:
>
> On Mon, Mar 23, 2020 at 20:08 Michael Loftis wrote:
>
> >
> >
> >
On Mon, Mar 23, 2020 at 20:08 Michael Loftis wrote:
>
>
> On Mon, Mar 23, 2020 at 18:50 William Herrin wrote:
>
>> On Mon, Mar 23, 2020 at 5:16 PM Warren Kumari wrote:
>> > Well, yes and no. With a Yubikey the attacker has to be local to
>> > physically touch the button[0] - with just an SSH
On Mon, Mar 23, 2020 at 18:50 William Herrin wrote:
> On Mon, Mar 23, 2020 at 5:16 PM Warren Kumari wrote:
> > Well, yes and no. With a Yubikey the attacker has to be local to
> > physically touch the button[0] - with just an SSH key, anyone who gets
> > access to the machine can take my key
On Mon, Mar 23, 2020 at 5:16 PM Warren Kumari wrote:
> Well, yes and no. With a Yubikey the attacker has to be local to
> physically touch the button[0] - with just an SSH key, anyone who gets
> access to the machine can take my key and use it. This puts it in the
> "something you have" (not
On Mon, Mar 23, 2020 at 7:57 PM William Herrin wrote:
>
> > On 3/23/20 3:53 PM, Sabri Berisha wrote:
> > In my experience, yubikeys are not very secure. I know of someone in my
> > team who would generate a few hundred tokens during a meeting and save the
> > output in a text file. Then they'd
> On 3/23/20 3:53 PM, Sabri Berisha wrote:
> In my experience, yubikeys are not very secure. I know of someone in my team
> who would generate a few hundred tokens during a meeting and save the output
> in a text file. Then they'd have a small python script which was triggered by
> a hotkey on
On Mon, Mar 23, 2020 at 7:34 PM George Michaelson wrote:
>
> I don't see SKEY style OTP lists as inherently bad. "it's how you do
> it" which concerns me, not that it is done.
>
Trust your users to always ALWAYS find the worst way to use the product.
Note the label on bleach bottles: "Do not
I don't see SKEY style OTP lists as inherently bad. "it's how you do
it" which concerns me, not that it is done.
-G
On Tue, Mar 24, 2020 at 9:33 AM Christopher Morrow
wrote:
>
> On Mon, Mar 23, 2020 at 7:00 PM Michael Thomas wrote:
> >
> > On 3/23/20 3:53 PM, Sabri Berisha wrote:
> >
> > Hi,
>
On Mon, Mar 23, 2020 at 7:00 PM Michael Thomas wrote:
>
> On 3/23/20 3:53 PM, Sabri Berisha wrote:
>
> Hi,
>
> In my experience, yubikeys are not very secure. I know of someone in my team
> who would generate a few hundred tokens during a meeting and save the output
> in a text file. Then