[talk] [nycbug-talk] Reducing password fatigue on OpenBSD (or any BSD)

Isaac (.ike) Levy ike at blackskyresearch.net
Mon Apr 20 23:50:04 EDT 2015


Raising this thread,

On 11/11/13 13:34, Eric Radman wrote:
> On Mon, Nov 11, 2013 at 12:19:34PM -0500, Raul Cuza wrote:
>> On Sat, Nov 9, 2013 at 8:41 PM, Eric Radman <ericshane at eradman.com> wrote:
>>>
>>> Are there any well-respected practices for keying off of data stored on
>>> a USB stick? How might one collapse two of these steps in a reasonably
>>> secure way?
>>
>> It seems like any automation between the volume decryption and getting
>> s*$+ done would leave you vulnerable in some way. It is not like a
>> unique code can be generated on the output of one step that can be
>> part of the input of the next step.
> I agree, but isn't this basically what single sign-on systems do?
>
>> What about something like the Yubi key? It means you have to have a
>> USB port (which you do not seem to be opposed to) and you don't have
>> to type your passphrase(s) over and over. See
>> http://geekyschmidt.com/2010/12/27/yubikey-and-my-desire-to-beat-the-feds-to-hspd12-compliance
>> for a post about it.
> Thanks, this is exactly what I was looking for. <bcallah> also suggested
> this on IRC. YubiKey is brilliant because generating one-time keys can
> be used as a replacement for passwords OR as an inexpensive way to set
> up two-factor authentication.
> (http://undeadly.org/cgi?action=article&sid=20130616112437)
> 
> Eric

Just started playing with a Yubikey.  Didn't really understand the thing
at first.

And then it hit me: this is the cheap, easily introspectable, hardware
auth token I've been dying for for like a decade...

- No batteries (like RSA keys)
- No special software API (it shows up as a USB keyboard)

I'm not sure I grok the U2F spec versions, but the OTP versions are
outright the coolest little thing I've seen in a while...

--
First thought, has anyone done/seen/hacked-up anything to use Yubikeys
as a RADIUS auth server?  I mean, everything but the keys themselves
would be FOSS...
(I'm not talking about their cloud service, I'm talking about using
their open libs to hook PAM and make FreeRADIUS run...)
https://developers.yubico.com/yubico-pam/YubiKey_and_FreeRADIUS_via_PAM.html

Has anyone done any of this?
(In light of my post yesterday on VPNs, this Yubikey has me totally
captivated.)

Best,
.ike
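Below, as an added illustration that is not part of the thread and not Yubico's or yubico-pam's code, is the validation-side logic the OTP server behind a PAM/FreeRADIUS setup has to perform on each 44-character OTP: modhex decoding, the CRC check, the private-uid match and, the part that makes the value one-time, a strictly increasing (session counter, session use) pair per key. The field layout, modhex alphabet and CRC residual are Yubico's published ones; the public identity, private uid and key bytes are constructed, and the per-key AES-128 decryption is injected as a callable, with a clearly labelled XOR stand-in used in the demo so the block runs with only the standard library.

```python
"""YubiKey OTP validation-side logic (added example; constructed data).
OTP = 12 modhex chars of public identity + 32 modhex chars (16 bytes) of
AES-128-ECB-encrypted token.  The AES step is a caller-supplied callable."""
import struct

MODHEX = "cbdefghijklnrtuv"     # Yubico's keyboard-layout-agnostic hex alphabet
CRC_OK_RESIDUAL = 0xF0B8        # crc16 over a valid 16-byte token yields this


def modhex_decode(text: str) -> bytes:
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not modhex")
    nib = [MODHEX.index(ch) for ch in text]
    return bytes(hi << 4 | lo for hi, lo in zip(nib[::2], nib[1::2]))


def modhex_encode(data: bytes) -> str:
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0xF] for b in data)


def crc16(data: bytes) -> int:
    """CRC-16 as in Yubico's reference code: init 0xFFFF, reflected poly 0x8408."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def parse_token(plain: bytes) -> dict:
    """Decrypted 16-byte token: uid[6], use counter, timestamp lo/hi,
    session use, random, crc (all integers little-endian)."""
    uid, ctr, tstpl, tstph, use, rnd, crc = struct.unpack("<6sHHBBHH", plain)
    # bit 15 of the counter is a keyboard-state flag in Yubico's header, not count
    return {"uid": uid, "ctr": ctr & 0x7FFF, "ts": tstph << 16 | tstpl,
            "use": use, "rnd": rnd, "crc": crc}


class OtpValidator:
    """Per public id: expected private uid, decrypt callable, and the
    highest (counter, use) pair accepted so far (the replay defence)."""

    def __init__(self, keys: dict):
        self.keys = keys            # public_id -> (private uid, decrypt callable)
        self.last = {}

    def validate(self, otp: str) -> tuple:
        if len(otp) != 44:
            return False, "bad length"
        public_id, body = otp[:12], otp[12:]
        if public_id not in self.keys:
            return False, "unknown key"
        uid, decrypt = self.keys[public_id]
        try:
            plain = decrypt(modhex_decode(body))
        except ValueError as exc:
            return False, str(exc)
        if len(plain) != 16 or crc16(plain) != CRC_OK_RESIDUAL:
            return False, "bad crc"          # wrong key or altered OTP
        tok = parse_token(plain)
        if tok["uid"] != uid:
            return False, "uid mismatch"
        if (tok["ctr"], tok["use"]) <= self.last.get(public_id, (-1, -1)):
            return False, "replay"           # counters must move strictly forward
        self.last[public_id] = (tok["ctr"], tok["use"])
        return True, "ok"


# --- constructed demo material, not real key data ---
DEMO_KEY = bytes(range(0x10, 0x20))      # stand-in for the per-key AES-128 secret
DEMO_PUBLIC_ID = "ccccccbcgujh"          # constructed 12-char public identity
DEMO_UID = b"\x01\x02\x03\x04\x05\x06"   # constructed 6-byte private uid


def xor_stand_in(block: bytes) -> bytes:
    """NOT AES: symmetric XOR placeholder so the demo runs offline."""
    return bytes(a ^ b for a, b in zip(block, DEMO_KEY))


def make_demo_otp(ctr: int, use: int, ts: int = 0x123456, rnd: int = 0xBEEF) -> str:
    """Build what the key itself emits: fields + complemented CRC, 'encrypted', modhexed."""
    body = struct.pack("<6sHHBBH", DEMO_UID, ctr, ts & 0xFFFF, ts >> 16, use, rnd)
    token = body + struct.pack("<H", (~crc16(body)) & 0xFFFF)
    return DEMO_PUBLIC_ID + modhex_encode(xor_stand_in(token))


def demo() -> list:
    v = OtpValidator({DEMO_PUBLIC_ID: (DEMO_UID, xor_stand_in)})
    first = make_demo_otp(ctr=5, use=1)
    tampered = first[:-1] + ("c" if first[-1] != "c" else "b")
    return [v.validate(first)[1],                # fresh OTP -> ok
            v.validate(first)[1],                # same OTP typed twice -> replay
            v.validate(make_demo_otp(5, 0))[1],  # older session use -> replay
            v.validate(make_demo_otp(6, 0))[1],  # new power-on session -> ok
            v.validate(tampered)[1]]             # one char altered -> bad crc


if __name__ == "__main__":
    print(demo())
```

The replay state is the whole point of the server side: every OTP decrypts and passes the CRC forever, so a validator that only checks the CRC and uid turns the token into a static password once an OTP has been captured; the monotonic counter comparison is what a PAM/RADIUS deployment must persist per key.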
