[talk] [nycbug-talk] Reducing password fatigue on OpenBSD (or any BSD)
Isaac (.ike) Levy
ike at blackskyresearch.net
Mon Apr 20 23:50:04 EDT 2015
Raising this thread,
On 11/11/13 13:34, Eric Radman wrote:
> On Mon, Nov 11, 2013 at 12:19:34PM -0500, Raul Cuza wrote:
>> On Sat, Nov 9, 2013 at 8:41 PM, Eric Radman <ericshane at eradman.com> wrote:
>>>
>>> Are there any well-respected practices for keying off of data stored on
>>> a USB stick? How might one collapse two of these steps in a reasonably
>>> secure way?
>>
>> It seems like any automation between the volume decryption and getting
>> s*$+ done would leave you vulnerable in some way. It is not like a
>> unique code can be generated on the output of one step that can be
>> part of the input of the next step.
> I agree, but isn't this basically what single sign-on systems do?
>
>> What about something like the Yubi key? It means you have to have a
>> USB port (which you do not seem to be opposed to) and you don't have
>> to type your passphrase(s) over and over. See
>> http://geekyschmidt.com/2010/12/27/yubikey-and-my-desire-to-beat-the-feds-to-hspd12-compliance
>> for a post about it.
> Thanks, this is exactly what I was looking for. <bcallah> also suggested
> this on IRC. YubiKey is brilliant because generating one-time keys can
> be used as a replacement for passwords OR as an inexpensive way to set
> up two-factor authentication.
> (http://undeadly.org/cgi?action=article&sid=20130616112437)
>
> Eric
Just started playing with a Yubikey. Didn't really understand the thing
at first.
And then it hit me: this is the cheap, easily introspectable, hardware
auth token I've been dying for for like a decade...
- No batteries (like RSA keys)
- No special software API (it shows up as a USB keyboard)
I'm not sure I grok the U2F spec versions, but the OTP versions are
outright the coolest little thing I've seen in a while...
--
First thought, has anyone done/seen/hacked-up anything to use Yubikeys
as a RADIUS auth server? I mean, everything but the keys themselves
would be FOSS...
(I'm not talking about their cloud service, I'm talking about using
their open libs to hook PAM and make FreeRADIUS run...)
https://developers.yubico.com/yubico-pam/YubiKey_and_FreeRADIUS_via_PAM.html
Has anyone done any of this?
(In light of my post yesterday on VPNs, this Yubikey has me totally
captivated.)
Best,
.ike
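What the OTP mode ike describes actually hands the server, and what a self-hosted validator behind PAM has to check, as an added example in Go that is not from this thread, from Yubico's libraries or from yubico-pam. It follows the published YubiKey OTP layout (12 modhex characters of public ID, then one AES-128 block holding private uid, session counter, timestamp, use counter, random bytes and a CRC-16 whose good residue is 0xf0b8), plays both the key side (Generate) and the validator side (Validate), and enforces the counter check that makes a captured OTP worthless on replay. The key, public ID and uid are constructed demo values, not any real token's secrets.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"errors"
	"strings"
)

// A YubiKey OTP is 44 modhex chars: 12 of public ID, then one AES-128 block (32 chars).
// Modhex uses keys that sit in the same place on every layout, which is what
// lets the token "type" itself as a plain USB keyboard on any host.
const modhex = "cbdefghijklnrtuv"

func modhexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, x := range b {
		out = append(out, modhex[x>>4], modhex[x&0x0f])
	}
	return string(out)
}

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := range out {
		hi, lo := strings.IndexByte(modhex, s[2*i]), strings.IndexByte(modhex, s[2*i+1])
		if hi < 0 || lo < 0 {
			return nil, errors.New("modhex: invalid character")
		}
		out[i] = byte(hi<<4 | lo)
	}
	return out, nil
}

// Reflected CRC-16 (poly 0x8408, init 0xffff); over a block whose last two
// bytes hold the complemented CRC of the first fourteen it evaluates to 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, x := range b {
		crc ^= uint16(x)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ (0x8408 & -(crc & 1)) // shift; xor the poly if low bit was set
		}
	}
	return crc
}

// Generate plays the key. Plaintext: private uid, session counter (bumped on
// power-up), 24-bit timestamp, use-within-session counter, random, CRC.
func Generate(publicID, key []byte, uid [6]byte, counter uint16, use uint8) (string, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, 16)
	copy(pt[0:6], uid[:])
	binary.LittleEndian.PutUint16(pt[6:8], counter)
	copy(pt[8:14], []byte{0x10, 0x32, 0x54, use, 0xef, 0xbe}) // constructed timestamp / random bytes
	binary.LittleEndian.PutUint16(pt[14:16], ^crc16(pt[:14]))
	ct := make([]byte, 16)
	blk.Encrypt(ct, pt) // a single block, so one raw AES encryption is the whole scheme
	return modhexEncode(publicID) + modhexEncode(ct), nil
}

// Validator plays the validation server for one enrolled key; the last
// (counter, use) pair it accepted is what defeats replay of a captured OTP.
type Validator struct {
	Key      []byte
	PublicID string
	UID      [6]byte
	lastCtr  uint16
	lastUse  uint8
	seen     bool
}

func (v *Validator) Validate(otp string) error {
	if len(otp) != 44 || otp[:12] != v.PublicID {
		return errors.New("unknown or malformed public id")
	}
	ct, err := modhexDecode(otp[12:])
	if err != nil {
		return err
	}
	blk, err := aes.NewCipher(v.Key)
	if err != nil {
		return err
	}
	pt := make([]byte, 16)
	blk.Decrypt(pt, ct)
	switch {
	case crc16(pt) != 0xf0b8:
		return errors.New("crc mismatch: wrong key or corrupted otp")
	case !bytes.Equal(pt[:6], v.UID[:]):
		return errors.New("private uid mismatch")
	}
	ctr, use := binary.LittleEndian.Uint16(pt[6:8])&0x7fff, pt[11] // top counter bit is a flag, not count
	if v.seen && (ctr < v.lastCtr || ctr == v.lastCtr && use <= v.lastUse) {
		return errors.New("replayed otp")
	}
	v.lastCtr, v.lastUse, v.seen = ctr, use, true
	return nil
}

// Constructed demo material; not any real key's secrets.
var (
	DemoKey      = []byte("0123456789abcdef")
	DemoPublicID = []byte{0, 0, 0, 0, 0, 1} // modhex "cccccccccccb"
	DemoUID      = [6]byte{1, 2, 3, 4, 5, 6}
)
```

The point to take from it for a FreeRADIUS-via-PAM setup is that the only secret is the per-key AES key: the public ID is just routing, the CRC is integrity (a wrong key decrypts to garbage that fails the residue), and the counter state on the validator is what has to be persisted and kept monotonic, because an OTP that was typed once, even if sniffed on the wire, must never validate twice.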