[talk] [nycbug-talk] Reducing password fatigue on OpenBSD (or any BSD)

Isaac (.ike) Levy ike at blackskyresearch.net
Mon Apr 20 23:50:04 EDT 2015

Raising this thread,

On 11/11/13 13:34, Eric Radman wrote:
> On Mon, Nov 11, 2013 at 12:19:34PM -0500, Raul Cuza wrote:
>> On Sat, Nov 9, 2013 at 8:41 PM, Eric Radman <ericshane at eradman.com> wrote:
>>>
>>> Are there any well-respected practices for keying off of data stored on
>>> a USB stick? How might one collapse two of these steps in a reasonably
>>> secure way?
>>
>> It seems like any automation between the volume decryption and getting
>> s*$+ done would leave you vulnerable in some way. It is not like a
>> unique code can be generated on the output of one step that can be
>> part of the input of the next step.
>
> I agree, but isn't this basically what single sign-on systems do?
>
>> What about something like the Yubi key? It means you have to have a
>> USB port (which you do not seem to be opposed to) and you don't have
>> to type your passphrase(s) over and over. See
>> http://geekyschmidt.com/2010/12/27/yubikey-and-my-desire-to-beat-the-feds-to-hspd12-compliance
>> for a post about it.
>
> Thanks, this is exactly what I was looking for. <bcallah> also suggested
> this on IRC. YubiKey is brilliant because generating one-time keys can
> be used as a replacement for passwords OR as an inexpensive way to set
> up two-factor authentication.
> (http://undeadly.org/cgi?action=article&sid=20130616112437)
>
> Eric

Just started playing with a Yubikey.  Didn't really understand the thing
at first.

And then it hit me: this is the cheap, easily introspectable, hardware
auth token I've been dying for for like a decade...

- No batteries (like RSA keys)
- No special software API (it shows up as a USB keyboard)

I'm not sure I grok the U2F spec versions, but the OTP versions are
outright the coolest little thing I've seen in a while...

First thought, has anyone done/seen/hacked-up anything to use Yubikeys
as a RADIUS auth server?  I mean, everything but the keys themselves,
would be FOSS...
(I'm not talking about their cloud service, I'm talking about using
their open libs to hook PAM and make FreeRADIUS run...)

Has anyone done any of this?
(In light of my post yesterday on VPNs, this Yubikey has me totally
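The self-hosted setup Ike is asking about (validation done by your own server, with Yubico's cloud out of the loop) comes down to a short procedure on the server side: strip the modhex public id the key types in the clear, AES-128-decrypt the remaining 16 bytes with that key's secret, check the CRC-16 residue and the 6-byte private uid, and refuse any OTP whose (session counter, use counter) pair is not strictly greater than the last pair accepted for that key. The script below is an added example written for this page; it is not code from the post, from libyubikey or from pam_yubico. The AES key, public id, private uid, timestamp and counters in it are made up, `generate_otp` stands in for the physical key so the whole round trip runs offline, and the pure-Python AES-128 is there only so the file has no dependencies.

```python
# Added example, not code from the list post, libyubikey or pam_yubico: a self-hosted
# YubiKey OTP verifier. Key, public id, private uid and counters below are made up.
from dataclasses import dataclass
from functools import reduce
from operator import xor

MODHEX = "cbdefghijklnrtuv"   # YubiKey's keyboard-layout-independent hex alphabet

def modhex_decode(s):
    return bytes(MODHEX.index(s[i]) << 4 | MODHEX.index(s[i + 1]) for i in range(0, len(s), 2))
def modhex_encode(b):
    return "".join(MODHEX[x >> 4] + MODHEX[x & 0xF] for x in b)

def crc16(data):              # ISO 13239 CRC-16 as the key uses it: reflected, poly 0x8408, init 0xffff
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x8408 if crc & 1 else 0)
    return crc

# --- minimal AES-128, one block; state and round keys are column-major byte lists ---
def _gmul(a, b):              # multiply in GF(2^8) modulo the AES polynomial 0x11b
    p = 0
    for _ in range(8):
        p ^= a if b & 1 else 0
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return p
def _rotl(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF
def _sboxes():                # S-box = affine map of the field inverse, so no 256-entry table to mistype
    sbox = [0] * 256
    for a in range(256):
        inv = next((b for b in range(1, 256) if _gmul(a, b) == 1), 0)
        sbox[a] = inv ^ _rotl(inv, 1) ^ _rotl(inv, 2) ^ _rotl(inv, 3) ^ _rotl(inv, 4) ^ 0x63
    return sbox, [sbox.index(i) for i in range(256)]
SBOX, INV_SBOX = _sboxes()

def _expand_key(key):         # AES-128 key schedule: 11 round keys of 16 bytes
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[-1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, _gmul(rcon, 2)
        w.append([x ^ y for x, y in zip(w[-4], t)])
    return [sum(w[i:i + 4], []) for i in range(0, 44, 4)]
def _shift_rows(s, d):        # d=1 forward, d=-1 inverse
    return [s[r + 4 * ((c + d * r) % 4)] for c in range(4) for r in range(4)]
def _mix_columns(s, coef):    # coef (2,3,1,1) forward, (14,11,13,9) inverse
    return [reduce(xor, (_gmul(s[4 * c + (r + k) % 4], coef[k]) for k in range(4)))
            for c in range(4) for r in range(4)]
def _add_key(s, k):
    return [x ^ y for x, y in zip(s, k)]

def aes128_encrypt_block(key, block):
    rk = _expand_key(key)
    s = _add_key(block, rk[0])
    for rnd in range(1, 11):
        s = _shift_rows([SBOX[b] for b in s], 1)
        s = _add_key(_mix_columns(s, (2, 3, 1, 1)) if rnd < 10 else s, rk[rnd])
    return bytes(s)
def aes128_decrypt_block(key, block):
    rk = _expand_key(key)
    s = _add_key(block, rk[10])
    for rnd in range(9, -1, -1):
        s = _add_key([INV_SBOX[b] for b in _shift_rows(s, -1)], rk[rnd])
        s = _mix_columns(s, (14, 11, 13, 9)) if rnd else s
    return bytes(s)

# --- the OTP: public id in the clear, then AES(uid | counters | timestamp | random | crc) in modhex ---
@dataclass
class KeyRecord:              # per-key state on the validation server; the AES key never leaves it
    public_id: str            # modhex prefix the key types before the encrypted part
    aes_key: bytes            # 16-byte secret programmed into the key at enrolment
    private_uid: bytes        # 6-byte secret carried inside the encrypted part
    counter: int = 0          # highest accepted (session counter, use counter) pair
    use: int = 0

def generate_otp(rec, counter, use, tstamp=0x5A5A5A, rnd=0xBEEF):
    """Stand-in for the physical key: 14-byte body, inverted CRC appended, AES, modhex."""
    body = (rec.private_uid + counter.to_bytes(2, "little") + tstamp.to_bytes(3, "little")
            + bytes([use]) + rnd.to_bytes(2, "little"))
    body += (~crc16(body) & 0xFFFF).to_bytes(2, "little")
    return rec.public_id + modhex_encode(aes128_encrypt_block(rec.aes_key, body))

def validate_otp(rec, otp):
    """Return (accepted, reason); on success advance rec's counters so a replay is refused."""
    otp = otp.strip().lower()
    if len(otp) < 32 or any(ch not in MODHEX for ch in otp) or otp[:-32] != rec.public_id:
        return False, "not a modhex otp for this public id"
    pt = aes128_decrypt_block(rec.aes_key, modhex_decode(otp[-32:]))
    if crc16(pt) != 0xF0B8:                         # CRC residue: wrong key or corrupted otp
        return False, "crc failed"
    if pt[:6] != rec.private_uid:
        return False, "private uid mismatch"
    counter = int.from_bytes(pt[6:8], "little") & 0x7FFF   # bit 15 flags a caps-lock trigger
    if (counter, pt[11]) <= (rec.counter, rec.use):
        return False, "replay or stale otp"
    rec.counter, rec.use = counter, pt[11]
    return True, "ok"
```

`validate_otp` is the piece a PAM module or a FreeRADIUS auth hook would call; everything it needs is the per-key record, so the only state worth protecting on the server is the AES key and the last accepted counter pair (the counter must be stored durably, or a rebooted server will happily accept a replayed OTP). The OTP is one AES block with no mode around it, which is why the private uid and the CRC residue are the only things standing between a wrong key and an accepted forgery; both checks are mandatory. For a real deployment swap the toy AES for the OpenSSL-backed one in the `cryptography` package, or use libyubikey, which implements exactly this modhex, CRC and counter logic in C.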


