sommer / loxodo

Password Safe V3 compatible Password Vault
http://www.christoph-sommer.de/loxodo
GNU General Public License v2.0

Any plans for YubiKey support? #14

Closed drew1horn closed 11 years ago

drew1horn commented 12 years ago

http://www.yubico.com/developers-intro

sommer commented 12 years ago

Should be straightforward. I don't have one, though.

drew1horn commented 12 years ago

After a bit of chatting with Yubico they are willing to provide you the YubiKey passwordsafe bundle.

sommer commented 12 years ago

Thanks. Got it in the mail today. I'll see if I can make it work.

sommer commented 12 years ago

I've just pushed ea94ee6b1badb92092ad4112fab9f408b94aa579 to a new "yubikey" branch.

This adds a new "use hw token" button to the initial password dialog. When this button is pressed, the currently-entered password is (after some pre-processing) fed to a YubiKey. The result (after some post-processing) is then used as the new password.

For this to work, slot 2 of the first present YubiKey has to be configured to respond to variable-length HMAC-SHA1 requests using a static private key.

Let me know if this is what you had in mind.

drew1horn commented 12 years ago

Works when I run as root.

Otherwise:

$ ./loxodo.py
Traceback (most recent call last):
  File "/home/drew/Desktop/loxodo/src/frontends/wx/loadframe.py", line 135, in _on_use_hw_token
    YK = yubico.find_yubikey()
  File "/home/drew/Desktop/loxodo/src/yubico/yubikey.py", line 143, in find_key
    return YubiKeyUSBHID(debug=debug, skip=skip)
  File "/home/drew/Desktop/loxodo/src/yubico/yubikey_usb_hid.py", line 83, in __init__
    if not self._open(skip):
  File "/home/drew/Desktop/loxodo/src/yubico/yubikey_usb_hid.py", line 385, in _open
    self._usb_handle.setConfiguration(1)
usb.USBError: could not set config 1: Operation not permitted

What order do we press the buttons:

Have you looked at all the options at: http://demo.yubico.com/php-yubico/

I imagine it wouldn't take long to find someone who wants each of them. Although personally I would be happy with only a couple of them.

Might want to provide an option for using a validation server. Possibly:

Although the Free YubiCloud service requires an internet connection

Our robust OTP validation servers are arranged in a distributed failover configuration located at five different secure datacenters around the globe, all servers synchronized to each other making sure that there is no single point of failure and that responses are serviced in a timely manner, independent from where around the world the validation request is sent. Each backend server is equipped with YubiHSM Hardware Security Module(s) in order to make sure that all secret keys are fully protected and stored encrypted at all times. YubiKeys from the Yubico store come ready to use with the YubiCloud (no programming of the keys required).

I'd like to be able to associate multiple yubikeys with a vault so it's not catastrophic if a key is lost or destroyed.

On Mon, Jul 2, 2012 at 3:06 AM, Christoph Sommer <reply@reply.github.com> wrote:

I've just pushed d2528659a43450131047a7af144dfa5c8e37eb83 to a new "yubikey" branch.

This adds a new "use hw token" button to the initial password dialog. When this button is pressed, the currently-entered password is (after some pre-processing) fed to a YubiKey. The result (after some post-processing) is then used as the new password.

For this to work, slot 2 of the first present YubiKey has to be configured to respond to variable-length HMAC-SHA1 requests using a static private key.

Let me know if this is what you had in mind.


Drew Einhorn

"You can see a lot by just looking." -- Yogi Berra

sommer commented 12 years ago

If accessing the YubiKey on Linux works only as root, it is not automatically detected as a device that regular users should have full access to. If your system uses udev, you can create a file /etc/udev/rules.d/45-yubikey.rules with the following contents:

SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010", GROUP="plugdev"

This will make sure that all users in group "plugdev" (which you might need to add your user to) have full access to any YubiKey that is being plugged in.

With regard to other authentication modes, I'm afraid that unlocking a Loxodo vault with other means won't be possible. Any authentication that ends with asking the Yubico servers for authorization does nothing to protect the actual data in the vault. An attacker is highly likely to just steal the vault file, then use their own software to get to the data (which would just skip any authorization step).

This is why Loxodo uses the YubiKey to derive one (very long) password from another (that you enter): it is the long password that provides all security, nothing else. This also means that it makes no difference if the long password is generated by a YubiKey or entered manually -- if you are worried about losing your YubiKey, you can simply write down or store this (long) password somewhere safe.
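The derivation sketched above (entered password, pre-processing, HMAC-SHA1 challenge-response in slot 2, post-processing, long password) as an added Python example that is not Loxodo's own code: the slot secret is a constructed value, and the SHA-256 pre-processing and hex post-processing are my assumptions standing in for whatever Loxodo actually does. It also shows why the long password, not the token, is what matters: the same 40-character string can be recorded and entered by hand, and a second token with a different secret yields an unrelated string.

```python
import hashlib
import hmac

# Constructed 20-byte secrets standing in for the static key programmed into
# slot 2 of a YubiKey (assumption; a real key is generated at random).
SLOT2_SECRET = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
ALT_SECRET = bytes.fromhex("fedcba9876543210fedcba9876543210fedcba98")

# HMAC-SHA1 challenge-response on the token accepts challenges of up to 64 bytes.
YUBIKEY_MAX_CHALLENGE = 64


def preprocess(entered_password: str) -> bytes:
    """Assumed pre-processing: hash the typed password to a fixed 32-byte
    challenge so that it always fits the token's 64-byte limit."""
    return hashlib.sha256(entered_password.encode("utf-8")).digest()


def emulate_slot2(secret: bytes, challenge: bytes) -> bytes:
    """What the token computes in HMAC-SHA1 challenge-response mode:
    HMAC-SHA1(secret, challenge), a 20-byte response. On real hardware the
    secret never leaves the token; here it is emulated in software."""
    if not 1 <= len(challenge) <= YUBIKEY_MAX_CHALLENGE:
        raise ValueError("challenge must be between 1 and 64 bytes")
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def postprocess(response: bytes) -> str:
    """Assumed post-processing: hex-encode the response so the result is a
    40-character password that can also be written down and typed manually."""
    return response.hex()


def derive_vault_password(entered_password: str, secret: bytes = SLOT2_SECRET) -> str:
    """The long password that actually protects the vault."""
    return postprocess(emulate_slot2(secret, preprocess(entered_password)))


if __name__ == "__main__":
    long_pw = derive_vault_password("correct horse battery staple")
    print("long password (record this if you fear losing the token):", long_pw)
    # A different token (different slot secret) derives an unrelated password,
    # so a backup token cannot simply be "associated" after the fact.
    print("other token:", derive_vault_password("correct horse battery staple", ALT_SECRET))
```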

drew1horn commented 12 years ago

The udev incantation solved the non-root access problem.

I'll take a closer look at other authentication modes. I'm hoping that it is you, not I, that is misunderstanding them, and they just provide other paths to the same kind of very long password string, which is encrypted as it passes over the internet. I'll spend some time reading documentation and chatting with Yubico tech support. I'd be shocked to discover that it is that easy to bypass their security using any of their authentication modes.


Drew Einhorn

"You can see a lot by just looking." -- Yogi Berra