<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-gb">
<link rel="self" type="application/atom+xml" href="https://forum.yubico.com/feed.php?f=3&amp;t=2622" />

<title>Yubico Forum</title>
<subtitle>...visit our web-store at</subtitle>
<link href="https://forum.yubico.com/index.php" />
<updated>2017-04-14T06:27:56+01:00</updated>

<author><name><![CDATA[Yubico Forum]]></name></author>
<id>https://forum.yubico.com/feed.php?f=3&amp;t=2622</id>
<entry>
<author><name><![CDATA[saso]]></name></author>
<updated>2017-04-14T06:27:56+01:00</updated>
<published>2017-04-14T06:27:56+01:00</published>
<id>https://forum.yubico.com/viewtopic.php?t=2622&amp;p=9548#p9548</id>
<link href="https://forum.yubico.com/viewtopic.php?t=2622&amp;p=9548#p9548"/>
<title type="html"><![CDATA[Re: What is the risk of verbose_otp when using OpenSSH?]]></title>

<content type="html" xml:base="https://forum.yubico.com/viewtopic.php?t=2622&amp;p=9548#p9548"><![CDATA[
Hello Matthew,<br /><br />Thanks!<br /><br />Since Yubico OTP is input as USB keyboard, I think that keylogging is also possible without the verbose_otp option.<br />Is it wrong..?<br /><br />When using two factor authentication with Publickey Authentication and Yubico OTP, the change with verbose_otp option will only display used OTP on the terminal.<br /><br />Best,<br />saso<p>Statistics: Posted by <a href="https://forum.yubico.com/memberlist.php?mode=viewprofile&amp;u=4767">saso</a> — Fri Apr 14, 2017 6:27 am</p><hr />
]]></content>
</entry>
<entry>
<author><name><![CDATA[mattlegitt]]></name></author>
<updated>2017-04-13T18:03:58+01:00</updated>
<published>2017-04-13T18:03:58+01:00</published>
<id>https://forum.yubico.com/viewtopic.php?t=2622&amp;p=9547#p9547</id>
<link href="https://forum.yubico.com/viewtopic.php?t=2622&amp;p=9547#p9547"/>
<title type="html"><![CDATA[Re: What is the risk of verbose_otp when using OpenSSH?]]></title>

<content type="html" xml:base="https://forum.yubico.com/viewtopic.php?t=2622&amp;p=9547#p9547"><![CDATA[
Hello saso,<br /><br />Setting the verbose_otp option is not recommended and can open your system to keylogging as it will also send and record the password along with the otp string.<br /><br />Best Regards,<br />Matthew<br />Yubico Support<p>Statistics: Posted by <a href="https://forum.yubico.com/memberlist.php?mode=viewprofile&amp;u=4123">mattlegitt</a> — Thu Apr 13, 2017 6:03 pm</p><hr />
]]></content>
</entry>
<entry>
<author><name><![CDATA[saso]]></name></author>
<updated>2017-04-13T12:54:09+01:00</updated>
<published>2017-04-13T12:54:09+01:00</published>
<id>https://forum.yubico.com/viewtopic.php?t=2622&amp;p=9545#p9545</id>
<link href="https://forum.yubico.com/viewtopic.php?t=2622&amp;p=9545#p9545"/>
<title type="html"><![CDATA[What is the risk of verbose_otp when using OpenSSH?]]></title>

<content type="html" xml:base="https://forum.yubico.com/viewtopic.php?t=2622&amp;p=9545#p9545"><![CDATA[
Hello,<br /><br />Thanks for great products!<br /><br />In <a href="https://github.com/Yubico/yubico-pam" class="postlink">README</a>, It says that verbose_otp can not be used in OpenSSH.<br />However, verbose_otp option can be used with OpenSSH_5.3p1 <img src="https://forum.yubico.com/images/smilies/icon_e_smile.gif" alt=":)" title="Smile" /><br /><br />And in README,<br />&gt; You are advised to not use this, if you are using two factor authentication because that will display your password on the screen.<br /><br />What is the risk of verbose_otp when using OpenSSH?<br />Even if the used one-time password leaks out, it seems to be no problem because validation server does not accept OTP.<br /><br />Thanks.<p>Statistics: Posted by <a href="https://forum.yubico.com/memberlist.php?mode=viewprofile&amp;u=4767">saso</a> — Thu Apr 13, 2017 12:54 pm</p><hr />
]]></content>
</entry>
</feed>