Yubico Forum

I just installed the yubico-pam module and got it working ok. However looking at the source, it seems very naive:

/etc/pam.d/su
auth sufficient pam_yubico.so id=5180 key=redacted= url=http://127.0.0.1:5000/wsapi/verify?id=%d&otp=%s debug

In one window:
$ nc -l 5000

In another:
$ su
Yubikey for `root':
[press key]

In nc window:
$ nc -l 5000
GET /wsapi/verify?id=5180&otp=redacted&h=redacted=&nonce=ghqhmsiewomlmbetmeptpimowjdnxlcd HTTP/1.1
User-Agent: ykclient/2.4
Host: 127.0.0.1:5000
Accept: */*

type:
status=OK

In su window:
#

What am I supposed to do to make this secure? i.e. prevent a man in the middle returning status=OK for anything.

The solution is to use a Validation protocol version 2.0 client.

Version 2.0 uses either either a shared key (HMAC checksums), SSL or both to provide integrity in the requests/responses to the validation servers.

http://code.google.com/p/yubikey-val-se ... rotocolV20

I've integrated various patches from contributors updating the yubico-c-client to the v2.0 specification. This is now ready for testing, which I haven't gotten around to yet. The plan is to release yubico-c-client v2.4 (last release was 2.3) _without_ these patches (as a more stable release), and then aim to release 2.5 _with_ these patches fairly quickly.

It looks like you've compiled yubico-c-client from source? You are most welcome to help testing this new branch :

$ git clone git://github.com/Yubico/yubico-c-client.git -b feature/v2.0_validation

/Fredrik

Ok, I understand now. I'll give it a go. Bit of a huge gaping hole though!

Yes, definitely. Validation protocol 2.0 has been available for a long time, but unfortunately updating the c-client was lagging behind.

Anyways, I've been working on (and testing) the 2.0-branch today, and it seems to work now (HMAC signing was broken this morning).

Please bring any issues to my attention - preferably in the yubico-devel google group. http://groups.google.com/group/yubico-devel

/Fredrik