Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 12:11 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 4 posts ] 
Author Message
PostPosted: Wed Feb 23, 2011 8:27 pm 
Offline

Joined: Wed Feb 23, 2011 8:19 pm
Posts: 2
I just installed the yubico-pam module and got it working ok. However looking at the source, it seems very naive:

/etc/pam.d/su
auth sufficient pam_yubico.so id=5180 key=redacted= url=http://127.0.0.1:5000/wsapi/verify?id=%d&otp=%s debug

In one window:
$ nc -l 5000

In another:
$ su
Yubikey for `root':
[press key]

In nc window:
$ nc -l 5000
GET /wsapi/verify?id=5180&otp=redacted&h=redacted=&nonce=ghqhmsiewomlmbetmeptpimowjdnxlcd HTTP/1.1
User-Agent: ykclient/2.4
Host: 127.0.0.1:5000
Accept: */*

type:
status=OK

In su window:
#

What am I supposed to do to make this secure? i.e. prevent a man in the middle returning status=OK for anything.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Thu Feb 24, 2011 8:09 am 
The solution is to use a Validation protocol version 2.0 client.

Version 2.0 uses either either a shared key (HMAC checksums), SSL or both to provide integrity in the requests/responses to the validation servers.

http://code.google.com/p/yubikey-val-se ... rotocolV20

I've integrated various patches from contributors updating the yubico-c-client to the v2.0 specification. This is now ready for testing, which I haven't gotten around to yet. The plan is to release yubico-c-client v2.4 (last release was 2.3) _without_ these patches (as a more stable release), and then aim to release 2.5 _with_ these patches fairly quickly.

It looks like you've compiled yubico-c-client from source? You are most welcome to help testing this new branch :

$ git clone git://github.com/Yubico/yubico-c-client.git -b feature/v2.0_validation

/Fredrik


Top
  
Reply with quote  
PostPosted: Thu Feb 24, 2011 9:32 am 
Offline

Joined: Wed Feb 23, 2011 8:19 pm
Posts: 2
Fredrik-at-Yubico wrote:
The solution is to use a Validation protocol version 2.0 client.


Ok, I understand now. I'll give it a go. Bit of a huge gaping hole though!


Top
 Profile  
Reply with quote  
PostPosted: Thu Feb 24, 2011 3:20 pm 
Yes, definitely. Validation protocol 2.0 has been available for a long time, but unfortunately updating the c-client was lagging behind.

Anyways, I've been working on (and testing) the 2.0-branch today, and it seems to work now (HMAC signing was broken this morning).

Please bring any issues to my attention - preferably in the yubico-devel google group. http://groups.google.com/group/yubico-devel

/Fredrik


Top
  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group