Yubico Forum https://forum.yubico.com/

yubico-pam and response verification https://forum.yubico.com/viewtopic.php?f=8&t=639
Page 1 of 1

Author: yaramo [ Wed Feb 23, 2011 8:27 pm ]
Post subject: yubico-pam and response verification
I just installed the yubico-pam module and got it working ok. However looking at the source, it seems very naive:

/etc/pam.d/su
    auth sufficient pam_yubico.so id=5180 key=redacted= url=http://127.0.0.1:5000/wsapi/verify?id=%d&otp=%s debug

In one window:
    $ nc -l 5000

In another:
    $ su
    Yubikey for `root': [press key]

In nc window:
    $ nc -l 5000
    GET /wsapi/verify?id=5180&otp=redacted&h=redacted=&nonce=ghqhmsiewomlmbetmeptpimowjdnxlcd HTTP/1.1
    User-Agent: ykclient/2.4
    Host: 127.0.0.1:5000
    Accept: */*

type:
    status=OK

In su window:
    #

What am I supposed to do to make this secure? i.e. prevent a man in the middle returning status=OK for anything.
Author: Fredrik-at-Yubico [ Thu Feb 24, 2011 8:09 am ]
Post subject: Re: yubico-pam and response verification
The solution is to use a Validation protocol version 2.0 client. Version 2.0 uses either a shared key (HMAC checksums), SSL or both to provide integrity in the requests/responses to the validation servers. http://code.google.com/p/yubikey-val-se ... rotocolV20

I've integrated various patches from contributors updating the yubico-c-client to the v2.0 specification. This is now ready for testing, which I haven't gotten around to yet. The plan is to release yubico-c-client v2.4 (last release was 2.3) _without_ these patches (as a more stable release), and then aim to release 2.5 _with_ these patches fairly quickly.

It looks like you've compiled yubico-c-client from source? You are most welcome to help testing this new branch:
    $ git clone git://github.com/Yubico/yubico-c-client.git -b feature/v2.0_validation

/Fredrik
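The shared-key (HMAC) half of the protocol 2.0 integrity check, as an added Python example written for this thread rather than taken from yubico-c-client or the posts. It assumes the 2.0 response is newline-separated key=value lines where h is base64(HMAC-SHA1) over the remaining fields sorted by name and joined with '&', and it uses a constructed API key and OTP together with the nonce from the request above.

```python
"""Verify the h= signature on a YubiKey validation protocol 2.0 response."""
import base64
import hashlib
import hmac

# Constructed demo API key. In the PAM line the key is the base64 string after key=;
# it must be base64-decoded before it is used as the HMAC key.
API_KEY = base64.b64decode("Y29uc3RydWN0ZWQtZGVtby1rZXk=")
SAMPLE_OTP = "ccccccbcgebtdurrhijlecbknbcfbgtkcnuevkfrgdji"   # constructed, not a real OTP
SAMPLE_NONCE = "ghqhmsiewomlmbetmeptpimowjdnxlcd"             # nonce from the request in the thread


def sign_fields(fields: dict, api_key: bytes) -> str:
    """HMAC-SHA1 over 'k=v' pairs sorted by name and joined with '&', h excluded, base64 output."""
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    return base64.b64encode(hmac.new(api_key, msg.encode(), hashlib.sha1).digest()).decode()


def parse_response(body: str) -> dict:
    """Split the newline-separated 'key=value' body; only the first '=' separates key and value."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            key, value = line.strip().split("=", 1)
            fields[key] = value
    return fields


def make_signed_response(fields: dict, api_key: bytes) -> str:
    """Stand-in for the validation server: the given fields plus a correct h= line."""
    signed = dict(fields, h=sign_fields(fields, api_key))
    return "".join(f"{k}={v}\r\n" for k, v in signed.items())


def verify_response(body: str, api_key: bytes, sent_otp: str, sent_nonce: str):
    """Return (accepted, reason). Accept only a correctly signed OK that echoes our otp and nonce."""
    fields = parse_response(body)
    if "h" not in fields:
        return False, "missing signature"          # the bare status=OK from the first post lands here
    if not hmac.compare_digest(fields["h"], sign_fields(fields, api_key)):
        return False, "bad signature"              # forged or tampered body, or wrong shared key
    if fields.get("otp") != sent_otp:
        return False, "otp mismatch"
    if fields.get("nonce") != sent_nonce:
        return False, "nonce mismatch"             # a valid response replayed from another request
    if fields.get("status") != "OK":
        return False, f"status={fields.get('status')}"
    return True, "ok"
```

The unsigned `status=OK` body typed into nc in the first post is rejected for lacking an h field, and a genuinely signed response replayed from an earlier request is rejected on the nonce. Without the shared key the check degrades to transport integrity only, which is why the thread pairs it with SSL.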
Author: yaramo [ Thu Feb 24, 2011 9:32 am ]
Post subject: Re: yubico-pam and response verification
Fredrik-at-Yubico wrote:
    The solution is to use a Validation protocol version 2.0 client.

Ok, I understand now. I'll give it a go. Bit of a huge gaping hole though!
Author: Fredrik-at-Yubico [ Thu Feb 24, 2011 3:20 pm ]
Post subject: Re: yubico-pam and response verification
Yes, definitely. Validation protocol 2.0 has been available for a long time, but unfortunately updating the c-client was lagging behind. Anyways, I've been working on (and testing) the 2.0-branch today, and it seems to work now (HMAC signing was broken this morning). Please bring any issues to my attention - preferably in the yubico-devel google group. http://groups.google.com/group/yubico-devel

/Fredrik
All times are UTC + 1 hour