tdlk wrote:
I'm using my yubikey for openid and keygenius =) love it.
Always nice to hear
Quote:
Now I have some questions:
1) How many power-ups do I have? (non-volatile counter)
Hard to say. Assuming Yubico OTP mode, the Yubikey counts up the first time an OTP is generated after power up. Then the session counter counts up.
The use counter is limited to 15 bits, which today seems a bit stupid, trying to stuff bits as tight as possible. But, assuming even five power-ups per day, 365 days per year it will still take 32768 / 5 / 365 = 18 years for the counter to get stuck. I strongly doubt that it will ever happen to any [normal] user...
In OATH-HOTP mode, the counter is 16-bits, thereby expanding to double that number. OTOH, in HOTP mode, the non-volatile counter counts up every time the Yubikey is used.
Quote:
2) Is it reset when a new AES/OTP config is programmed?
Yes. If the counter eventually would hit the wall, the key can always be re-configured. Then the counter is back at zero again.
Quote:
3) Do the session/global counters wrap-around eventually?
4) How many OTPs can I generate per power-up (e.g. 48h coding session =) )?
In Yubico OTP mode, the counter gets stuck at 32767. In HOTP mode, it wraps from 65535 -> 0.
The session counter is 8 bits wide, giving 256 counts per power up cycle. If this counter wraps, the use counter is incremented, thereby avoiding a clash.
Quote:
5) Chicken & Egg problems: is it possible to use yubikey OTP for pam logins into Gnome Desktop? Encrypted home partition? How to solve this if pam is used to unlock gnome-keyring, gnome-keyring stores WiFi passwords, and WiFi is needed to connect to yubico server to authenticate pam? Also what about using pam to access gpg keys and encrypted home? Any suggestions? Or shall I use static passwords for this?
Seems like a static password would be best here. You can always use the second configuration for that.
Best regards,
JakobE
Hardware- and firmware guy @ Yubico
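The counter behaviour described in this reply, modelled as an added example (not JakobE's or Yubico's code): the 15-bit non-volatile use counter that saturates at 32767, the 8-bit session counter that carries into it on wrap, and the replay check a validation server applies to the pair. The counter widths come from the post; the class and method names are assumptions.

```python
# Illustrative model of the Yubico OTP counter pair; not Yubico firmware or
# validation-server code. Widths follow the forum reply: 15-bit use counter,
# 8-bit session counter.

USE_COUNTER_MAX = 0x7FFF     # 15-bit non-volatile counter, gets stuck here
SESSION_COUNTER_MAX = 0xFF   # 8-bit volatile counter, wraps here


class YubicoOtpCounters:
    """Simulates the two counters a YubiKey embeds in each Yubico OTP."""

    def __init__(self, use_counter=0):
        self.use = use_counter   # survives power cycles (non-volatile)
        self.session = 0         # restarts at zero on every power-up
        self._first_otp = True

    def power_up(self):
        """Plugging the key in: session restarts, use counter is untouched."""
        self.session = 0
        self._first_otp = True

    def generate(self):
        """Return the (use, session) pair the next OTP would carry."""
        if self._first_otp:
            # First OTP after power-up bumps the non-volatile counter.
            self.use = min(self.use + 1, USE_COUNTER_MAX)
            self.session = 0
            self._first_otp = False
        elif self.session == SESSION_COUNTER_MAX:
            # Session counter wraps; the use counter absorbs the carry.
            self.session = 0
            self.use = min(self.use + 1, USE_COUNTER_MAX)
        else:
            self.session += 1
        return self.use, self.session


class Validator:
    """Replay check a server applies to the decrypted counter pair."""

    def __init__(self):
        self.last = (-1, -1)     # highest (use, session) accepted so far

    def accept(self, use, session):
        # Counters must strictly increase. A replayed OTP, or one from a key
        # whose use counter has saturated, compares <= and is rejected.
        if (use, session) <= self.last:
            return False
        self.last = (use, session)
        return True
```

Once the use counter is stuck at 32767, every power cycle produces the same (32767, 0) pair, so the validator rejects the key until it is reprogrammed, which resets the counter as the reply says.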