Hello,
I have Yubikey Std and want to use it for remote ssh login. As far as I know, the existing method is with cloud server or similar solution with local/private installation of "cloud" login server. I have idea for more simple and useful solution (not sure whether it already exists). I will explain it from user viewpoint:
1. When connected on ssh/telnet/local console, you get "Username:" prompt; 2. If you enter normal username, Password: prompt follows for regular login; 3. If you click on Yubikey configured for OTP, the long string "ccccccblr....." is entered for username. Here is the modified module/library - it recognizes the YC OTP user name (from the length + starting cccc..) and allows or denies the access (without Password prompt line). Linux module keeps increasing counter for OTP in protected file and the AES shared secret; 4. The module/software calculates the counter from OTP username and if the value is greather than stored value, the login is successful.
There is no cloud or other 3rd party or local server. The only security risk is from replay attack - if the same YC is used on 2+ servers. The advantage of all this is ability to login to remote server from unsafe terminal without risk of keyboard loggers.
The question is: If such module already exists, where to find it?
|