Yubico Forum
https://forum.yubico.com/

What is the risk of verbose_otp when using OpenSSH?
https://forum.yubico.com/viewtopic.php?f=3&t=2622

Author:  saso [ Thu Apr 13, 2017 12:54 pm ]
Post subject:  What is the risk of verbose_otp when using OpenSSH?

Hello,

Thanks for the great products!

In the README, it says that verbose_otp cannot be used in OpenSSH.
However, the verbose_otp option can be used with OpenSSH_5.3p1 :)

And in the README,
> You are advised to not use this, if you are using two factor authentication because that will display your password on the screen.

What is the risk of verbose_otp when using OpenSSH?
Even if the used one-time password leaks out, it seems to be no problem because the validation server does not accept the OTP.

Thanks.

Author:  mattlegitt [ Thu Apr 13, 2017 6:03 pm ]
Post subject:  Re: What is the risk of verbose_otp when using OpenSSH?

Hello saso,

Setting the verbose_otp option is not recommended and can open your system to keylogging, as it will also send and record the password along with the OTP string.

Best Regards,
Matthew
Yubico Support

Author:  saso [ Fri Apr 14, 2017 6:27 am ]
Post subject:  Re: What is the risk of verbose_otp when using OpenSSH?

Hello Matthew,

Thanks!

Since the Yubico OTP is input as a USB keyboard, I think that keylogging is also possible without the verbose_otp option.
Is that wrong?

When using two-factor authentication with public key authentication and Yubico OTP, the change with the verbose_otp option will only display the used OTP on the terminal.

Best,
saso
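
Added example, not part of the forum thread and not Yubico's code: a small Python audit that finds pam_yubico entries with verbose_otp set in PAM service files, so the option discussed above can be located and reviewed. The sample file contents, the placeholder client ID and the /etc/pam.d default path are assumptions.

```python
import re
from pathlib import Path

# Constructed sample of an /etc/pam.d/sshd file (not from the thread).
SAMPLE_SSHD = """\
# PAM configuration for the Secure Shell service
auth required pam_yubico.so id=CLIENT_ID_PLACEHOLDER \\
     authfile=/etc/yubikey_mappings verbose_otp
#auth required pam_yubico.so id=CLIENT_ID_PLACEHOLDER verbose_otp
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
@include common-account
"""

def logical_lines(text):
    """Yield (first_line_no, line) with comments removed and '\\' continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        part = raw.split("#", 1)[0].rstrip()  # strip the comment before joining
        start = n if start is None else start
        if part.endswith("\\"):
            buf += part[:-1] + " "
            continue
        yield start, (buf + part).strip()
        buf, start = "", None
    if buf.strip():
        yield start, buf.strip()

def find_verbose_otp(text, service="sshd"):
    """Return one finding per pam_yubico entry that has verbose_otp set."""
    findings = []
    for lineno, line in logical_lines(text):
        # Fields: type, control (possibly bracketed), module path, arguments.
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            continue  # blank line, comment, or an @include directive
        mtype, control, module, args = m.groups()
        if Path(module).name == "pam_yubico.so" and "verbose_otp" in args.split():
            findings.append({"service": service, "line": lineno,
                             "type": mtype.lstrip("-"), "control": control})
    return findings

def audit_pam_dir(directory="/etc/pam.d"):
    """Scan each service file in a pam.d-style directory (default path is an assumption)."""
    results = []
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            results += find_verbose_otp(path.read_text(errors="replace"), path.name)
    return results

if __name__ == "__main__":
    print(find_verbose_otp(SAMPLE_SSHD))
```

Calling `audit_pam_dir()` on a host returns one entry per active pam_yubico line that has the option set; commented-out lines are ignored.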

All times are UTC + 1 hour