[clug] Yubikeys - group purchase?

Robert Edwards bob at cs.anu.edu.au
Wed Apr 29 23:41:14 GMT 2009


steve jenkin wrote:
> Robert Edwards wrote on 29/4/09 3:47 PM:
> 
>> Yeah, I am aware of all these sorts of things. What I am after is
>> a way of playing with a Yubikey secured server (eg. web server) from
>> a PDA. So the PDA somehow needs to be able to generate Yubikey-like
>> OTPs.
>>
>> Cheers,
>>
>> Bob Edwards.
> 
> Bob,
> 
> Please excuse my naiveté, but wouldn't a phone/PDA App that implemented
> a One Time Password, like S/Key, fit the bill?
> 

It would fit _a_ bill, but not _the_ bill.

Let me start all over from the top.

I want to deploy an OTP-secured infrastructure: remote logins over
SSH, web authentication, VPNs etc. Yubikeys are great for that. So, I
set up my Yubikey authentication service, configure my apps, issue my
users with their Yubikeys and away I go...

Some of my users (including myself) access some of these services using
a PDA style device (in my case, my Nokia E71 mobile phone). I cannot
use a Yubikey with this device - it does not provide a USB-host port,
and, if it did, I would still need some sort of adaptor cable...

So, I would like to be able to "pretend" that it has a Yubikey attached
to it. The Yubikey protocol is completely open (one of its great
attractions), so no problem implementing the protocol in hardware or
in software (it's actually very simple). The fact that extant Yubikeys
appear as USB HID keyboard devices is somewhat irrelevant.

Yes, there are other solutions for generating OTPs, but I particularly
don't want to have to configure a parallel authentication system just
to support PDAs...

As for someone losing their PDA, I would deal with that the same as
if they lost their Yubikey - disable the account on the authentication
server. If a PDA were to be hacked into over the network (bluetooth,
wireless, HSDPA, etc.), again, I can disable the "Yubikey" account on
the server and not issue a new one until the owner junks their dodgy
PDA.

After a bit more research, I can't find an extant implementation of
the Yubikey protocol for any sort of PDA, so now it's time to start
looking into doing it myself... at least for Symbian OS - I don't
want to have to play the Apple iTunes game in order to (legally) get
my own app onto my own iPhone (assuming I had one...).

Cheers,

Bob Edwards.
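
The message above notes that the Yubikey protocol is open and simple to implement in software. The code below is an added example, not part of the original post and not the poster's or Yubico's code: it builds an OTP on the token side and checks it on the server side, following Yubico's published OTP layout (a 16-byte block encrypted with AES-128, then modhex encoded). The function names, the `isFresh` replay rule as written here, and the demo key and IDs are assumptions constructed for illustration.

```javascript
// Added example: field layout per Yubico's published OTP format; names and demo values are constructed.
const crypto = require('node:crypto');

const HEX = '0123456789abcdef', MODHEX = 'cbdefghijklnrtuv'; // MODHEX[i] encodes hex digit i
const tr = (s, from, to) => [...s].map(ch => to[from.indexOf(ch)] ?? '?').join('');

// CRC-16 (ISO 13239); the register value is returned without a final XOR.
function crc16(buf) {
  let crc = 0xffff;
  for (const b of buf) {
    crc ^= b;
    for (let i = 0; i < 8; i++) crc = (crc & 1) ? (crc >>> 1) ^ 0x8408 : crc >>> 1;
  }
  return crc;
}

// One raw AES-128 block operation (ECB, no padding).
function aesBlock(key, block, decrypt) {
  const make = decrypt ? crypto.createDecipheriv : crypto.createCipheriv;
  const c = make('aes-128-ecb', key, null).setAutoPadding(false);
  return Buffer.concat([c.update(block), c.final()]);
}

// Token side: private ID | usage counter | 24-bit timer | session use | random | CRC, then AES + modhex.
function generateOtp({ key, publicId, privateId, counter, timer, use, rnd }) {
  if (key.length !== 16 || privateId.length !== 6) throw new Error('need 16-byte key, 6-byte private ID');
  const blk = Buffer.alloc(16);
  privateId.copy(blk, 0);
  blk.writeUInt16LE(counter, 6);
  blk.writeUIntLE(timer & 0xffffff, 8, 3);
  blk[11] = use;
  blk.writeUInt16LE(rnd, 12);
  blk.writeUInt16LE(~crc16(blk.subarray(0, 14)) & 0xffff, 14); // stored CRC is the complement
  return tr(Buffer.concat([publicId, aesBlock(key, blk, false)]).toString('hex'), HEX, MODHEX);
}

// Server side: decrypt the last 32 modhex characters and check the CRC residue.
function decodeOtp(key, otp) {
  const hex = tr(otp.slice(-32), MODHEX, HEX);
  if (otp.length < 32 || hex.includes('?')) throw new Error('not a modhex OTP');
  const blk = aesBlock(key, Buffer.from(hex, 'hex'), true);
  if (crc16(blk) !== 0xf0b8) throw new Error('CRC mismatch: wrong key or corrupt OTP');
  return { privateId: blk.subarray(0, 6).toString('hex'), counter: blk.readUInt16LE(6), use: blk[11] };
}

// Replay rule: accept an OTP only if (counter, use) is strictly newer than the last accepted pair.
const isFresh = (last, cur) => cur.counter > last.counter || (cur.counter === last.counter && cur.use > last.use);

const DEMO = { key: Buffer.alloc(16, 0x11), publicId: Buffer.from('010203040506', 'hex'), privateId: Buffer.from('a1a2a3a4a5a6', 'hex') }; // constructed
console.log(generateOtp({ ...DEMO, counter: 1, timer: 0, use: 0, rnd: 0 }));
```
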

