[clug] Yubikeys on Linux

Jason Stokes glasper9 at yahoo.com.au
Fri Jun 12 05:23:12 GMT 2009


I was thinking last night that it would be nice if the protocol for reprogramming 
demanded that you provide another key -- perhaps the existing UID of the device -- 
before allowing reprogramming.  The suggested fix of requiring the user
to hold down the key a certain amount of time in order to reprogram is
absolutely insufficient, as it would be trivial to induce a naive user to do 
this with a screen message or such.  Relying on the user not to fall
for something like that is insufficient -- look at phishing attacks.

I would not use a yubikey for a shippable application with such a 
vulnerability.



----- Original Message ----
From: steve jenkin <sjenkin at canb.auug.org.au>
To: CLUG List <linux at lists.samba.org>
Sent: Friday, 12 June, 2009 1:35:30 PM
Subject: Re: [clug] Yubikeys on Linux

Robert Edwards wrote on 12/6/09 10:23 AM:

> As to having someone opportunistically reprogram your yubikey on
> insertion - this is a real threat at the moment. Locking the
> reprogramming with a password would fix it, as long as you don't
> "lose" that password...

> Cheers,
> 
> Bob Edwards.


If what you're saying is correct (I haven't looked at the site), it is a
major vulnerability.

Allowing Silent & Promiscuous Reprogramming?!?!
They gotta fix that...
As you've pointed out, there's at least one simple & effective process.

-- 
Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
-- 
linux mailing list
linux at lists.samba.org
https://lists.samba.org/mailman/listinfo/linux
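The password lock Bob Edwards proposes above, modelled as an added example. This is illustration code written for this page, not YubiKey firmware and not the real configuration-write command format: the slot layout, the six-byte access code, the all-zero "unlocked" convention and the names Slot, rogue_host_reprograms and demo are all assumptions. It shows the three cases the thread argues about: an unlocked slot accepts a silent rewrite from any host it is plugged into, a locked slot refuses a host that knows no code, and the owner who loses the code is locked out along with everyone else.

```python
"""Constructed model of a programmable OTP token whose configuration slot
can only be rewritten by a host presenting the access code already stored
in that slot.  Added example, not the YubiKey protocol; all names and the
message layout are assumptions made for illustration."""
import hmac
import secrets

CODE_LEN = 6
UNLOCKED = bytes(CODE_LEN)  # assumption: an all-zero code means "no lock set"


class Slot:
    """One configurable slot: the OTP secret plus the code guarding writes."""

    def __init__(self, secret: bytes, access_code: bytes = UNLOCKED) -> None:
        if len(access_code) != CODE_LEN:
            raise ValueError("access code must be %d bytes" % CODE_LEN)
        self.secret = secret
        self._access_code = access_code

    def locked(self) -> bool:
        return self._access_code != UNLOCKED

    def write(self, new_secret: bytes, presented_code: bytes,
              new_access_code: bytes = None) -> bool:
        """A host asks to overwrite the slot.  Accepted only if the slot is
        unlocked, or the presented code matches the stored one (compared in
        constant time).  Returns True when the write was applied."""
        if self.locked() and not hmac.compare_digest(presented_code,
                                                     self._access_code):
            return False
        self.secret = new_secret
        if new_access_code is not None:
            if len(new_access_code) != CODE_LEN:
                raise ValueError("access code must be %d bytes" % CODE_LEN)
            self._access_code = new_access_code
        return True


def rogue_host_reprograms(slot: Slot) -> bool:
    """A host the token was merely plugged into, knowing no code, tries to
    replace the secret with one it controls.  True means the attack worked."""
    attacker_secret = secrets.token_bytes(16)
    return slot.write(attacker_secret, presented_code=UNLOCKED)


def demo() -> dict:
    """Run the cases discussed in the thread and report each outcome."""
    factory_secret = secrets.token_bytes(16)

    # 1. Slot shipped without a lock: silent, promiscuous reprogramming works.
    open_slot = Slot(factory_secret)
    hijacked = rogue_host_reprograms(open_slot)
    secret_replaced = open_slot.secret != factory_secret

    # 2. Owner sets an access code when personalising the slot (fixed value
    #    here so the demo is deterministic).
    code = b"\x13\x37\xca\xfe\xbe\xef"
    locked_slot = Slot(factory_secret)
    locked_slot.write(factory_secret, presented_code=UNLOCKED,
                      new_access_code=code)
    blocked = not rogue_host_reprograms(locked_slot)

    # 3. The owner can still reprogram with the code; with the code "lost",
    #    a wrong guess is rejected just like the rogue host's attempt.
    owner_ok = locked_slot.write(secrets.token_bytes(16), presented_code=code)
    lost_code = locked_slot.write(secrets.token_bytes(16),
                                  presented_code=b"\xff" * CODE_LEN)

    return {
        "hijacked": hijacked,
        "secret_replaced": secret_replaced,
        "blocked": blocked,
        "owner_ok": owner_ok,
        "lost_code": lost_code,
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-16s %s" % (case, outcome))
```

The lock only helps if it is set before the token is first plugged into an untrusted host, and the model makes the trade-off Bob mentions explicit: once the code is gone, the slot is permanently out of reach for the owner too.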
