crypto frobs

Warren Kumari warren at kumari.net
Tue Mar 24 00:15:22 UTC 2020


On Mon, Mar 23, 2020 at 7:57 PM William Herrin <bill at herrin.us> wrote:
>
> > On 3/23/20 3:53 PM, Sabri Berisha wrote:
> > In my experience, yubikeys are not very secure. I know of someone in my team who would generate a few hundred tokens during a meeting and save the output in a text file. Then they'd have a small python script which was triggered by a hotkey on my macbook to push "keyboard" input. They did this because the org they were working for would make you use yubikey auth for pretty much everything, including updating a simple internal Jira ticket.
>
> Meh. Here's a better example of bad:
>
> SSH Key Auth + Yubi key.
>
> This isn't two-factor authentication folks, it's just 1-factor: what
> you have.

Well, yes and no. With a Yubikey the attacker has to be local to
physically touch the button[0] - with just an SSH key, anyone who gets
access to the machine can take my key and use it. This puts it in the
"something you have" (not something you are) camp.

> You have an ssh private key. You have a yubi key. Same
> factor. Either one proves you have possession of something only the
> user should have. Proving two does not appreciably change the
> probability that you are you.
>
> For two factor auth, you actually have to use an additional factor.
> Something from the what you know factor (e.g. a password) or the what
> you are factor (e.g. a fingerprint).
>
> Just like a password and a pin isn't two factor. It's exactly the same
> as having a single longer password and subject to the same general
> types of compromise.

Not really -- if an attacker steals my laptop, they don't have the
Yubikey (unless I store it in the USB port). If they *do* steal both,
they can brute-force the SSH passphrase, but after 5 tries of guessing
the Yubikey PIN it self-destructs.
This makes it very different to a longer passphrase.

W
[0]: Yes, obviously an attacker who has root on a machine could trojan
the ssh binary, change the OS to make it play Nyancat through the
speaker, etc... but that's true for any solution...

>
> Regards,
> Bill Herrin
>
> --
> William Herrin
> bill at herrin.us
> https://bill.herrin.us/



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf