crypto frobs

John Kinsella jlk at thrashyour.com
Tue Mar 24 15:39:27 UTC 2020


To give it a mention, I’m a big fan of Duo Security. Auth requests are sent out-of-band to an authenticated app on your mobile device, you verify the request, then that’s sent back to the duo server and then to the requestor. I’ve used it with ssh and radius and it worked well.

Microsoft’s Authenticator app is interesting - a number is displayed in the app you’re trying to authenticate to, and you have to pick the same number in the Authenticator app before it authenticates the request…but I don’t see that tech as being adopted by the networking folks...

In the end it comes down to what you need to secure, and how much effort you’re going to put into it. A yubikey/etc mitigates a risk of credential theft in a cheap, portable way that is frequently Good Enough.

John 

> On Mar 24, 2020, at 2:55 AM, John Covici <covici at ccs.covici.com> wrote:
> 
> How about a new technology I have heard about called sqrl.  See
> https://sqrl.grc.com for more information.  It overcomes a lot of the
> problems discussed here.
> 
> On Mon, 23 Mar 2020 22:22:18 -0400,
> Michael Loftis wrote:
>> 
>> On Mon, Mar 23, 2020 at 20:08 Michael Loftis <mloftis at wgops.com> wrote:
>> 
>>> 
>>> 
>>> On Mon, Mar 23, 2020 at 18:50 William Herrin <bill at herrin.us> wrote:
>>> 
>>>> On Mon, Mar 23, 2020 at 5:16 PM Warren Kumari <warren at kumari.net> wrote:
>>>>> Well, yes and no. With a Yubikey the attacker  has to be local to
>>>>> physically touch the button[0] - with just an SSH key, anyone who gets
>>>>> access to the machine can take my key and use it. This puts it in the
>>>>> "something you have" (not something you are) camp.
>>>> 
>>>> Hi Warren,
>>>> 
>>>> They're both "something you have" factors. The yubi key proves
>>>> possession better than the ssh key just like a long password proves
>>>> what-you-know better than a 4-digit PIN. But the ssh key and the yubi
>>>> key are still part of the same authentication factor.
>>>> 
>>>> 
>>>>> Not really -- if an attacker steals my laptop, they don't have the
>>>>> yubikey (unless I store it in the USB port).
>>>> 
>>>> You make a habit of removing your yubi key from the laptop when nature
>>>> calls? No you don't.
>>>> 
>>>> 
>>>>> If they *do* steal both,
>>>>> they can bruteforce the SSH passphrase, but after 5 tries of guessing
>>>>> the Yubikey PIN it self-destructs.
>>>> 
>>>> What yubikey are you talking about? I have a password protecting my
>>>> ssh key but the yubikeys I've used (including the FIPS version) spit
>>>> out a string of characters when you touch them. No pin.
>>>> 
>>> 
>>> The yubikey does many things depending on how it’s configured. None of
>>> mine use the touch to spit out OTP mode, that is the factory mode though
>>> yes. Other modes can be password protected (it uses the PIN nomenclature
>>> which is confusing, it definitely accepts ASCII and may even take binary
>>> data as a PIN depending on mode of operation) — it can present as industry
>>> standard smart card ( I have one with a pin/password for code signing in
>>> Visual Studio f/ex...along with a backup kept locked elsewhere)
>>> 
>> 
>> 
>> Replying to myself to clarify a bit... the PKI/SSL private keys are on the
>> Yubikey, password protected, signing is accomplished by VS passing the bits
>> to be signed to the smart card application on the yubikey, which requires a
>> password to enable/unlock. On the Yubikey, depending on configuration, this
>> is typically a just-once operation. So each signing op requires a password
>> entry. But it could be configured differently. By only keeping the private
>> keys on the yubikey it’s something you have (the yubikey) and something you
>> know (the password)... the yubikey (barring software bugs obviously) will
>> not expose the private key, it only does the signing op.
>> 
>> That same yubikey has a separate app and trust store in OpenPGP mode, which
>> does signing for ssh pubkey auth, with a different private key. Same key
>> also does FIDO, another application with another key store.
>> 
>> The same key doing all that could also have a “long touch” to spit out an
>> OTP.
>> 
>> 
>> 
>>>> Regards,
>>>> Bill Herrin
>>>> 
>>>> 
>>>> --
>>>> William Herrin
>>>> bill at herrin.us
>>>> https://bill.herrin.us/
>>>> 
>>> --
>> 
>> "Genius might be described as a supreme capacity for getting its possessors
>> into trouble of all kinds."
>> -- Samuel Butler
> 
> -- 
> Your life is like a penny.  You're going to lose it.  The question is:
> How do
> you spend it?
> 
>         John Covici wb2una
>         covici at ccs.covici.com
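The smart-card behaviour Michael Loftis describes above (private key kept on the device, host only gets a signing operation, unlock requires the PIN/password) and the PIN retry lockout Warren mentions, modelled end to end as a challenge-response login. This is an added example, not code from the thread or from Yubico; the Token, Server and Login names, the Ed25519 key type, the three-retry limit and the wipe-on-exhaustion behaviour are assumptions chosen for illustration, not a description of any particular product's firmware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Sentinel errors the simulated token returns to the host.
var (
	ErrBadPIN = errors.New("token: wrong PIN")
	ErrLocked = errors.New("token: retry counter exhausted, key destroyed")
)

// Token models a smart-card applet (PIV or OpenPGP style) on a hardware key.
// The private key lives only inside the struct, no method returns it, and
// Sign refuses to work without the PIN. Assumed for illustration: an Ed25519
// key and a small retry counter; real devices use their own limits.
type Token struct {
	priv    ed25519.PrivateKey
	pub     ed25519.PublicKey
	pin     []byte
	retries int
}

// NewToken generates the key pair on the device, as a real token would.
func NewToken(pin string, retries int) (*Token, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv, pub: pub, pin: []byte(pin), retries: retries}, nil
}

// PublicKey is the only key material the host sees; it is what gets enrolled.
func (t *Token) PublicKey() ed25519.PublicKey { return t.pub }

// Retries reports how many PIN attempts remain.
func (t *Token) Retries() int { return t.retries }

// Sign is the one operation the token exposes: check the PIN, then sign.
// A wrong PIN burns a retry; at zero the key is wiped, so a stolen device
// cannot be brute-forced offline the way a passphrase-protected key file can.
func (t *Token) Sign(pin string, msg []byte) ([]byte, error) {
	if t.retries <= 0 {
		return nil, ErrLocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), t.pin) != 1 {
		t.retries--
		if t.retries == 0 {
			for i := range t.priv { // "self-destruct": zero the key material
				t.priv[i] = 0
			}
			return nil, ErrLocked
		}
		return nil, ErrBadPIN
	}
	return ed25519.Sign(t.priv, msg), nil
}

// Server is the relying party (an SSH daemon, say) holding enrolled public
// keys per user. It holds nothing that can produce a signature.
type Server struct {
	authorized map[string]ed25519.PublicKey
}

// Challenge issues a fresh random nonce so a captured signature cannot be
// replayed in a later session.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Verify checks the signature over the nonce against the user's enrolled key.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	pub, ok := s.authorized[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, nonce, sig)
}

// Login runs one challenge-response round. "Something you have" is the
// token, "something you know" is the PIN; neither alone yields a signature.
func Login(s *Server, user string, t *Token, pin string) (bool, error) {
	nonce, err := s.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := t.Sign(pin, nonce)
	if err != nil {
		return false, err
	}
	return s.Verify(user, nonce, sig), nil
}

func main() {
	tok, _ := NewToken("123456", 3)
	srv := &Server{authorized: map[string]ed25519.PublicKey{"warren": tok.PublicKey()}}
	ok, err := Login(srv, "warren", tok, "123456")
	fmt.Println("right PIN:", ok, err)
	for _, guess := range []string{"000000", "111111", "222222"} {
		_, err = Login(srv, "warren", tok, guess)
		fmt.Printf("guess %s: %v (retries left %d)\n", guess, err, tok.Retries())
	}
	_, err = Login(srv, "warren", tok, "123456")
	fmt.Println("right PIN after lockout:", err)
}
```

The contrast with a plain ssh key file is the point: a file is copied in one `cp`, and its passphrase can then be guessed offline at full speed, whereas here every guess has to go through the token and the token stops answering after the retry budget. With a real device the same flow is what OpenSSH does when the key is reached through a PKCS#11 provider (`ssh -I` / `ssh-add -s`) or, from OpenSSH 8.2, the FIDO-backed `ed25519-sk` and `ecdsa-sk` key types.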