crypto frobs

Rob Seastrom rs-lists at seastrom.com
Tue Mar 24 19:25:00 UTC 2020



> On Mar 23, 2020, at 8:48 PM, William Herrin <bill at herrin.us> wrote:

>> If they *do* steal both,
>> they can bruteforce the SSH passphrase, but after 5 tries of guessing
>> the Yubikey PIN it self-destructs.
> 
> What yubikey are you talking about? I have a password protecting my
> ssh key but the yubikeys I've used (including the FIPS version) spit
> out a string of characters when you touch them. No pin.

https://www.yubico.com/products/identifying-your-yubikey/

The (presumably) Yubico OTP/OATH/HOTP string from a Yubikey that you may have picked up six years ago on a lark doesn’t even begin to scratch the surface.

The integration with FIDO2 in the low-end models in OpenSSH 8.2 in particular is very spiffy (and not to be confused with PIV or OpenPGP mode).

-r

