[Beowulf] One time password generators...
billycrook at gmail.com
Tue Mar 24 21:31:22 PDT 2009
On Tue, Mar 24, 2009 at 22:28, Robert G. Brown <rgb at phy.duke.edu> wrote:
> On Tue, 24 Mar 2009, Billy Crook wrote:
>> Both can be integrated with PAM. Yubikeys go for $25 (less in
>> quantity). Their server side software is Free Software, hosted on
>> Google Code. http://code.google.com/u/simon75j/
> Have you tried either or both of them?
I've considered the former, but I wouldn't have the patience to hand
type something unique every time, so I just keep long passphrases and
regularly change them.
As for the latter, I purchased a few yubikeys to play with a month
ago, and have personalized (re-keyed) one. Sort of... Their
GNU+Linux personalization tool has a ways to go. I worked with them
to get it to compile under 64bit distributions. While the tool will
"allow" you to choose a passphrase and random seed, it did not as of a
couple weeks ago provide any means of directly assigning an AES key.
I spoke with a developer there, and they are going to implement that
in the immediate future, along with some sort of official format for
storing key data (in databases or .ssh/authorized_yubikeys files).
They seem to have focused mostly on Windows for the programming tool
though. To program them in GNU+Linux, one must first unload the
usbhid module, or load it in a quirks mode, because the module
otherwise locks the device and it's not accessible to the
personalization tool even as root. They're working on that as well.
As of right now, their current version of the personalization tool
As of yet, I've only made real use of them with their
factory-programmed keys, to authenticate to yubico's openid provider.
Other people to whom I have given some yubikeys have been using the
pam module on their servers to ssh with a one time password, with much
success. They are, of course, using yubico to authenticate the OTPs.
I plan to check back every few weeks to watch the progress on their
Free Software tools for personalization, and eventually use mine as
additional factors of authentication for ssh and openvpn. From what I
understand they do entirely intend for users to be able to operate
completely independent from yubico without having to pay for software
licenses. They even publish their enterprisey 'yubikey management
server' for administering your users' yubikeys, pam modules, re-keying
tools, the actual authentication code, and many other things on that
Google Code page. I've not tested most of it. Your mileage may vary.
I'd like to hear what others think of these little gadgets as well.
Here's what a few from my 'demo key' look like: