Any plans for YubiKey support?
Closed this issue · 7 comments
Should be straightforward. I don't have one, though.
After a bit of chatting with Yubico they are willing to provide you the the YubiKey passwordsafe bundle.
Thanks. Got it in the mail today. I'll see if I can make it work
I've just pushed ea94ee6 to a new "yubikey" branch.
This adds a new "use hw token" button to the initial password dialog. When this button is pressed, the currently-entered password is (after some pre-processing) fed to a YubiKey. The result (after some post-processing) is then used as the new password.
For this to work, slot 2 of the first present YubiKey has to be configured to respond to variable-length HMAC-SHA1 requests using a static private key.
Let me know if this is what you had in mind.
Works when I run as root.
Otherwise:
$ ./loxodo.py
Traceback (most recent call last):
File "/home/drew/Desktop/loxodo/src/frontends/wx/loadframe.py", line 135,
in _on_use_hw_token
YK = yubico.find_yubikey()
File "/home/drew/Desktop/loxodo/src/yubico/yubikey.py", line 143, in
find_key
return YubiKeyUSBHID(debug=debug, skip=skip)
File "/home/drew/Desktop/loxodo/src/yubico/yubikey_usb_hid.py", line 83,
in init
if not self._open(skip):
File "/home/drew/Desktop/loxodo/src/yubico/yubikey_usb_hid.py", line 385,
in _open
self._usb_handle.setConfiguration(1)
usb.USBError: could not set config 1: Operation not permitted
What order do we press the buttons:
- on the yubikey, and
- "use hw token"
- "New"
- "Open"
Have you looked at all the options at: http://demo.yubico.com/php-yubico/
I imagine it wouldn't take long to find someone who wants each of them.
Although personally I would be happy with only a couple of them.
Might want to provide option for a using a validation server. Possibly:
- Free YubiCloutd Service (Requires Internet Connection)
- Open Source Validation Server running on:
- Local Network, or
- Localhost
Although the Free YubiCloud service requires an internet connection
Our robust OTP validation servers are arranged in a distributed failover
configuration located at five different secure datacenters around the
globe, all servers synchronized to each other making sure that there is no
single point of failure and that responses are serviced in a timely manner,
independent from where around the world validation request is sent. Each
backend server is equipped with YubiHSM Hardware Security Module(s) in
order to make sure that all secret keys are fully protected and stored
encrypted at all times. Yubikeys from the Yubico store comes ready to use
with the YubiCloud (no programming of the keys required).
I'd like to be able to associate multiple yubikeys with a vault so it's not
catastrophic if a key is lost or destroyed.
On Mon, Jul 2, 2012 at 3:06 AM, Christoph Sommer <
reply@reply.github.com
wrote:
I've just pushed d252865 to a new
"yubikey" branch.This adds a new "use hw token" button to the initial password dialog. When
this button is pressed, the currently-entered password is (after some
pre-processing) fed to a YubiKey. The result (after some post-processing)
is then used as the new password.For this to work, slot 2 of the first present YubiKey has to be configured
to respond to variable-length HMAC-SHA1 requests using a static private key.Let me know if this is what you had in mind.
Reply to this email directly or view it on GitHub:
#14 (comment)
Drew Einhorn
"You can see a lot by just looking."
-- Yogi Berra
If accessing the YubiKey on Linux works only as root, it is not automatically detected as a device that regular users should have full access to. If your system uses udev, you can create a file /etc/udev/rules.d/45-yubikey.rules with the following contents:
SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010", GROUP="plugdev"
This will make sure that all users in group "plugdev" (which you might need to add your user to) have full access to any YubiKey that is being plugged in.
With regard to other authentication modes, I'm afraid that unlocking a Loxodo vault with other means won't be possible. Any authentication that ends with asking the Yubico servers for authorization does nothing to protect the actual data in the vault. An attacker is highly likely to just steal the vault file, then use their own software to get to the data (which would just skip any authorization step).
This is why Loxodo uses the YubiKey to derive one (very long) password from another (that you enter): it is the long password that provides all security, nothing else. This also means that it makes no difference if the long password is generated by a YubiKey or entered manually -- if you are worried about losing your YubiKey, you can simply write down or store this (long) password somewhere safe.
The udev incantation solved the non-root access problem.
I'll take a closer look at other authentication modes. I'm hoping that it
is you, not I, that is misunderstanding them, and they just provide other
paths to the same kind of very long password string, which is encrypted as
it passes over the internet. I'll spend some time reading documentation
and chatting with Yubico tech support. I'd be shocked to discover that it
is that easy to bypass their security using any of their authentication
modes.
On Thu, Jul 5, 2012 at 1:06 PM, Christoph Sommer <
reply@reply.github.com
wrote:
If accessing the YubiKey on Linux works only as root, it is not
automatically detected as a device that regular users should have full
access to. If your system uses udev, you can create a file
/etc/udev/rules.d/45-yubikey.rules with the following contents:SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010",GROUP="plugdev"
This will make sure that all users in group "plugdev" (which you might
need to add your user to) have full access to any YubiKey that is being
plugged in.With regard to other authentication modes, I'm afraid that unlocking a
Loxodo vault with other means won't be possible. Any authentication that
ends with asking the Yubico servers for authorization does nothing to
protect the actual data in the vault. An attacker is highly likely to just
steal the vault file, then use their own software to get to the data (which
would just skip any authorization step).This is why Loxodo uses the YubiKey to derive one (very long) password
from another (that you enter): it is the long password that provides all
security, nothing else. This also means that it makes no difference if the
long password is generated by a YubiKey or entered manually -- if you are
worried about losing your YubiKey, you can simply write down or store this
(long) password somewhere safe.
Reply to this email directly or view it on GitHub:
#14 (comment)
Drew Einhorn
"You can see a lot by just looking."
-- Yogi Berra