> On 10 Feb 2018, at 20:16,
joev...@gmail.com wrote:
>
> Yubikey can have different modes of authentication. I remember looking at the work of adubois last year as a possible solution.
> My Yubikey has a slot used for Challenge/Response, which is MUCH easier to work with when you have multiple systems and devices.
>
> I guess YubicoOTP would require something like a custom PAM module... but with Challenge/Response, my solution was to use the built-in pam_exec.so to run a very short script when authenticating.
My solution is a custom PAM module with password + OTP and master password (to use if compromised USB VM).
This OTP slot of the Yubikey is then dedicated for 1 Qubes.
I made sure you can’t forget the yubikey in the slot, the OTP is transmitted to USBVM when key is pressed and transmitted to Dom0 when you remove the key.
If on key removal you are not authenticated you have to assume that USBVM is compromised and may be used for hold and replay attack. You have to go to a secure area, login with master password, destroy USBVM and reinstall front-end + re-initialise the PAM.
If you press by mistake the yubikey, I think you have also a risk of compromise and have to do the same.
The challenge response is more practical but I feel less secure (I might be wrong), I have not looked deeply into it. Influencing the generation of the challenge (to be the same as a previous one) via clock.
> --
> You received this message because you are subscribed to a topic in the Google Groups "qubes-users" group.
> To unsubscribe from this topic, visit
https://groups.google.com/d/topic/qubes-users/BkdTuXZZnwE/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
qubes-users...@googlegroups.com.
> To post to this group, send email to
qubes...@googlegroups.com.
> To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/e5d1abf4-4627-4a09-927c-ec4294cc481d%40googlegroups.com.
> For more options, visit
https://groups.google.com/d/optout.