Yubico PAM 2.9 (IMPORTANT)


Fredrik Thulin

Nov 17, 2011, 3:38:04 PM
to yubico-devel
There is a bug in all current versions (<= 2.6) of ykclient (a.k.a.
yubico c client) that makes it require opt-in to validate the
validation server's HMAC-SHA-1 signature rather than opt-out.

We will release version 2.7 of ykclient shortly, but in order to make
Yubico PAM secure even with ykclient <= 2.6, we hereby release Yubico
PAM 2.9 that explicitly asks ykclient to verify signatures.

Get it from

http://code.google.com/p/yubico-pam/downloads/list

or from my PPA (https://launchpad.net/~fredrikt/+archive/yubico) if
you are using Ubuntu.

/Fredrik
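To make the failure mode concrete, here is an added Python example (not code from ykclient or yubico-pam) showing why signature checking must be on by default. It assumes the YubiCloud v2.0 response signing scheme, which this thread does not spell out: `h` is the base64 HMAC-SHA-1 over the other `key=value` pairs sorted by key and joined with `&`, keyed with the base64-decoded API key. The API key, OTP, nonce and timestamp below are constructed sample values. `check_response(..., verify_signature=False)` models the opt-in default of ykclient <= 2.6: a response altered in transit is accepted as-is, whereas the verifying client rejects it.

```python
import base64
import hashlib
import hmac

# Constructed demo API key shared by the validation server and the client.
# It is NOT a real Yubico API key.
DEMO_API_KEY = base64.b64encode(b"constructed demo key").decode("ascii")


def parse_response(text):
    """Parse the key=value lines of a validation response into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key] = value
    return params


def compute_signature(params, api_key_b64):
    """HMAC-SHA-1 over the sorted key=value pairs joined by '&', excluding h,
    keyed with the base64-decoded API key (assumed YubiCloud v2.0 scheme)."""
    key = base64.b64decode(api_key_b64)
    message = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    digest = hmac.new(key, message.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_signed_response(params, api_key_b64):
    """Server side of the demo: emit a response carrying a valid h= line."""
    signed = dict(params)
    signed["h"] = compute_signature(params, api_key_b64)
    return "".join(f"{k}={v}\r\n" for k, v in signed.items())


def check_response(text, api_key_b64, verify_signature=True):
    """Client side: return the status the client may act on, or a rejection.
    verify_signature=False models the opt-in default of ykclient <= 2.6."""
    params = parse_response(text)
    if verify_signature:
        if "h" not in params:
            return "REJECTED: no signature"
        expected = compute_signature(params, api_key_b64)
        # Constant-time comparison so the check itself leaks nothing.
        if not hmac.compare_digest(params["h"], expected):
            return "REJECTED: bad signature"
    return params.get("status", "REJECTED: no status")


# Constructed sample: the server's genuine verdict is that the OTP is bad.
SERVER_VERDICT = {
    "t": "2011-11-17T15:38:04Z0000",
    "otp": "ccccccbtbcutfhkjdvhgklnhvigvfhbtnckfjhkirdcl",  # constructed, not a real OTP
    "nonce": "0123456789abcdef0123456789abcdef",
    "sl": "100",
    "status": "BAD_OTP",
}
GENUINE = build_signed_response(SERVER_VERDICT, DEMO_API_KEY)
# The same response with the verdict altered in transit; h= is left untouched,
# so only a client that actually verifies the signature notices.
TAMPERED = GENUINE.replace("status=BAD_OTP", "status=OK")


def demo():
    """Run the three cases and return what each client variant would act on."""
    return {
        "genuine, verifying": check_response(GENUINE, DEMO_API_KEY),
        "tampered, verifying": check_response(TAMPERED, DEMO_API_KEY),
        "tampered, not verifying": check_response(TAMPERED, DEMO_API_KEY, verify_signature=False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:25s} -> {result}")
```

A complete client also checks that the echoed `otp` and `nonce` match the ones it sent, so a validly signed but replayed response for a different request is rejected too; that part is left out here to keep the focus on the signature default.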

Fredrik Thulin

Nov 17, 2011, 4:44:52 PM
to yubico-devel
On Nov 17, 9:38 pm, Fredrik Thulin <fredrikyub...@gmail.com> wrote:
> There is a bug in all current versions (<= 2.6) of ykclient (a.k.a.
> yubico c client) that makes it require opt-in to validate the
> validation server's HMAC-SHA-1 signature rather than opt-out.
>
> We will release version 2.7 of ykclient shortly, but in order to make
> Yubico PAM secure even with ykclient <= 2.6, we hereby release Yubico
> PAM 2.9 that explicitly asks ykclient to verify signatures.

Sorry, I forgot to give due credit in the announcement.

This rather serious issue was reported and patched by Dominic
Rutherford <dom...@rutherfordfamily.co.uk>. Thanks!

/Fredrik