nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: crypto frobs

From: Rob Seastrom <rs-lists () seastrom com>
Date: Tue, 24 Mar 2020 15:25:00 -0400



On Mar 23, 2020, at 8:48 PM, William Herrin <bill () herrin us> wrote:



If they *do* steal both,
they can bruteforce the SSH passphrase, but after 5 tries of guessing
the Yubikey PIN it self-destructs.


What yubikey are you talking about? I have a password protecting my
ssh key but the yubikeys I've used (including the FIPS version) spit
out a string of characters when you touch them. No pin.


https://www.yubico.com/products/identifying-your-yubikey/ <https://www.yubico.com/products/identifying-your-yubikey/>

The (presumably) Yubico OTP/OATH/HOTP string from a Yubikey that you may have picked up six years ago on a lark  
doesn’t even begin to scratch the surface.

The integration with FIDO2 in the low-end models in OpenSSH 8.2 in particular is very spiffy (and not to be confused 
with PIV or OpenPGP mode.

-r
Previous By Date Next
Previous By Thread Next

Current thread: