Talk:YubiKey

From ArchWiki
Revision as of 21:31, 24 December 2018 by Lahwaacz (talk | contribs) (→‎Configuration Protection: remove closed discussion)

Updated Two-factor authentication with SSH

I've updated the section to match how yubico-pam's configuration currently works. The instructions are mostly taken from https://developers.yubico.com/yubico-pam/ and https://developers.yubico.com/yubico-pam/Yubikey_and_SSH_via_PAM.html; this is how I set up my machine.

The default Yubico server is contacted over HTTPS. Still, the documentation suggests using the API ID instead of id=1, but no API key, which to me seems like a semi-HMAC way of doing things. Should I change the section for general PAM setup accordingly? It would mean that users will generally have to generate the key pair.

Lcts (talk) 17:47, 14 April 2017 (UTC)

I've left it at id=APIID for now, just in case id=1 is insecure. It makes the two sections kind of identical, but I don't know enough about HMAC/https to decide if id=1 is OK. Please advise. Lcts (talk) 18:25, 14 April 2017 (UTC)
For completeness' sake, I added the id=1 way of connecting back in - it might be of interest for people planning to set up their own servers - but added a warning. If someone knows that the warning is unwarranted, they should feel free to remove it.
I still don't really see the point of using the Client ID without the key in Yubico's default, but if that's how they advise to do it, OK. As of now, all three methods work even if the Yubico documentation only describes the first. Lcts (talk) 14:49, 15 April 2017 (UTC)
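
Added example, not part of the discussion above and not yubico-pam's own code: a sketch of the response check that a client can only perform when it holds the API key, assuming the signing scheme of the Yubico validation protocol 2.0 (base64 HMAC-SHA1 over the alphabetically sorted parameters). The key, OTP, nonce and the `make_response` stand-in server are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not real credentials or a real OTP).
DEMO_KEY = base64.b64encode(b"constructed-demo-key").decode()
DEMO_OTP = "cccccccccccbdefghijklnrtuvcbdefghijklnrtuvcb"
DEMO_NONCE = "constructednonce0123456789abcdef"

def sign_params(params, api_key_b64):
    """Base64 HMAC-SHA1 over sorted key=value pairs joined by '&' ('h' excluded)."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    digest = hmac.new(key, msg.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def make_response(params, api_key_b64):
    """Hypothetical stand-in for the validation server: signed key=value lines."""
    lines = [f"{k}={v}" for k, v in params.items()]
    lines.append("h=" + sign_params(params, api_key_b64))
    return "\r\n".join(lines)

def parse_response(body):
    """Split each line on the first '=' only; base64 values may end in '='."""
    fields = {}
    for line in body.splitlines():
        if line.strip():
            name, _, value = line.strip().partition("=")
            fields[name] = value
    return fields

def verify_response(body, api_key_b64, sent_otp, sent_nonce):
    """True only for a correctly signed OK answer to our own request."""
    fields = parse_response(body)
    if "h" not in fields:
        return False
    if not hmac.compare_digest(fields["h"], sign_params(fields, api_key_b64)):
        return False
    if fields.get("otp") != sent_otp or fields.get("nonce") != sent_nonce:
        return False
    return fields.get("status") == "OK"

if __name__ == "__main__":
    base = {"otp": DEMO_OTP, "nonce": DEMO_NONCE}
    replayed = make_response({**base, "status": "REPLAYED_OTP"}, DEMO_KEY)
    forged = replayed.replace("status=REPLAYED_OTP", "status=OK")
    print(verify_response(make_response({**base, "status": "OK"}, DEMO_KEY),
                          DEMO_KEY, DEMO_OTP, DEMO_NONCE))
    print(verify_response(forged, DEMO_KEY, DEMO_OTP, DEMO_NONCE))
```

A client configured with only a client ID has no key to pass to a check like `verify_response`, so the authenticity of the answer rests on the HTTPS connection alone.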