On 2025-09-02, Robert Alessi <alessi@robertalessi.net> wrote:
> I wouldn't mind either but the thing is one can't assume
> login_yubikey(8) will remain in base.[1] A good reason to keep it would
> be to allow ssh login from a machine where yubikey otp can be used.
careful with login_yubikey for ssh; there's no good way to sync the
counter files, so replay detection is only per-machine. (concretely:
if someone captures your otp from one login, they can login to other
machines using the same key until you've logged in to them too).
this is a shortcoming of login_yubikey(8) - other yk otp-based login
methods (e.g. using radius to auth at a central location that checks
counters) are possible.
--
Please keep replies on the mailing list.
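An added illustration of the counter-based replay check the message above is talking about; this is example code written for this page, not code from the thread, from OpenBSD's login_yubikey(8) or from Yubico. It models the 16-byte decrypted YubiKey OTP block (public uid, power-up counter, timestamp, per-session use counter, random, CRC) and a validator that only accepts an OTP whose counters are strictly higher than the last ones it recorded. The AES decryption of a real OTP is left out; the uid and counter values are constructed. Running two independent stores side by side against one shared store shows why per-machine counter files only detect replay on the machine that already saw the OTP, while a central counter store rejects it everywhere.

```python
"""Model of YubiKey OTP counter checking: per-host state vs a shared store.

Example code for this page; the token layout follows Yubico's published
OTP structure, but all values below are constructed for the demo.
"""
import struct

# CRC-16 as used for the YubiKey OTP (reflected poly 0x8408, init 0xFFFF).
# Verifying over all 16 bytes, including the stored CRC, must give 0xF0B8.
GOOD_RESIDUE = 0xF0B8


def crc16(data: bytes) -> int:
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def build_token(uid: bytes, use_ctr: int, session_ctr: int,
                tstp: int = 0, rnd: int = 0) -> bytes:
    """Assemble a decrypted 16-byte OTP block (constructed test data)."""
    assert len(uid) == 6
    body = uid + struct.pack("<HHBBH", use_ctr, tstp & 0xFFFF,
                             (tstp >> 16) & 0xFF, session_ctr, rnd)
    # The stored checksum is the one's complement of the CRC over the body.
    return body + struct.pack("<H", (~crc16(body)) & 0xFFFF)


def parse_token(plain: bytes) -> dict:
    """Validate the CRC and pull out the fields a counter check needs."""
    if len(plain) != 16 or crc16(plain) != GOOD_RESIDUE:
        raise ValueError("bad length or CRC: not a valid OTP block")
    use_ctr, _tstpl, _tstph, session_ctr, _rnd, _crc = struct.unpack(
        "<HHBBHH", plain[6:])
    return {"uid": plain[:6].hex(),
            "use_ctr": use_ctr,          # incremented at each power-up
            "session_ctr": session_ctr}  # incremented per OTP within a session


class CounterStore:
    """Highest (use_ctr, session_ctr) seen per key uid.

    One instance per machine models a per-host counter file; one instance
    shared by all machines models a central validation service.
    """

    def __init__(self) -> None:
        self._last: dict[str, tuple[int, int]] = {}

    def accept(self, plain: bytes) -> bool:
        fields = parse_token(plain)
        seen = (fields["use_ctr"], fields["session_ctr"])
        # Counters must strictly advance; an equal or lower pair is a replay.
        if seen <= self._last.get(fields["uid"], (-1, -1)):
            return False
        self._last[fields["uid"]] = seen
        return True


def demo() -> dict:
    """Replay the same OTP against per-host stores and against a shared one."""
    uid = bytes.fromhex("0102030405ff")          # constructed key id
    otp = build_token(uid, use_ctr=7, session_ctr=3)
    host_a, host_b, shared = CounterStore(), CounterStore(), CounterStore()
    return {
        "host_a_first": host_a.accept(otp),      # fresh on host A: accepted
        "host_a_replay": host_a.accept(otp),     # host A has the record: rejected
        "host_b_replay": host_b.accept(otp),     # host B has no record: accepted
        "shared_first": shared.accept(otp),      # central store: accepted once
        "shared_replay": shared.accept(otp),     # central store: rejected everywhere
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

`host_b_replay` coming back accepted is the situation the message describes: with per-machine counter files, a machine that has never seen the key's current counters has nothing to compare against. A shared store (the RADIUS-at-a-central-location arrangement mentioned in the message) gives every machine the same view of the counters, so the second presentation is rejected wherever it lands.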