Interest in One-Time Password tokens?
William Stearns
wstearns at pobox.com
Tue Oct 19 21:09:46 EDT 2010
Good evening, all,

Quick summary for the busy: I'm interested in getting, as a
group, One Time Password (*) generators to provide an alternative to
static passwords with all their security issues. The Yubikey (
http://yubico.com/products/yubikey/ ) works with Linux, Mac OS/X,
Windows and other OS's. In bulk, they sell for $16-$20 each.

After an intrusion on one of its servers partially attributed
to a keylogged password, a discussion started at the Fedora Project
about providing One Time Password generators to its members. While
traditional OTP devices would have been prohibitively expensive, an
alternative came up - the Yubikey.

This OTP device looks like an even smaller version of a thumb
drive, and also plugs into a USB port. When you press the sole button
on the top it acts like a USB keyboard and spits out a single-use 44
character password and line feed. Setting it up is a matter of
configuring one's servers to accept these one-time passwords; their wiki
( http://wiki.yubico.com/wiki/index.php/Main_Page ) has good coverage of
what's already supported in this open-source uber-friendly project. The
PAM authentication module approach used on Linux really shines;
integrating this into Linux logins means installing one piece of
open-source code and adding a single line to one or more text files in
/etc/pam.d/ . I was able to get a Linux system to let me log in on the
console, X, and the gnome screensaver today with one of these.

OTP devices used to be up in the hundreds of dollars. A device
such as this provides security benefits similar to the older, more
expensive devices, especially when combined with a pin, certificate, or
static password.

Even at $30 each with shipping they're a good price, but I'd
like to pool orders if there's enough interest. If we can come up with
interest in getting 50, the price goes down to $16 each (I'll cover the
shipping). If that's still too much, name your price for one key and
I'll cover the rest. :-) I'll arrange to mail the devices to each
Linux user group when they come in.

If you're interested, please send me your name, how many you'd
like to buy and the name and address for your group leader. For
Dartmouth users, your Hinman box is fine. I'll include a note on
getting payment to me in the package.

I'll place an order before the end of October to get them here
before November meetings.

Cheers,
- Bill Stearns, DLSLUG member

* Even if captured (sniffers and keystroke loggers come to mind),
a one-time password has no value once it's used.

More information: http://lwn.net/SubscriberLink/409851/b33f66c40e0bf7bc/
---------------------------------------------------------------------------
"I don't care to belong to any club that will have me as a
member."
-- Groucho Marx
--------------------------------------------------------------------------
William Stearns (wstearns at pobox.com, tools and papers: www.stearns.org)
Top-notch computer security training at www.sans.org , www.giac.net
--------------------------------------------------------------------------
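The 44-character password the message describes is checked on the server side, and the footnote's claim (a captured one-time password is worthless once used) rests on that check rejecting replays. The Go program below is an added example, not part of the original message and not Yubico's own software or the pam_yubico module the post refers to. It assumes the published token layout: a 12-character modhex public ID followed by one AES-128-encrypted block carrying a 6-byte private ID, a 16-bit session counter (high bit is a flag, not part of the count), a timestamp, a per-session use counter, random filler and a CRC-16 whose residue over the whole block must be 0xf0b8. The key, private ID, public ID and timestamp values are constructed for the demonstration, and the MakeOTP helper stands in for the device so the verifier can be exercised offline.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"strings"
)

// Yubikey "modhex" alphabet: 16 characters that sit at the same positions on most keyboard layouts.
const modhex = "cbdefghijklnrtuv"

func modhexDecode(s string) ([]byte, error) {
	if len(s)%2 != 0 {
		return nil, errors.New("modhex: odd length")
	}
	out := make([]byte, len(s)/2)
	for i := 0; i < len(s); i += 2 {
		hi, lo := strings.IndexByte(modhex, s[i]), strings.IndexByte(modhex, s[i+1])
		if hi < 0 || lo < 0 {
			return nil, errors.New("modhex: invalid character")
		}
		out[i/2] = byte(hi<<4 | lo)
	}
	return out, nil
}

func modhexEncode(b []byte) string {
	var sb strings.Builder
	for _, c := range b {
		sb.WriteByte(modhex[c>>4])
		sb.WriteByte(modhex[c&0x0f])
	}
	return sb.String()
}

// crc16 is the CRC-16 used inside the token (init 0xffff, reflected polynomial 0x8408).
// Computed over all 16 decrypted bytes it must equal the residue 0xf0b8.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			if crc&1 == 1 {
				crc = (crc >> 1) ^ 0x8408
			} else {
				crc >>= 1
			}
		}
	}
	return crc
}

// KeyRecord is the per-device state a validation server keeps between requests.
type KeyRecord struct {
	AESKey    []byte // 16-byte secret programmed into the device
	PrivateID []byte // 6-byte uid that must appear in every decrypted token
	Counter   uint16 // highest session counter accepted so far
	Session   uint8  // highest use-within-session accepted at that counter
}

// Verify decrypts one 44-character OTP and accepts it only if it is well-formed,
// belongs to this device, and is strictly newer than the last accepted token.
func (k *KeyRecord) Verify(otp string) error {
	if len(otp) != 44 {
		return errors.New("otp: expected 44 characters")
	}
	body, err := modhexDecode(otp[12:]) // first 12 characters are the public ID
	if err != nil {
		return err
	}
	block, err := aes.NewCipher(k.AESKey)
	if err != nil {
		return err
	}
	plain := make([]byte, 16)
	block.Decrypt(plain, body) // exactly one AES-128 block; no mode or IV is involved
	if crc16(plain) != 0xf0b8 {
		return errors.New("otp: CRC mismatch (wrong key or corrupted token)")
	}
	if subtle.ConstantTimeCompare(plain[:6], k.PrivateID) != 1 {
		return errors.New("otp: private ID does not match this device")
	}
	ctr := binary.LittleEndian.Uint16(plain[6:8]) & 0x7fff // bit 15 is a flag, not part of the count
	use := plain[11]
	if ctr < k.Counter || (ctr == k.Counter && use <= k.Session) {
		return errors.New("otp: replayed or stale token")
	}
	k.Counter, k.Session = ctr, use // advance state only after every check passed
	return nil
}

// MakeOTP plays the role of the device (constructed, for offline testing only).
func MakeOTP(key, uid []byte, publicID string, ctr uint16, use uint8) string {
	plain := make([]byte, 16)
	copy(plain[0:6], uid)
	binary.LittleEndian.PutUint16(plain[6:8], ctr)
	binary.LittleEndian.PutUint16(plain[8:10], 0x1234) // constructed timestamp, low 16 bits
	plain[10] = 0x56                                   // constructed timestamp, high 8 bits
	plain[11] = use
	binary.LittleEndian.PutUint16(plain[12:14], 0x789a) // constructed "random" filler
	binary.LittleEndian.PutUint16(plain[14:16], ^crc16(plain[:14]))
	block, _ := aes.NewCipher(key)
	out := make([]byte, 16)
	block.Encrypt(out, plain)
	return publicID + modhexEncode(out)
}
```

Feeding the same OTP string to Verify twice succeeds the first time and fails the second with "replayed or stale token", which is the property the footnote relies on; a token from an earlier session counter is rejected the same way, so a logger that captured a password last week gains nothing from it. In a deployment the counter and session fields must be persisted per device, otherwise a restart of the validation service reopens the replay window.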