Skip to content

Category: Security

Yubikey PIV for SSH on Macs

We generally use Duo for two factor authentication, including SSH. We have some scenarios where people would like to use two factor authentication, but Duo is considered too intrusive. For example, when using Duo for SSH-based git push and git pull there's no Duo prompt, it only works with Duo push, and you have to unlock your phone, tap on the Duo notification, then tap on 'approve'. You may also need to make changes to your git server; with GitLab we have to use a non-suid copy of login_duo, with a second configuration file, and manually update the git account's authorized_keys file to use login_duo for every SSH key (that needs to use two factor):

command="/usr/sbin/login_duo_git -c \
  /etc/security/login_duo_git.conf -f alice \
  /home/git/gitlab-shell/bin/gitlab-shell key-2",... \
  ssh-rss AAAA...

I've had a few Yubikeys lying around, and I finally decided to try one for SSH. I found Thomas Habets' Yubikey 4 for SSH with physical presence proof instructions for Linux, and modified them to work on Macs. I've tested with OS X 10.11 (El Capitan) and macOS 10.12 (Sierra), but if you're using an older version of OS X you should upgrade, or follow Yubikey's instructions to ensure that Yubikeys are recognized.

Comments closed


The 11th unconference formerly known as the Internet Identity Workshop (and now known simply as IIW) was held at the Computer History Museum, Nov 2-4.…

Comments closed

Burton Analyst Discussion on Hypervisor Security and Compliance Standards

I scheduled a one hour Analyst discussion with Trent Henry of Burton Group on the subject of trends in Hypervisor Security;  with respect to getting the apprprate balance of risk mitigation (i.e. threat vs. investment in threat response using technology and practice).

Specifically, my query to setup the discussion was:

"The costs associated with deploying and maintaining completely separate physical visualization infrastructures, for applications which access sensitive data, is making it extremely difficult to make a server virtualization service financially viable.  We are revisiting the risk assessment vs. systems design and administration criteria, to consider whether good (enough) security could be reasonably provided with less onerous and costly controls."



I took a quick look at using SSL with MySQL, and it turns out to be reasonably simple to enable SSL for transport level encryption, while still using username and password for authentication. Read on for some links to useful articles for MySQL, Java, Perl, Ruby on Rails and some sad news about PHP.

Comments closed