RSS Channel: Comments on: Setting up a YubiKey on Linux is a mess, and it really shouldn’t be
Exploring the Future of Computing

By: Wondercool2
In reply to <a href="https://www.osnews.com/story/139174/setting-up-a-yubikey-on-linux-is-a-mess-and-it-really-shouldnt-be/#comment-10438021">tingo</a>. It really depends on your needs. I don't need NFC or Bio. Most versions can be had in USB-C, USB-A or both. I have several but even the cheapest (5 euro!) works for me. I am not versed in all the security protocols and generally buy the cheapest (2 for 25 euro stuff). No complaints with any of them.

By: Alfman
In reply to <a href="https://www.osnews.com/story/139174/setting-up-a-yubikey-on-linux-is-a-mess-and-it-really-shouldnt-be/#comment-10438027">Kochise</a>. Kochise, <blockquote>Got a Tuxedo Linux laptop with fingerprint reader, and guess what? Only supported on Windows. Linux is not ready, yet</blockquote> IMHO the FOSS community is fairly good at reverse engineering certain hardware classes like networking, printers, and cameras, but with specialty devices and/or ancillary functions it becomes more hit and miss. Many of my computers don't have drivers for the fan controllers under Linux even though I'd like to have control over thermal solutions. A Fujitsu laptop I own also has a finger scanner that won't work under Linux. This is really the fault of the manufacturers. Alt OS users live with this catch-22. If their platform had more market share, it would be officially supported. However, gaining market share is very difficult without any official support.

By: Alfman
In reply to <a href="https://www.osnews.com/story/139174/setting-up-a-yubikey-on-linux-is-a-mess-and-it-really-shouldnt-be/#comment-10438024">mbq</a>. mbq, <blockquote>Except they aren’t — fingerprint is not an exact value, it is fuzzy-matched by certain descriptors, so it cannot be hashed. Forging a fake finger from them is not an obvious or easy task, but still.</blockquote> There are fuzzy hashing algorithms that allow for variations, but they're not in the same class as cryptographic hashes. While not for fingerprints, these links explain the concepts. https://www.meshsecurity.io/blog/fuzzyhashing https://en.wikipedia.org/wiki/Fuzzy_hashing Think of fitting analog values into more granular buckets and using a lot more hashes to allow some of them to mismatch. Android and other fingerprint applications require the user to input many fingerprint samples to capture more analog variations.
<blockquote>
// Initialization
fingerhash = new FuzzHash
for i = 0 to 10
    fingerprint = capture_fingerprint()
    AddHash(fingerhash, fingerprint)
next
fingerhash // saved fingerprint hash
</blockquote>
<blockquote>
// Authentication
fingerprint = capture_fingerprint()
if FuzzyMatch(fingerhash, fingerprint) then
    // match
else
    // not match
end if
</blockquote>
Of course this has genuinely useful applications. Unfortunately though some sources aren't very honest about biometric risks, and may claim that fingerprints cannot be recreated using the hashed data points. Such assertions involve a sleight of hand at best and complete deception at worst.... https://www.universalstudioshollywood.com/web/en/us/faqs/biometrics A fingerprint hash can be reversed by brute forcing inputs that pass the matching algorithm. Fuzzy matching functions might not even be cryptographically sound and there could be analytic solutions, but even if we assume the hashes are cryptographic quality one-way hashes, the brute forcing technique still works...
<blockquote>
for i = 1 to 1000000000 // however many fingerprints needed to generate fingerprints that differ by less than the scanner's ability to differentiate matches from non-matches
    // keep in mind that arbitrarily high differentiation will implicitly lead to a lot of false negative matches rendering the scheme useless for real world applications.
    fingerprint = GenerateSyntheticFingerprint(i)
    if FuzzyMatch(fingerhash, fingerprint) then
        // found matching candidate, can find more or stop
    else
        // not match
    end if
next
</blockquote>
So when Universal says this... <blockquote>No. A complete fingerprint is not necessary for thorough identity verification, and no fingerprint images are ever recorded. Turnstile sensors match the grid points that were taken in your original scan and transfer them to the number series the system assigned to you. As this information is stored as a number only, a fingerprint image cannot be recreated and privacy is maintained.</blockquote> Mathematically speaking, it absolutely is possible to recreate fingerprint images from the features they collect, the only question is whether they have enough bits of data to do so <i>completely</i> or <i>partially</i>. For all we know they might have kept all the bits, but let's give them the benefit of doubt and say they throw away 50% of the bits...
1) Throwing away bits reduces the ability to discern matching fingerprints from non-matching ones simply because there is less data to go on (ie higher false positives). Throwing away bits implies less security.
2) Throwing away some bits removes finer details but it doesn't prevent you from generating fingerprint images that match the bits they've kept.
3) Non-overlapping bits are cumulative. Different samples and/or different databases could be recombined. While hashes work a bit differently, it could be visualized in this way: One scanner throws away the left hand side of the fingerprint while another scanner throws away the bottom. Each sample only keeps 50% of the bits, but they only partially overlap and together they can recreate 75% of the fingerprint.
4) Throwing away bits doesn't necessarily throw away all the information corresponding to those bits when there is redundancy in the pattern. Say we throw away 50 puzzle pieces from a 500 piece puzzle...we factually threw away 10% of the pieces, but did we lose 10% of the information about the remaining shapes? No, actually. Much of the information about a piece's possible shapes can be derived from the other shapes we have. In fact this is the basis for both lossy and lossless compression algorithms.
I find this to be such an interesting topic, but I feel there are too many people trying to sugarcoat biometric technology and hashes as a secure yet privacy protecting panacea. They'll gloss over lots of facts. PS. This is a long post, hopefully I've taken care of the formatting issues.

By: Kochise
Got a Tuxedo Linux laptop with fingerprint reader, and guess what? Only supported on Windows. Linux is not ready, yet.

By: Jeeves
In reply to <a href="https://www.osnews.com/story/139174/setting-up-a-yubikey-on-linux-is-a-mess-and-it-really-shouldnt-be/#comment-10438007">subsider34</a>. While you can use FIDO2 with SSH, I'd recommend just using the OpenPGP card app on the yubikey and store your ssh key in the auth slot. Presumably you already have some method in place to provision public keys to VMs to login, so it should just be a drop-in solution.

By: Jeeves
I get that this is frustrating, but this is not a thing either KDE or Gnome can address by themselves, and they really shouldn't try. Your desktop environment should 1000% not be touching your PAM configuration and if it did it would likely be a never ending nightmare of security vulnerabilities in the making. Ultimately, this has to be something each distribution must address for themselves and I suspect there are a hell of a lot of other usability issues that come much higher in the priority queue than this one. I use a Yubikey for my desktops, and I have it tuned just the way I like it. Just touch to log in to the display manager, pin + touch for shell access, sudo and polkit. I just keep the PAM configs for my setup on usb flash and copy-paste them to new machines as required. While this isn't perhaps terribly newbie friendly, it's not exactly a chore either.
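The split Jeeves describes (touch only at the display manager, PIN plus touch for sudo) is what pam_u2f's per-service options express. The fragment below is an added illustration, not Jeeves's actual config nor anything from the YubiKey project; the file paths, the mapping-file location and the choice of `sufficient` are assumptions for a Debian-style PAM layout, and the exact display-manager file name depends on the distribution.

```text
# Step 1 (shell, once per user): register the key and append the mapping line.
#   pamu2fcfg -u "$USER" | sudo tee -a /etc/u2f_mappings
# The mapping file is the per-user "authfile" pam_u2f checks against.

# /etc/pam.d/sudo  (assumed path)
# PIN + touch: pam_u2f prompts for the PIN and waits for a touch ("cue").
# `sufficient` leaves the ordinary password stack below as the fallback;
# change it to `required` only after confirming the key works, and keep a
# root shell open while testing so a typo cannot lock you out.
auth    sufficient  pam_u2f.so authfile=/etc/u2f_mappings cue pinverification=1 userpresence=1
@include common-auth

# /etc/pam.d/lightdm  (assumed; substitute your display manager's file)
# Touch only: no PIN prompt at the login screen.
auth    sufficient  pam_u2f.so authfile=/etc/u2f_mappings cue pinverification=0 userpresence=1
@include common-auth
```

Keeping the mapping file root-owned and outside the user's home (the `authfile=` option) is what stops a user from registering a key for themselves; the `nouserok` option, deliberately omitted here, would otherwise let users without a mapping fall through silently.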

By: mbq
In reply to <a href="https://www.osnews.com/story/139174/setting-up-a-yubikey-on-linux-is-a-mess-and-it-really-shouldnt-be/#comment-10437998">Drumhellar</a>. Except they aren't -- fingerprint is not an exact value, it is fuzzy-matched by certain descriptors, so it cannot be hashed. Forging a fake finger from them is not an obvious or easy task, but still.

By: sukru
In reply to <a href="https://www.osnews.com/story/139174/setting-up-a-yubikey-on-linux-is-a-mess-and-it-really-shouldnt-be/#comment-10438022">sukru</a>. which usually did not* work (need that edit button)

By: sukru
Am I the only one who looks at the instructions and thinks: <b>wow, these are entirely reasonable</b>? For someone coming from the early HOWTO days, which usually did work, or required downloading 20 things and manually resolving their version conflicts, this is almost "straightforward". Download a tool, add this as a PAM authentication method, sign some certificates, and it works. It doesn't even require updating firmware or binary blobs. What happened to Linux users?

By: tingo
In reply to <a href="https://www.osnews.com/story/139174/setting-up-a-yubikey-on-linux-is-a-mess-and-it-really-shouldnt-be/#comment-10437991">Wondercool2</a>. Wow, they have a lot of products available. Which one would you recommend?

By: Setting up a YubiKey on Linux is a mess, and it really shouldn’t be – Open World News
[…] Author: Thom Holwerda Source […]

By: Mote
> There’s really no solid reason for me to want this other than that it just feels cool and futuristic to me (yes, even in this, the year of our lord 2024). I have no state secrets, no secret Swiss bank accounts, no whistleblower material to protect, and my computers rarely leave the house – I just want it because it’s possible and cooler than typing in my password. You are, however, a possible attack vector through which your family/friends/other acquaintances could be scammed. Using a USB 2FA key for email and other internet accounts, which only requires that the account in question supports it (no exotic installations on your part), would significantly reduce the risk of passwords and 2FA codes getting phished.

By: Alfman
In reply to <a href="https://www.osnews.com/story/139174/setting-up-a-yubikey-on-linux-is-a-mess-and-it-really-shouldnt-be/#comment-10438007">subsider34</a>. subsider34, <blockquote>I recently ran headfirst into this issue when I got a YubiKey in the hopes of making it easier and more secure to manage lots of Linux VMs (surprise! It’s actually harder). As far as I can tell, there is only one terminal or ssh program that has figured out a way to make this simple to setup and deploy:</blockquote> You could use ssh-copy-id to automatically authenticate sessions from the host into the guests. This works out of the box. I imagine a YubiKey solution would have to be installed in every single guest VM.

By: subsider34
I recently ran headfirst into this issue when I got a YubiKey in the hopes of making it easier and more secure to manage lots of Linux VMs (surprise! It's actually harder). As far as I can tell, there is only one terminal or ssh program that has figured out a way to make this simple to set up and deploy: Termius (https://termius.com/). They'll configure your security key, generate certificates, securely distribute them, and login using them, all using a simple GUI wizard (https://support.termius.com/hc/en-us/articles/5618120162457-Using-FIDO2-for-SSH-authentication). If only they didn't know they were the only people around who've figured this out and put it behind a $10/month subscription fee.

By: Alfman
In reply to <a href="https://www.osnews.com/story/139174/setting-up-a-yubikey-on-linux-is-a-mess-and-it-really-shouldnt-be/#comment-10437998">Drumhellar</a>. Drumhellar, <blockquote>I’m pretty sure they don’t actually store your fingerprint. Instead, they store a one-way hash of your fingerprint, so it is impossible to recreate the original fingerprint from the stored hash.</blockquote> That's true. However, similarly to how password hashes can be brute forced, fingerprint hashes can be brute forced too. (I've successfully used hashcat to brute force gravatar email hashes just to prove it could be done.) Fingerprint scanners may be able to distinguish between a million fingerprints; that's hardly a challenge for modern computers. Technically you can increase the precision required to trigger a fingerprint match in order to increase the computational complexity, but you'll end up increasing the false negatives because fingerprint scans are not precise and matches are fuzzy by their analog nature. IMHO if someone were to publish their biometric hashes, I think someone would be able to crack it. It helps if hashes are kept locally on device and never sent upstream to providers. Local copies could still be breached, but IMHO it's far harder for a hacker to compromise millions of individual devices versus one database containing millions of fingerprint hashes. Even barring the reversibility of hashes though, we leave copies of our fingerprints all around us: tables, door handles, mice, phones, touch screens, HD video footage... unless you take extraordinary measures 24x7, you're probably vulnerable. https://www.theguardian.com/technology/2014/dec/30/hacker-fakes-german-ministers-fingerprints-using-photos-of-her-hands Of course, Thom outlined his use case being for casual security only....and that's fair enough. After all most of our stuff isn't that interesting. But because biometrics can't be changed, once they are leaked it becomes risky to use them again for more secure contexts. We have businesses using biometrics for trivial matters, such as theme parks... https://insidethemagic.net/2020/09/universal-orlando-resort-fingerprints-kj1/ Our school district intended to collect student fingerprints. These things could be valuable hacker targets.
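Alfman's two posts above argue the same point from two angles: a "fuzzy hash" only hides the fingerprint as well as the scanner's resolution lets it, and raising the precision required for a match buys security at the cost of false negatives. The Python below is an added toy model of that trade-off, not code from any commenter and not a real biometric algorithm: a finger is reduced to FEATURES analog measurements, each quantized into LEVELS buckets, the template stores one SHA-256 per (position, bucket) like the `AddHash` loop, and matching counts how many bucket hashes agree like `FuzzyMatch`. The feature count, bucket count, sensor-noise level and the constructed finger are all assumptions chosen to keep the exhaustive enumeration small.

```python
from __future__ import annotations

import functools
import hashlib
import itertools
import random

# Toy parameters (constructed for illustration). Real templates hold far more
# features; the point is that the reachable input space is bounded by what the
# scanner can distinguish, not by the strength of the hash.
FEATURES = 8          # quantized feature positions per fingerprint
LEVELS = 4            # buckets per feature, i.e. the scanner's resolution
SENSOR_NOISE = 0.35   # std-dev of scan noise, in units of one bucket
ENROLL_SCANS = 10     # captures taken at enrollment, like "for i = 0 to 10"


@functools.lru_cache(maxsize=None)
def bucket_hash(position: int, bucket: int) -> bytes:
    """One-way hash of a single (position, bucket) pair. SHA-256 is a fine
    hash; the weakness is that its input domain has only FEATURES*LEVELS values."""
    return hashlib.sha256(f"{position}:{bucket}".encode()).digest()


def quantize(analog: list[float]) -> tuple[int, ...]:
    """Map analog measurements onto the scanner's LEVELS buckets."""
    return tuple(min(LEVELS - 1, max(0, int(round(v)))) for v in analog)


def capture(finger: list[float], rng: random.Random) -> tuple[int, ...]:
    """Simulated scan of the same physical finger: true value plus sensor noise."""
    return quantize([v + rng.gauss(0.0, SENSOR_NOISE) for v in finger])


def enroll(scans: list[tuple[int, ...]]) -> list[bytes]:
    """Mirror the AddHash loop: majority bucket per position over several
    captures, then keep only the bucket hashes (the stored 'fingerhash')."""
    template = []
    for pos in range(FEATURES):
        votes = [scan[pos] for scan in scans]
        majority = max(set(votes), key=votes.count)
        template.append(bucket_hash(pos, majority))
    return template


def match_score(template: list[bytes], candidate: tuple[int, ...]) -> int:
    """Number of positions whose bucket hashes to the stored hash."""
    return sum(1 for pos, b in enumerate(candidate) if bucket_hash(pos, b) == template[pos])


def fuzzy_match(template: list[bytes], candidate: tuple[int, ...], required: int) -> bool:
    """Accept when at least `required` of FEATURES positions agree."""
    return match_score(template, candidate) >= required


def false_negative_rate(template: list[bytes], genuine_scans: list[tuple[int, ...]],
                        required: int) -> float:
    """Fraction of genuine re-scans rejected at this precision setting."""
    rejected = sum(1 for scan in genuine_scans if not fuzzy_match(template, scan, required))
    return rejected / len(genuine_scans)


def accepted_synthetic_count(template: list[bytes], required: int) -> int:
    """The brute-force loop from the post: enumerate every synthetic template the
    scanner could distinguish and count how many the stored hashes accept."""
    return sum(1 for cand in itertools.product(range(LEVELS), repeat=FEATURES)
               if fuzzy_match(template, cand, required))


def recover_buckets(template: list[bytes]) -> tuple[int, ...]:
    """Per-position dictionary lookup: LEVELS guesses recover each enrolled bucket
    from its hash, so the one-way property hides nothing at this domain size."""
    return tuple(next(b for b in range(LEVELS) if bucket_hash(pos, b) == stored)
                 for pos, stored in enumerate(template))


def precision_tradeoff(seed: int = 1, genuine_trials: int = 500) -> dict[int, tuple[float, int]]:
    """For several precision settings return (false-negative rate, synthetic
    templates accepted). Stricter matching lowers the second but raises the first."""
    rng = random.Random(seed)
    finger = [rng.uniform(0.0, LEVELS - 1.0) for _ in range(FEATURES)]  # constructed finger
    template = enroll([capture(finger, rng) for _ in range(ENROLL_SCANS)])
    genuine = [capture(finger, rng) for _ in range(genuine_trials)]
    return {req: (false_negative_rate(template, genuine, req),
                  accepted_synthetic_count(template, req))
            for req in (5, 7, FEATURES)}


if __name__ == "__main__":
    for req, (fnr, accepted) in precision_tradeoff().items():
        print(f"require {req}/{FEATURES} positions: false negatives {fnr:.0%}, "
              f"synthetic templates accepted {accepted} of {LEVELS ** FEATURES}")
```

Because every position has exactly one matching bucket, the number of synthetic templates accepted depends only on the threshold: 1789 of the 65536 candidates pass at 5-of-8, 25 at 7-of-8 and just 1 at 8-of-8, while the false-negative rate on genuine re-scans climbs as the threshold tightens. `recover_buckets` is the same observation in its simplest form: hashing a small domain is a lookup table, which is why keeping templates on the device rather than in a central database changes the risk more than the choice of hash does.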

By: Bill Shooter of Bul
I have tried this before; I've used fingerprint readers, smart card readers, and yes, YubiKey. I'm back to using a password on Linux. Why? It's a royal, royal pain in the behind. Even when implemented correctly it's still a terrible solution prone to breaking. I thought it was absurdly difficult years ago and it hasn't changed.