Just looked. From what I read the phishing attack would really only work for accounts that someone would have to goto a web page for login (which could be faked) and get the details. But for ssh login there is not the same risk.
Thanks
On Feb 26, 2020, at 11:34 AM, Jeffrey Paul sneak@sneak.berlin wrote:
The phished credentials are generally used immediately to take over the account.
-- Jeffrey Paul sneak@sneak.berlin
On Wed, Feb 26, 2020, at 10:26 AM, deepend wrote: Would be interested in hearing more information on how someone is phishing a code that is only valid for like 30 seconds? Is there more to that story then just phishing?
Thanks
On Feb 26, 2020, at 11:09 AM, Jeffrey Paul sneak@sneak.berlin wrote:
Note that for U2F you also need ssh client support, so this would require a lot of people to recompile their ssh client.
Due to the fact that those six digit numeric 2FA codes (TOTP) are phishable, I recommend sticking with a split-key system like U2F or plain ol’ ssh keys. The latter is widely supported, even on things like iPads and the like, and needs no special client support.
If you are using a full Yubikey for U2F (and not the cheaper blue U2F-only Yubikey), you can use the Yubikey in a smart card mode to generate and store an old-style SSH keypair. This is what I do and it works great.
Best, -sneak
-- Jeffrey Paul +1 312 361 0355 (voice, sms, Signal) This message content should be treated as confidential, and if you are an attorney, should be handled as privileged.
On Feb 26, 2020, at 09:58, ngp ngp@tilde.club wrote:
On Wed Feb 26, 2020 at 10:50 AM, deepend wrote: Found a file mentioning that Fido/U2F auth being available in 8.1. But some websites say it came in 8.2. Not sure who to believe.
Tilde club currently runs Fedora 30.
Fedora 30 appears to be up to OpenSSH 8.0p1, so either way it's not available :/