How not to sell me something — Why I won’t be maintaining Yubikey software directly in Gentoo

You probably remember my previous notes about WordPress, FTP and the problem with security. At the end, after a (boring) set-up session, I was able to get vsftpd to provide an FTPS service, which should be usable both by WordPress and by Dreamweaver, so that my friend the webmaster can upload through it directly.

This is important because, as it happens, I have another prospective customer who’s going to run WordPress, and FTPS now starts to look more interesting than SSH, as it doesn’t require me to give shell access to the server either.

Unfortunately I’m a bit worried (maybe more than I should be) about the use of standard passwords rather than certificates or keypairs for authentication. Which meant I tried to think of other alternatives, of which there are mostly two: Google Authenticator and YubiKey.

The latter I knew by name already because I proxy-maintain the required software for Brant, and I know it’s outdated already and would require a new maintainer who can deal with those packages – I already posted about hardware-related maintenance for what it’s worth – so it was my first choice: while it meant I had to spend some money, it would have solved my problem and improved Gentoo, even if just for a tiny bit. The price for YubiKey devices is also low enough that, if I felt like providing more FTPS access to customers, I could simply bill it to them without many complaints.

So I went on the manufacturer’s (Yubico’s) website and tried to buy two of them (one for me to test and set up, and one to give my friend to access the server); despite publishing the prices in dollars, they sell through Sweden and the UK, which means they are part of the EU’s VAT area, and me being a registered business within the EU, I should receive a reverse-charge invoice by stating my own VAT ID… I never had much of a problem with it, as many of my suppliers are spread across Europe, and I registered for the “foreign-enabled” registry right when I opened the business — don’t ask me why Italian (and Spanish, as far as I can tell) business owners are not enabled by default to have intra-union suppliers.

Now trouble starts: since, as I just noted, not all VAT IDs are valid to use for intra-union trade, there has to be a way to ensure you’re dealing with an acceptable party. This is implemented through VIES, the VAT Information Exchange System, which, for what concerns Italian businesses, only tells you a boolean result of valid/invalid (and not the full registration data that most other states seem to provide). I knew VIES from a previous business agreement, but I never cared much. It turns out, though, that most e-shops I encountered validate the VAT ID after the order is completed — or, in the case of Amazon, it seems like they check their internal database as well as VIES.

Yubico instead validates the request through VIES at the time of registration:

VAT Number could not be validated with VIES at this time. This typically happens when the service is under maintenance. Please retry after some time. For urgent orders, please contact order@yubico.com

Considering that the VIES website has a long disclaimer (which I can’t quote here for reasons that will be clear in a moment) stating that they do not guarantee the availability of the service at any time, and only seem to guarantee the validity of the data to the extent that the law asks them to (which probably means “as long as the states’ own databases are correct”), relying on such a service at registration time is… bad.

The VIES website has indeed been down since at least 11am today (over four hours ago as I write this); for a moment they also gave me an interesting page (which I forgot to save), telling me that there were too many request failures from “my IP address”… listing an IP address in the 2128 range — my actual IP address is in the 948 range.

What’s the end result here? I’ll probably waste some more time trying to get Google Authenticator; Yubico basically lost a customer and a (possible) contributor by trying and failing to be smarter and won’t have a dedicated maintainer in Gentoo in the near future. It’s sad, because it seems to be easily the most cost- and time-effective solution out there (Google Authenticator is free, but it requires a greater investment of time, and time is money as we all should know).

5 thoughts on “How not to sell me something — Why I won’t be maintaining Yubikey software directly in Gentoo”

  1. I have two yubikeys myself. They are really nice. I was looking at making some ebuilds for the required packages (libyubikey, yubico-c-client, yubico-pam) but as yubico-pam doesn’t compile on gentoo (http://code.google.com/p/yu… I have left it for the time being.


  2. Some of the packages you list are already present and “just” need bumping and fixing.. as I said I’d have done so myself if I could get the keys, but for now I have to wait, hoping that Yubico does good on what they said over Twitter (fix the registration process) so that I can actually get a couple of them. As long as VIES is involved, I won’t bother trying to register/order them.. so either they send me a sample or someone else will have to take care of the ebuilds’ updates..


  3. You write that FTPS spares you having to grant shell access – do you also count OpenSSH’s sftp-only as shell access? This way you can use SFTP, OpenSSH keys and all its goodies (without having to run yet another potentially vulnerable service, i.e. vsftpd) and still grant only basic file transfer permissions without giving out real shell access. OpenSSH’s sftponly also supports chrooting users/groups directly.

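As an added illustration of the sftp-only setup the commenter describes (this is not part of the original post or comments), here is an sshd_config fragment that confines one group to key-authenticated file transfer inside a chroot. The group name `sftponly` and the directory layout under `/srv/sftp` are placeholders chosen for the example.

```text
# Added example, not from the post: SFTP-only users with no shell access.
# internal-sftp runs the SFTP server inside sshd, so the chroot needs no
# binaries or libraries of its own.
Subsystem sftp internal-sftp

Match Group sftponly
    # sshd refuses the login unless every path component of the chroot
    # target is owned by root and not writable by group or others.
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    # Keys only; the password concern from the post does not apply.
    PasswordAuthentication no
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

Because the chroot root itself must be root-owned, each user gets a writable subdirectory inside it (for instance `/srv/sftp/<user>/htdocs`, owned by that user) to upload into. Run `sshd -t` after editing to have sshd check the configuration before reloading it, and keep the `Match` block at the end of the file, since everything after `Match` until the next `Match` is scoped to it.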

  4. Hi Diego, we invite you to take a look at Duo Security! We’re Hardened Gentoo users (and OpenSSH authors) ourselves, and believe we have a better solution than either GAuth or Yubikey – see the nice writeup of our solution in last month’s Linux Format magazine: http://www.duosecurity.com/


  5. Google authenticator is fairly simple to set up (if you have a supported phone). I’ve got a live package in my dev overlay. After that it’s just hooking it up into pam. (I use it for non-local logins on my laptop, when not using public private key auth)

