hello, On Wed, Mar 09, 2005 at 01:38:22AM +0100, David Härdeman wrote: > o when the usb key is inserted, the user is prompted for a password to > the encrypted loopback file which is then mounted, the ssh keys within > are fed to ssh agent, and the file is unmounted again.
you could easily extend the script i wrote to unencrypt/loop-mount a filesystem-in-a-file without too much effort. prod me enough and i might do it myself. > o hopefully, in combination with libpam-usb and/or libpam-mount, it > would be possible to reduce the number of password prompts to one. you should only need a password for encrypted things. since the hotplug script runs as root you can have that take care of all the other details. so, as long as you have either an unencrypted ext2 filesystem-file with encrypted ssh-keys or vice versa, you should only need one password. > Bonus stuff: > > o It would be a neat trick to have the keys which were once loaded from > the usb key into the ssh agent automatically removed from the agent > when the key is removed from the computer (meaning you could quickly > yank the key, go for lunch, return, reinsert it and continue working). my script already does this. in fact, it's selective enough to leave other keys that it didn't load still in memory. this was a little tricky to accomplish, and is done by copying the public key into a temporary location (under /var/cache/keyloader/pubkeys/$USER), and when the device is removed those keys are passed to ssh-add -d. > o check both at insertion time and at "first login" time for the usb key > (so that the key can be either inserted from boot or inserted during an > existing session). that would be nice, though a quick workaround is to remove and re-insert the key :). > o a /dev/udev.d file which is run after the node is created that does > the necessary root-level setup and then calls > > o a user-specific script which loads the keys (and prompts for necessary > passwords) etc. better watch out where root and the user cross paths... sean --
signature.asc
Description: Digital signature