Quoting Fredrik Thulin ([email protected]):

> Hi
>
> [repost after properly registering e-mail address]
>
> I'm sending this message to see if there is any interest in
> collaboration regarding development of multi-factor protection of user
> data.
I'm interested, yes.

> I'm currently experimenting with using YubiKey USB tokens with
> HMAC-SHA1 challenge-response to unlock my encrypted home directory
> (disclaimer: I work for Yubico).

Cool, two or three years ago I was just about set to place an order for
some of these keys (group order to make them cheaper :). Something
happened, forget what...

> I'm glad to report that I've got a proof of concept working. We have a
> PAM module for doing OTP validated logins that has recently been
> extended to also support offline authentication using the
> challenge-response mode available since YubiKey 2.2.
>
> Today, I made that PAM module store an authentication token (currently
> the result of a static challenge) upon successful validation, which
> meant that pam_ecryptfs would not get my login password from PAM
> anymore, but rather get the result of the challenge-response.
>
> After that, it was simply a matter of rewrapping my ecryptfs
> passphrase to get it protected by something I have (my YubiKey) plus
> something I know (my password, part of the challenge) and voila, two
> factor authenticated eCryptfs!
>
> This is a list of things I see that would benefit from discussion:
>
> * Is it a sufficiently good design to base the passphrase passing on
> PAM authtoks?

(Not sure what you mean. I'll take another look after I clear some
things off my plate)

> * Would this require any additions to ecryptfs at all? For example to
> not complicate password changing beyond requiring the YubiKey to be
> inserted at the time of password changing?
>
> * Is it a show stopper that you can't unlock your eCryptfs data
> remotely? Or is it perhaps a feature?

Depends who you ask :) For me it would be a feature.

> * What should be used as challenge? The username alone isn't enough to
> salt the hash.
>
> The code is available on Github.
>
> $ git clone -b feature/chalresp_authtok_generation \
> git://github.com/fredrikt/yubico-pam.git

Thanks, I'd like to take a look, though probably won't have time during
this week.

> More information is available in the source code, see the commit:
>
> https://github.com/fredrikt/yubico-pam/commit/476767a5cb59fa0bb27ad2d99e276c0066cd044b
>
> I'm sure there is more to say, but it's late where I am. Good night.

Winning :) thanks.

-serge
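A sketch of the two-factor derivation Fredrik describes (password mixed into the challenge, YubiKey HMAC-SHA1 response turned into the authtok handed to pam_ecryptfs), added here as an illustration; it is not code from yubico-pam or ecryptfs-utils. The FakeYubiKey class, the host_salt value, the PBKDF2 challenge construction and the final hashing step are assumptions, and the actual eCryptfs passphrase rewrapping is left out.

```python
import hashlib
import hmac


class FakeYubiKey:
    """Constructed stand-in for a YubiKey HMAC-SHA1 challenge-response slot:
    the 20-byte slot secret never leaves the token, the host only sees the
    response, which is the 'something you have' factor."""

    def __init__(self, slot_secret: bytes):
        self._secret = slot_secret

    def challenge_response(self, challenge: bytes) -> bytes:
        if len(challenge) > 64:  # the slot takes at most 64 challenge bytes
            raise ValueError("challenge too long for HMAC-SHA1 slot")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()

def make_challenge(username: str, password: str, host_salt: bytes) -> bytes:
    """Hypothetical challenge construction ('something you know'): the
    username alone would let anyone holding the token reproduce the response,
    so the password is stretched with PBKDF2, salted with the username plus a
    random per-host value, and the 32-byte output becomes the challenge."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               username.encode() + host_salt, 100_000, dklen=32)

def derive_authtok(token: FakeYubiKey, username: str, password: str,
                   host_salt: bytes) -> str:
    """Value a PAM module could store as the authtok handed to pam_ecryptfs.
    The raw response is hashed once more so the token output itself is not
    passed down the PAM stack."""
    response = token.challenge_response(make_challenge(username, password, host_salt))
    return hashlib.sha256(b"ecryptfs-authtok:" + response).hexdigest()

def demo() -> dict:
    host_salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    key = FakeYubiKey(bytes.fromhex("0b" * 20))                    # constructed
    pw = "correct horse battery"
    good = derive_authtok(key, "alice", pw, host_salt)
    return {
        # same password and token reproduce the wrapping secret on every login
        "stable": good == derive_authtok(key, "alice", pw, host_salt),
        # the token alone (wrong password) does not reproduce it
        "needs_password": good != derive_authtok(key, "alice", "wrong", host_salt),
        # the password alone (different token secret) does not reproduce it
        "needs_token": good != derive_authtok(
            FakeYubiKey(bytes.fromhex("0c" * 20)), "alice", pw, host_salt),
        # the same user and password on another host give a different secret
        "host_bound": good != derive_authtok(key, "alice", pw, bytes.fromhex("ff" * 16)),
    }
```

Changing the password means re-deriving the authtok with the token present and rewrapping the passphrase under it, which is the password-change complication raised above.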
_______________________________________________
Mailing list: https://launchpad.net/~ecryptfs-users
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~ecryptfs-users
More help   : https://help.launchpad.net/ListHelp

