On Tue, Mar 15, 2011 at 2:57 PM, Serge E. Hallyn <[email protected]> wrote:
...
>> This is a list of things I see that would benefit from discussion:
>>
>> * Is it a sufficiently good design to base the passphrase passing on
>> PAM authtok's?
>
> (Not sure what you mean. I'll take another look after I clear some
> things off my plate)

I'm thinking there might be security concerns with passing the unprotected pass phrase from one PAM module to another, for example, and that perhaps passing it through PAM places unwanted restrictions on the passphrase.

eCryptfs seems to support 64-char pass phrases. The YubiKey currently "only" produces a 20-byte HMAC-SHA1, so I can just hex encode that into 40 bytes to avoid problems with special bytes (null, linefeed, perhaps others), but the best design would allow for passing the full 64 bytes binary clean I guess... or more in case eCryptfs ever gets support for even longer pass phrases.

/Fredrik
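
The encoding concern in the message above, as an added example that is not code from this thread or from the eCryptfs or YubiKey projects: it shows how a raw 20-byte HMAC-SHA1 response loses bytes when handled as a NUL-terminated string or read as a line, while the 40-character hex form survives intact. The key, the counter-style challenges and all helper names are constructed for the illustration, and the two "survives" helpers are a simplified model of string and line handling.

```python
import hashlib
import hmac

# Constructed sample key for illustration only (assumption, not a real slot secret).
SAMPLE_KEY = bytes(range(20))
SPECIAL = (0x00, 0x0A)  # NUL and linefeed, the special bytes named in the message


def response(challenge: bytes) -> bytes:
    """20-byte HMAC-SHA1 response to a challenge."""
    return hmac.new(SAMPLE_KEY, challenge, hashlib.sha1).digest()


def as_c_string(value: bytes) -> bytes:
    """Bytes that survive when the value is treated as a NUL-terminated string."""
    return value.split(b"\x00", 1)[0]


def first_line(value: bytes) -> bytes:
    """Bytes that survive when the value is read back as a single line."""
    return value.split(b"\n", 1)[0]


def find_problem_challenge(limit: int = 10000):
    """First constructed challenge whose raw response contains NUL or linefeed."""
    for i in range(limit):
        challenge = i.to_bytes(4, "big")
        if any(b in SPECIAL for b in response(challenge)):
            return challenge
    return None


def compare_encodings() -> dict:
    """Compare how much of the raw and hex-encoded response survives transport."""
    raw = response(find_problem_challenge())
    hexed = raw.hex().encode("ascii")  # 20 bytes -> 40 chars from [0-9a-f]
    return {
        "raw_len": len(raw),
        "raw_survives": min(len(as_c_string(raw)), len(first_line(raw))),
        "hex_len": len(hexed),
        "hex_survives": len(first_line(as_c_string(hexed))),
        "round_trip": bytes.fromhex(hexed.decode("ascii")) == raw,
    }


if __name__ == "__main__":
    print(compare_encodings())
```

Hex encoding doubles the length but carries the same 160 bits, so the 40-character form fits within the 64-character limit the message mentions.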

