Quoting Fredrik Thulin ([email protected]):
...
> > So with that in mind, here's how I might prefer to go about it. The
> > yubikey supports two 'configs' or 'slots'. I propose we exploit that.
> > First we use config 1 for OTP challenge-response - but we only use that
> > to authenticate to the system.
>
> Oh yes, definitely. Sorry for not mentioning that - I focused on the
> ecryptfs related things in my original post.

Ok, that makes all the difference :) I agree the static passphrase has
its problems with someone able to just sneakily plug it into their own
laptop to steal the passphrase :)

> Yes, a user with a Yubikey would most likely use OTP validation to log
> in to the system.

Cool. Now the other thing I don't like is having the username:pwd
pushed to the yubikey, only bc it's USB and I dunno, I can just see
someone coming up with a sneaky way to grab that. Does it help at all
to send sha1sum(username:pwd) to the yubikey instead? It also helps
with your concerns about sufficient salt, right?

-serge

_______________________________________________
Mailing list: https://launchpad.net/~ecryptfs-users

