ecryptfs-users team mailing list archive
Message #00086
hardware token
Hi
[repost after properly registering e-mail address]
I'm sending this message to see if there is any interest in
collaboration regarding development of multi-factor protection of user
data.
I'm currently experimenting with using YubiKey USB tokens with
HMAC-SHA1 challenge-response to unlock my encrypted home directory
(disclaimer: I work for Yubico).
I'm glad to report that I've got a proof of concept working. We have a
PAM module for doing OTP validated logins that has recently been
extended to also support offline authentication using the
challenge-response mode available since YubiKey 2.2.
Today, I made that PAM module store an authentication token (currently
the result of a static challenge) upon successful validation which
meant that pam_ecryptfs would not get my login password from PAM
anymore, but rather get the result of the challenge-response.
After that, it was simply a matter of rewrapping my ecryptfs
passphrase to get it protected by something I have (my YubiKey) plus
something I know (my password, part of the challenge) and voila, two-
factor authenticated eCryptfs!
This is a list of things I see that would benefit from discussion:
* Is it a sufficiently good design to base the passphrase passing on
PAM authtoks?
* Would this require any additions to ecryptfs at all? For example to
not complicate password changing beyond requiring the YubiKey to be
inserted at the time of password changing?
* Is it a show stopper that you can't unlock your eCryptfs data
remotely? Or is it perhaps a feature?
* What should be used as challenge? The username alone isn't enough to
salt the hash.
The code is available on Github.
$ git clone -b feature/chalresp_authtok_generation \
git://github.com/fredrikt/yubico-pam.git
More information is available in the source code, see the commit:
https://github.com/fredrikt/yubico-pam/commit/476767a5cb59fa0bb27ad2d99e276c0066cd044b
I'm sure there is more to say, but it's late where I am. Good night.
/Fredrik
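The flow described in the mail, as an added, simplified model (not Fredrik's code and not the yubico-pam or ecryptfs code): the YubiKey is an HMAC-SHA1 oracle over a secret that never leaves it, the PAM authtok handed to pam_ecryptfs is the response to a challenge mixing username and login password, and the mount passphrase is rewrapped under that authtok. The class and function names are assumptions, and the encrypt-then-MAC wrapping is a stand-in for the real ecryptfs wrapped-passphrase format, which it does not reproduce.

```python
import hashlib
import hmac
import os

class YubiKeyModel:
    """Stand-in for the token (added example): the HMAC-SHA1 secret never leaves it."""
    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def challenge_response(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()

def make_challenge(username: str, password: str) -> bytes:
    # The username alone is too predictable a salt; mixing in the password
    # makes the response depend on what you know as well as what you have.
    return hashlib.sha256(username.encode() + b"\x00" + password.encode()).digest()

def authtok(token: YubiKeyModel, username: str, password: str) -> bytes:
    """What the PAM module would hand to pam_ecryptfs instead of the login password."""
    return token.challenge_response(make_challenge(username, password))

def _derive(tok: bytes, label: bytes, salt: bytes) -> bytes:
    return hmac.new(tok, label + salt, hashlib.sha256).digest()

def _keystream(key: bytes, salt: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, salt + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap_passphrase(passphrase: bytes, tok: bytes, salt: bytes = None) -> bytes:
    """Encrypt-then-MAC stand-in for the wrapped-passphrase file (not ecryptfs's real format)."""
    salt = salt or os.urandom(16)
    ks = _keystream(_derive(tok, b"enc", salt), salt, len(passphrase))
    ct = bytes(a ^ b for a, b in zip(passphrase, ks))
    tag = hmac.new(_derive(tok, b"mac", salt), salt + ct, hashlib.sha256).digest()
    return salt + ct + tag

def unwrap_passphrase(blob: bytes, tok: bytes):
    """Return the mount passphrase, or None if the token/password pair is wrong."""
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_derive(tok, b"mac", salt), salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None  # fail closed: wrong YubiKey or wrong password
    ks = _keystream(_derive(tok, b"enc", salt), salt, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))
```

Unwrapping fails for a wrong password and for a different token alike, which is the two-factor property the mail describes; it also shows why the data cannot be unlocked without the token present.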