
ecryptfs-users team mailing list archive

hardware token


Hi

[repost after properly registering e-mail address]

I'm sending this message to see if there is any interest in
collaboration regarding development of multi-factor protection of user
data.

I'm currently experimenting with using YubiKey USB tokens with
HMAC-SHA1 challenge-response to unlock my encrypted home directory
(disclaimer: I work for Yubico).

I'm glad to report that I've got a proof of concept working. We have a
PAM module for doing OTP validated logins that has recently been
extended to also support offline authentication using the
challenge-response mode available since YubiKey 2.2.

Today, I made that PAM module store an authentication token (currently
the result of a static challenge) upon successful validation which
meant that pam_ecryptfs would not get my login password from PAM
anymore, but rather get the result of the challenge-response.

After that, it was simply a matter of rewrapping my ecryptfs
passphrase to get it protected by something I have (my YubiKey) plus
something I know (my password, part of the challenge) and voila, two-
factor authenticated eCryptfs!

This is a list of things I see that would benefit from discussion:

* Is it a sufficiently good design to base the passphrase passing on
PAM authtoks?

* Would this require any additions to ecryptfs at all? For example to
not complicate password changing beyond requiring the YubiKey to be
inserted at the time of password changing?

* Is it a show stopper that you can't unlock your eCryptfs data
remotely? Or is it perhaps a feature?

* What should be used as challenge? The username alone isn't enough to
salt the hash.

The code is available on Github.

 $ git clone -b feature/chalresp_authtok_generation \
        git://github.com/fredrikt/yubico-pam.git

More information is available in the source code, see the commit:

https://github.com/fredrikt/yubico-pam/commit/476767a5cb59fa0bb27ad2d99e276c0066cd044b

I'm sure there is more to say, but it's late where I am. Good night.

/Fredrik
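As an added illustration (not code from the post, from the yubico-pam module, or from eCryptfs), the following Python models the flow described above: the token's HMAC-SHA1 challenge-response is simulated in software, the challenge binds username and password, and the token's answer becomes the authtok that protects a wrapped mount passphrase. The challenge layout, the derivation of the authtok and the toy wrapping are assumptions made for this example; the real eCryptfs wrapped-passphrase file format and the module's actual challenge construction are not reproduced. The `username_only_authtok` function shows the problem raised in the last discussion point: with the username alone as challenge, the authtok can be reproduced by anyone holding the token, without the password, so only one factor is really in play.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example value: a 20-byte HMAC-SHA1 secret as programmed into a
# YubiKey slot. A real token never reveals this secret; it only answers
# challenges with HMAC-SHA1(secret, challenge).
TOKEN_SECRET = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")


def token_response(secret: bytes, challenge: bytes) -> bytes:
    """Software model of the YubiKey HMAC-SHA1 challenge-response slot.

    'secret' stands in for the key that lives on the device; the token
    accepts challenges of at most 64 bytes and returns the 20-byte digest.
    """
    if len(challenge) > 64:
        raise ValueError("challenge exceeds the token's 64-byte limit")
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def build_challenge(username: str, password: str) -> bytes:
    """Assumed challenge layout: hash of username and password.

    The username is the per-user salt, the password the 'something you know'.
    Hashing keeps the challenge a fixed 32 bytes whatever the password length.
    """
    return hashlib.sha256(username.encode() + b"\0" + password.encode()).digest()


def derive_authtok(secret: bytes, username: str, password: str) -> str:
    """Authtok the PAM module hands down the stack instead of the login
    password (assumed derivation: a hash over the token's response)."""
    response = token_response(secret, build_challenge(username, password))
    return hashlib.sha256(b"ecryptfs-authtok" + response).hexdigest()


def username_only_authtok(secret: bytes, username: str) -> str:
    """Weak variant: challenge = username alone. No password is involved, so
    anyone who can plug in the token can reproduce the authtok."""
    response = token_response(secret, username.encode())
    return hashlib.sha256(b"ecryptfs-authtok" + response).hexdigest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream for the toy wrapper below."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap_passphrase(mount_passphrase: bytes, authtok: str) -> bytes:
    """Toy wrapping (not the eCryptfs wrapped-passphrase format): PBKDF2
    stretches the authtok, a keystream encrypts the mount passphrase and an
    HMAC tag lets unwrap reject a wrong authtok instead of returning garbage."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", authtok.encode(), salt, 100_000, 32)
    stream = _keystream(key, salt, len(mount_passphrase))
    ct = bytes(a ^ b for a, b in zip(mount_passphrase, stream))
    tag = hmac.new(key, salt + ct, hashlib.sha256).digest()
    return salt + tag + ct


def unwrap_passphrase(blob: bytes, authtok: str) -> Optional[bytes]:
    """Returns the mount passphrase, or None when the authtok is wrong
    (token missing, different token, or wrong password in the challenge)."""
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    key = hashlib.pbkdf2_hmac("sha256", authtok.encode(), salt, 100_000, 32)
    expected = hmac.new(key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, salt, len(ct))))


if __name__ == "__main__":
    mount_pp = os.urandom(16)  # constructed: a random eCryptfs mount passphrase
    tok = derive_authtok(TOKEN_SECRET, "fredrik", "correct horse")
    blob = wrap_passphrase(mount_pp, tok)
    assert unwrap_passphrase(blob, tok) == mount_pp
    # token present, wrong password: no unlock
    assert unwrap_passphrase(blob, derive_authtok(TOKEN_SECRET, "fredrik", "wrong")) is None
    # password known, different token: no unlock
    assert unwrap_passphrase(blob, derive_authtok(os.urandom(20), "fredrik", "correct horse")) is None
    print("two-factor unlock OK")
```

The two failing `unwrap_passphrase` calls in the main block are the point of the design: losing either factor leaves the wrapped passphrase unreadable, and the HMAC tag turns a wrong factor into a clean failure rather than a corrupted key. Note also that `unwrap_passphrase` needs the physical token to answer the challenge, which is the remote-unlock limitation mentioned in the third discussion point.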


