ecryptfs-users team mailing list archive

Re: hardware token


Quoting Fredrik Thulin (fredrik@xxxxxxxxxx):
> Hi
> 
> [repost after properly registering e-mail address]
> 
> I'm sending this message to see if there is any interest in
> collaboration regarding development of multi-factor protection of user
> data.

I'm interested, yes.

> I'm currently experimenting with using YubiKey USB tokens with
> HMAC-SHA1 challenge-response to unlock my encrypted home directory
> (disclaimer: I work for Yubico).

Cool, two or three years ago I was just about set to place an order for
some of these keys (group order to make them cheaper :).  Something
happened, forget what...

> I'm glad to report that I've got a proof of concept working. We have a
> PAM module for doing OTP validated logins that has recently been
> extended to also support offline authentication using the
> challenge-response mode available since YubiKey 2.2.
> 
> Today, I made that PAM module store an authentication token (currently
> the result of a static challenge) upon successful validation which
> meant that pam_ecryptfs would not get my login password from PAM
> anymore, but rather get the result of the challenge-response.
> 
> After that, it was simply a matter of rewrapping my ecryptfs
> passphrase to get it protected by something I have (my YubiKey) plus
> something I know (my password, part of the challenge) and voila, two
> factor authenticated eCryptfs!
> 
> This is a list of things I see that would benefit from discussion:
> 
> * Is it a sufficiently good design to base the passphrase passing on
> PAM authtoks?

(Not sure what you mean.  I'll take another look after I clear some
things off my plate)

> * Would this require any additions to ecryptfs at all? For example to
> not complicate password changing beyond requiring the YubiKey to be
> inserted at the time of password changing?
> 
> * Is it a show stopper that you can't unlock your eCryptfs data
> remotely? Or is it perhaps a feature?

Depends who you ask :)  For me it would be a feature.

> * What should be used as challenge? The username alone isn't enough to
> salt the hash.
> 
> The code is available on Github.
> 
>  $ git clone -b feature/chalresp_authtok_generation \
>         git://github.com/fredrikt/yubico-pam.git

Thanks, I'd like to take a look, though probably won't have time during
this week.

> More information is available in the source code, see the commit :
> 
> https://github.com/fredrikt/yubico-pam/commit/476767a5cb59fa0bb27ad2d99e276c0066cd044b
> 
> I'm sure there is more to say, but it's late where I am. Good night.

Winning  :)

thanks.
-serge
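To make the flow Fredrik describes concrete, here is an added simulation (not code from the thread or from the yubico-pam project): a stand-in for the YubiKey's HMAC-SHA1 challenge-response produces an authtok from a salted challenge that includes the password, and that authtok, rather than the login password, is what wraps the mount passphrase. The wrapping format, the challenge construction and all secrets below are constructed assumptions for illustration; ecryptfs's real wrapped-passphrase format is not reproduced.

```python
"""Simulated two-factor eCryptfs unwrap: token response (something you have)
over a challenge that includes the password (something you know)."""
import hmac, hashlib, os

def yubikey_chalresp(token_secret: bytes, challenge: bytes) -> bytes:
    """Stand-in for the token: HMAC-SHA1 with a 20-byte secret that never leaves
    the device. Assumption: the real token computes exactly this over the challenge."""
    return hmac.new(token_secret, challenge, hashlib.sha1).digest()

def build_challenge(username: str, password: str, salt: bytes) -> bytes:
    """Challenge mixes password and a random per-user salt; the username alone is
    predictable, so it is not a sufficient salt (the thread's open question)."""
    return hashlib.sha256(salt + username.encode() + b"\0" + password.encode()).digest()

def derive_authtok(token_secret: bytes, username: str, password: str, salt: bytes) -> str:
    """The value a PAM module would hand to pam_ecryptfs instead of the login password."""
    return yubikey_chalresp(token_secret, build_challenge(username, password, salt)).hex()

def wrap_passphrase(passphrase: bytes, authtok: str) -> bytes:
    """Toy wrapping (NOT ecryptfs's format): PBKDF2 keystream XOR plus an HMAC tag.
    Layout: salt(16) || tag(32) || ciphertext."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", authtok.encode(), salt, 100_000, 32 + len(passphrase))
    ct = bytes(p ^ k for p, k in zip(passphrase, key[32:]))
    tag = hmac.new(key[:32], salt + ct, hashlib.sha256).digest()
    return salt + tag + ct

def unwrap_passphrase(blob: bytes, authtok: str):
    """Returns the passphrase, or None if the authtok (token or password) is wrong."""
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    key = hashlib.pbkdf2_hmac("sha256", authtok.encode(), salt, 100_000, 32 + len(ct))
    expected = hmac.new(key[:32], salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, key[32:]))

# Constructed sample values, not real secrets.
TOKEN_SECRET = bytes(range(20))
USER_SALT = b"constructed-salt"
MOUNT_PASSPHRASE = b"ecryptfs mount passphrase (constructed)"

def demo():
    """Wrap with the right token+password, then try with a wrong password and a wrong token."""
    tok = derive_authtok(TOKEN_SECRET, "alice", "correct horse", USER_SALT)
    blob = wrap_passphrase(MOUNT_PASSPHRASE, tok)
    good = unwrap_passphrase(blob, tok)
    wrong_pw = unwrap_passphrase(blob, derive_authtok(TOKEN_SECRET, "alice", "wrong pw", USER_SALT))
    wrong_tok = unwrap_passphrase(blob, derive_authtok(bytes(20), "alice", "correct horse", USER_SALT))
    return good, wrong_pw, wrong_tok
```

Losing either factor yields a different authtok, so the tag check fails and nothing is unwrapped; changing the login password then means rewrapping under the new authtok, which is the password-change complication raised in the thread.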
