ecryptfs-users team mailing list archive
Message #00087
Re: hardware token
Quoting Fredrik Thulin (fredrik@xxxxxxxxxx):
> Hi
>
> [repost after properly registering e-mail address]
>
> I'm sending this message to see if there is any interest in
> collaboration regarding development of multi-factor protection of user
> data.
I'm interested, yes.
> I'm currently experimenting with using YubiKey USB tokens with
> HMAC-SHA1 challenge-response to unlock my encrypted home directory
> (disclaimer: I work for Yubico).
Cool, two or three years ago I was just about set to place an order for
some of these keys (group order to make them cheaper :). Something
happened, forget what...
> I'm glad to report that I've got a proof of concept working. We have a
> PAM module for doing OTP validated logins that has recently been
> extended to also support offline authentication using the
> challenge-response mode available since YubiKey 2.2.
>
> Today, I made that PAM module store an authentication token (currently
> the result of a static challenge) upon successful validation which
> meant that pam_ecryptfs would not get my login password from PAM
> anymore, but rather get the result of the challenge-response.
>
> After that, it was simply a matter of rewrapping my ecryptfs
> passphrase to get it protected by something I have (my YubiKey) plus
> something I know (my password, part of the challenge) and voila, two
> factor authenticated eCryptfs!
>
> This is a list of things I see that would benefit from discussion:
>
> * Is it a sufficiently good design to base the passphrase passing on
> PAM authtoks?
(Not sure what you mean. I'll take another look after I clear some
things off my plate)
> * Would this require any additions to ecryptfs at all? For example to
> not complicate password changing beyond requiring the YubiKey to be
> inserted at the time of password changing?
>
> * Is it a show stopper that you can't unlock your eCryptfs data
> remotely? Or is it perhaps a feature?
Depends who you ask :) For me it would be a feature.
> * What should be used as challenge? The username alone isn't enough to
> salt the hash.
>
> The code is available on Github.
>
> $ git clone -b feature/chalresp_authtok_generation \
> git://github.com/fredrikt/yubico-pam.git
Thanks, I'd like to take a look, though probably won't have time during
this week.
> More information is available in the source code, see the commit:
>
> https://github.com/fredrikt/yubico-pam/commit/476767a5cb59fa0bb27ad2d99e276c0066cd044b
>
> I'm sure there is more to say, but it's late where I am. Good night.
Winning :)
thanks.
-serge
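The scheme Fredrik describes (a PAM module obtains an HMAC-SHA1 challenge-response from the YubiKey, derives an authtok from it, and hands that to pam_ecryptfs in place of the login password) can be modelled end to end in a few lines. The block below is an added illustration written for this archive page; it is not code from yubico-pam, ecryptfs-utils or Yubico. The token is emulated in software: a real YubiKey keeps the slot secret inside the device and only returns the 20-byte HMAC-SHA1 response. The slot secret, the per-user salt, the domain label, the challenge layout and the PBKDF2 parameters are all constructed assumptions chosen to show one answer to the "what should be used as challenge?" question: a length-prefixed hash of username, a random per-user salt and the password, so that the username alone (identical across hosts and easily guessed) is not the only salt.

```python
"""Two-factor eCryptfs authtok from an emulated YubiKey HMAC-SHA1 challenge-response.

Added example for the design discussed on the list, not project code. A real
token would replace token_response(); everything else could live in a PAM
module that stores the result as the authtok pam_ecryptfs later reads.
"""
import hashlib
import hmac

# Constructed 20-byte slot secret, standing in for the key programmed into
# the YubiKey's challenge-response slot. Never leaves a real device.
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c")

# Constructed per-user salt. Generated once at enrolment and stored next to
# the user's wrapped eCryptfs passphrase; it does not need to be secret.
USER_SALT = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")

YUBIKEY_MAX_CHALLENGE = 64  # challenge-response mode accepts at most 64 bytes


def token_response(challenge: bytes, secret: bytes = TOKEN_SECRET) -> bytes:
    """Emulate the token: HMAC-SHA1 of the challenge under the slot secret."""
    if not 1 <= len(challenge) <= YUBIKEY_MAX_CHALLENGE:
        raise ValueError("challenge must be 1..64 bytes")
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def build_challenge(username: str, password: str, salt: bytes) -> bytes:
    """Something-you-know plus a random salt, bound to the user name.

    Each field is length-prefixed so ("ab","c") and ("a","bc") cannot collide.
    The SHA-256 output is 32 bytes, comfortably inside the token's limit.
    """
    h = hashlib.sha256()
    for part in (b"ecryptfs-chalresp-example", username.encode(), salt, password.encode()):
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def derive_authtok(username: str, password: str, salt: bytes,
                   secret: bytes = TOKEN_SECRET) -> str:
    """Fold the token response and the password through PBKDF2.

    Mixing the password in a second time means the stored authtok depends on
    both factors even if the token response were observed on the USB bus.
    The hex string is what a PAM module would set as the authtok.
    """
    response = token_response(build_challenge(username, password, salt), secret)
    key = hashlib.pbkdf2_hmac("sha256", response + password.encode(), salt,
                              100_000, dklen=32)
    return key.hex()


def factors_are_independent(username: str, password: str, salt: bytes,
                            secret: bytes = TOKEN_SECRET) -> bool:
    """Sanity check: the derivation is deterministic, and changing any one of
    password, salt or token secret yields a different authtok."""
    ref = derive_authtok(username, password, salt, secret)
    other_token = bytes(b ^ 0xFF for b in secret)  # a different YubiKey
    return all([
        derive_authtok(username, password, salt, secret) == ref,
        derive_authtok(username, password + "x", salt, secret) != ref,
        derive_authtok(username, password, bytes(16), secret) != ref,
        derive_authtok(username, password, salt, other_token) != ref,
    ])


if __name__ == "__main__":
    tok = derive_authtok("fredrik", "correct horse", USER_SALT)
    print("authtok handed to pam_ecryptfs:", tok)
    print("factors independent:", factors_are_independent("fredrik", "correct horse", USER_SALT))
```

Because the challenge already contains the password, the token's response is useless without it, and because PBKDF2 is keyed on the response, the password is useless without the token; this is the "something I have plus something I know" property the message describes. It also makes Fredrik's third point concrete: there is no way to produce the authtok without the device present, so remote unlocking is off the table by construction. Changing the login password means re-deriving the authtok with the token inserted and rewrapping the eCryptfs passphrase under the new value, which is the password-change complication he raises.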