
ecryptfs-users team mailing list archive

Re: hardware token


On Tue, Mar 15, 2011 at 2:57 PM, Serge E. Hallyn
<serge.hallyn@xxxxxxxxxx> wrote:
...
>> This is a list of things I see that would benefit from discussion:
>>
>> * Is it a sufficiently good design to base the passphrase passing on
>> PAM authtoks?
>
> (Not sure what you mean.  I'll take another look after I clear some
> things off my plate)

I'm thinking there might be security concerns with passing the
unprotected pass phrase from one PAM module to another for example,
and that perhaps passing it through PAM places unwanted restrictions
on the passphrase.

eCryptfs seems to support 64-char pass phrases. The YubiKey currently
"only" produces a 20-byte HMAC-SHA1, so I can just hex-encode that into
40 bytes to avoid problems with special bytes (null, linefeed, perhaps
others), but the best design would allow for passing the full 64 bytes
binary clean I guess... or more in case eCryptfs ever gets support for
even longer pass phrases.

/Fredrik
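The encoding step described in the message above, as an added example that is not part of the original thread and not code from eCryptfs, the YubiKey tools or the PAM module under discussion. It computes the 20-byte HMAC-SHA1 response a challenge-response slot would return, shows what a NUL-terminated C string (the shape a PAM authtok has) keeps of those raw bytes, and contrasts that with the 40-character hex form. The device secret, the challenge values and the 64-character limit are constructed from the message's own figures; a real token never exposes its slot secret.

```python
import hmac
import hashlib

# Constructed 20-byte secret standing in for a YubiKey HMAC-SHA1 slot secret
# (an assumption for this example; the real secret never leaves the device).
DEVICE_SECRET = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")

# Passphrase length limit as stated in the message (assumed, not checked here
# against eCryptfs itself).
ECRYPTFS_MAX_PASSPHRASE = 64


def challenge_response(challenge: bytes, secret: bytes = DEVICE_SECRET) -> bytes:
    """HMAC-SHA1 over the challenge, the operation a challenge-response slot
    performs. The result is 20 raw bytes, each of which can take any value."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def c_string_view(raw: bytes) -> bytes:
    """What a NUL-terminated C string (for example a PAM authtok handed from
    one module to the next) keeps of the raw bytes: everything before 0x00."""
    nul = raw.find(b"\x00")
    return raw if nul < 0 else raw[:nul]


def is_line_safe(raw: bytes) -> bool:
    """True if the bytes survive being handled as one line of text: nothing
    outside printable ASCII, so no NUL, CR, LF or other control bytes."""
    return all(0x20 <= b <= 0x7E for b in raw)


def hex_passphrase(challenge: bytes) -> str:
    """The workaround from the message: hex-encode the 20-byte response into a
    40-character passphrase, which fits inside the 64-character limit."""
    passphrase = challenge_response(challenge).hex()
    if len(passphrase) > ECRYPTFS_MAX_PASSPHRASE:
        raise ValueError("passphrase exceeds the assumed eCryptfs limit")
    return passphrase


def first_nul_challenge(limit: int = 20000) -> bytes:
    """Search numbered challenges for one whose raw response contains a NUL.
    About one response in thirteen does, so the search ends quickly; the
    returned challenge demonstrates the truncation a C string would cause."""
    for n in range(limit):
        challenge = b"challenge-%d" % n
        if b"\x00" in challenge_response(challenge):
            return challenge
    raise RuntimeError("no NUL-bearing response found within the limit")


if __name__ == "__main__":
    nonce = b"login-nonce"
    raw = challenge_response(nonce)
    print("raw response length:", len(raw))
    print("hex passphrase:", hex_passphrase(nonce))

    bad = first_nul_challenge()
    truncated = c_string_view(challenge_response(bad))
    print("challenge whose raw response holds a NUL:", bad)
    print("bytes a C string would keep of it:", len(truncated), "of 20")
    print("bytes a C string keeps of the hex form:",
          len(c_string_view(hex_passphrase(bad).encode())), "of 40")
```

The search in `first_nul_challenge` is the practical point: any scheme that carries the raw 20 bytes through a C string will, for a noticeable fraction of challenges, silently shorten the key, while the hex form always arrives whole at the cost of halving the entropy per character rather than per byte.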


