
ecryptfs-users team mailing list archive

Re: hardware token

On Tue, Mar 15, 2011 at 8:57 AM, Serge E. Hallyn
<serge.hallyn@xxxxxxxxxx> wrote:
> Quoting Fredrik Thulin (fredrik@xxxxxxxxxx):
>> Hi
>>
>> [repost after properly registering e-mail address]
>>
>> I'm sending this message to see if there is any interest in
>> collaboration regarding development of multi-factor protection of user
>> data.
>
> I'm interested, yes.

Hi Fredrik,

From the questions I get, I can say that there is at least some
interest from eCryptfs users out there.

I posted in my blog a quick-n-dirty way to get 2-factor authentication
working with encrypted-home:
 * http://blog.dustinkirkland.com/2009/03/ubuntu-encrypted-home-with-2-factor.html

Basically, you move your ~/.ecryptfs/wrapped-passphrase to a usb key,
and symlink ~/.ecryptfs/wrapped-passphrase to wherever udev mounts
that usb key.  At this point, you'll have to have that USB key plugged
in (and udev will have to have mounted it) such that you can log in
and see your data.

>> I'm currently experimenting with using YubiKey USB tokens with
>> HMAC-SHA1 challenge-response to unlock my encrypted home directory
>> (disclaimer: I work for Yubico).

Interesting.  That sounds cryptographically more complex than the
quick/dirty hack I mentioned above.

> Cool, two or three years ago I was just about set to place an order for
> some of these keys (group order to make them cheaper :).  Something
> happened, forget what...
>
>> I'm glad to report that I've got a proof of concept working. We have a
>> PAM module for doing OTP validated logins that has recently been
>> extended to also support offline authentication using the
>> challenge-response mode available since YubiKey 2.2.
>>
>> Today, I made that PAM module store an authentication token (currently
>> the result of a static challenge) upon successful validation which
>> meant that pam_ecryptfs would not get my login password from PAM
>> anymore, but rather get the result of the challenge-response.
>>
>> After that, it was simply a matter of rewrapping my ecryptfs
>> passphrase to get it protected by something I have (my YubiKey) plus
>> something I know (my password, part of the challenge) and voila, two
>> factor authenticated eCryptfs!
>>
>> This is a list of things I see that would benefit from discussion:
>>
>> * Is it a sufficiently good design to base the passphrase passing on
>> PAM authtoks?
>
> (Not sure what you mean.  I'll take another look after I clear some
> things off my plate)

I think so, but I'd like to hear Serge's opinion on the matter.

>> * Would this require any additions to ecryptfs at all? For example to
>> not complicate password changing beyond requiring the YubiKey to be
>> inserted at the time of password changing?
>>
>> * Is it a show stopper that you can't unlock your eCryptfs data
>> remotely? Or is it perhaps a feature?
>
> Depends who you ask :)  For me it would be a feature.

Yeah, I think this is the "feature" of your approach.  However, this
is going to require very, very, very clear documentation and user
culling.  Too many users get involved with eCryptfs already, who have
no idea what's going on, and a few of them eventually lose their data
because they don't record their generated mount passphrase, or
something.

>> * What should be used as challenge? The username alone isn't enough to
>> salt the hash.
>>
>> The code is available on Github.
>>
>>  $ git clone -b feature/chalresp_authtok_generation \
>>         git://github.com/fredrikt/yubico-pam.git
>
> Thanks, I'd like to take a look, though probably won't have time during
> this week.
>
>> More information is available in the source code, see the commit:
>>
>> https://github.com/fredrikt/yubico-pam/commit/476767a5cb59fa0bb27ad2d99e276c0066cd044b
>>
>> I'm sure there is more to say, but it's late where I am. Good night.
>
> Winning  :)

Hehe.  Thanks for the pointers, Fredrik.  Would you know how to do the
debian packaging necessary to get your pam module installable from the
Ubuntu archive?

-- 
:-Dustin

Dustin Kirkland
Ubuntu Core Developer
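The unlock path Fredrik describes above (password folded into a YubiKey HMAC-SHA1 challenge, the response handed to pam_ecryptfs as the authtok, and the mount passphrase rewrapped under it) as an added, constructed model; this is not yubico-pam or ecryptfs-utils code, the YubiKey is simulated by a plain HMAC-SHA1 call, the per-user random salt is an assumption addressing the "username alone isn't enough" point, and the wrap is a toy stand-in for the real wrapped-passphrase format.

```python
import hashlib
import hmac
import secrets
from typing import Optional

def yubikey_hmac_sha1(device_secret: bytes, challenge: bytes) -> bytes:
    # Stand-in for the token's HMAC-SHA1 slot: the 20-byte secret never leaves
    # the YubiKey; only the HMAC over a challenge of at most 64 bytes does.
    if len(device_secret) != 20 or len(challenge) > 64:
        raise ValueError("bad secret or challenge length")
    return hmac.new(device_secret, challenge, hashlib.sha1).digest()

def build_challenge(password: str, salt: bytes) -> bytes:
    # "Something you know" goes into the challenge; the random per-user salt
    # (assumed stored beside the wrapped passphrase) replaces the bare username.
    return hashlib.sha256(salt + password.encode()).digest()  # 32 bytes <= 64

def _keystream(key: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def wrap_passphrase(mount_passphrase: bytes, authtok: bytes):
    # Toy authenticated wrap keyed by the authtok; returns (ciphertext, tag).
    enc_key = hashlib.sha256(b"enc" + authtok).digest()
    mac_key = hashlib.sha256(b"mac" + authtok).digest()
    ks = _keystream(enc_key, len(mount_passphrase))
    ct = bytes(a ^ b for a, b in zip(mount_passphrase, ks))
    return ct, hmac.new(mac_key, ct, hashlib.sha256).digest()

def unwrap_passphrase(ct: bytes, tag: bytes, authtok: bytes) -> Optional[bytes]:
    enc_key = hashlib.sha256(b"enc" + authtok).digest()
    mac_key = hashlib.sha256(b"mac" + authtok).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None  # wrong token or wrong password: refuse, never return garbage
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))

def enroll(password: str, device_secret: bytes, mount_passphrase: bytes) -> dict:
    # Rewrap the mount passphrase under the challenge-response result.
    salt = secrets.token_bytes(16)
    authtok = yubikey_hmac_sha1(device_secret, build_challenge(password, salt))
    ct, tag = wrap_passphrase(mount_passphrase, authtok)
    return {"salt": salt, "ct": ct, "tag": tag}

def unlock(password: str, device_secret: bytes, rec: dict) -> Optional[bytes]:
    # Login path: PAM holds the password, the token answers the challenge, and
    # the response (not the password) is what pam_ecryptfs would get as authtok.
    authtok = yubikey_hmac_sha1(device_secret, build_challenge(password, rec["salt"]))
    return unwrap_passphrase(rec["ct"], rec["tag"], authtok)
```

Losing either factor (wrong password or a different token secret) fails the tag check, which is the "you can't unlock remotely" property discussed above.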