
ecryptfs-users team mailing list archive

Re: hardware token


Quoting Fredrik Thulin (fredrik@xxxxxxxxxx):
...
> > So with that in mind, here's how I might prefer to go about it.  The
> > yubikey supports two 'configs' or 'slots'.  I propose we exploit that.
> > First we use config 1 for OTP challenge-response - but we only use that
> > to authenticate to the system.
> 
> Oh yes, definitely. Sorry for not mentioning that - I focused on the
> ecryptfs related things in my original post.

Ok, that makes all the difference :)

I agree the static passphrase has its problems with someone able to
just sneakily plug it into their own laptop to steal the passphrase :)

> Yes, a user with a Yubikey would most likely use OTP validation to log
> in to the system.

Cool.  Now the other thing I don't like is having the username:pwd
pushed to the yubikey, only bc it's usb and I dunno, I can just see
someone coming up with a sneaky way to grab that.  Does it help at
all to send sha1sum(username:pwd) to the yubikey instead?  It also
helps with your concerns about sufficient salt, right?

-serge
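An added example, not code from this thread or from ecryptfs-utils, sketching the idea in Serge's last paragraph: the host hashes username:pwd (with a per-system salt, an assumption here) before anything crosses the USB bus, and the token's challenge-response slot turns that digest into the passphrase material. `SimulatedToken` is a stand-in for the second YubiKey config (assumed to be HMAC-SHA1 challenge-response, as on real keys); the secret, salt and credentials are constructed sample values.

```python
import hashlib
import hmac
import os


def challenge_for(username: str, password: str, salt: bytes) -> bytes:
    """Reduce the credential to a fixed-size digest before it leaves the host.

    The raw "username:pwd" string never goes to the device; only
    sha1(salt || username:pwd) does. The salt keeps the challenge (and hence
    the derived passphrase) from being identical across systems that share
    a username/password pair (assumption: one salt per system, stored in
    the host's ecryptfs config).
    """
    cred = f"{username}:{password}".encode()
    return hashlib.sha1(salt + cred).digest()


class SimulatedToken:
    """Stand-in for a challenge-response slot (HMAC-SHA1 keyed by the token).

    Assumption: behaves like a YubiKey HMAC-SHA1 slot. The secret never
    leaves the device; the host only sees the 20-byte response.
    """

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_wrapping_passphrase(token: SimulatedToken, username: str,
                               password: str, salt: bytes) -> str:
    """Hex passphrase used to wrap the ecryptfs mount key (host side)."""
    response = token.respond(challenge_for(username, password, salt))
    return response.hex()


if __name__ == "__main__":
    # Constructed sample values; a real deployment programs the slot secret
    # into the device and never keeps it on the host.
    token = SimulatedToken(os.urandom(20))
    salt = os.urandom(16)
    print(derive_wrapping_passphrase(token, "alice", "hunter2", salt))
```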


