ecryptfs-users team mailing list archive
Message #00094
Re: hardware token
Quoting Fredrik Thulin (fredrik@xxxxxxxxxx):
...
> > So with that in mind, here's how I might prefer to go about it. The
> > yubikey supports two 'configs' or 'slots'. I propose we exploit that.
> > First we use config 1 for OTP challenge-response - but we only use that
> > to authenticate to the system.
>
> Oh yes, definitely. Sorry for not mentioning that - I focused on the
> ecryptfs related things in my original post.
Ok, that makes all the difference :)
I agree the static passphrase has its problems with someone able to
just sneakily plug it into their own laptop to steal the passphrase :)
> Yes, a user with a Yubikey would most likely use OTP validation to log
> in to the system.
Cool. Now the other thing I don't like is having the username:pwd
pushed to the yubikey, only bc it's usb and I dunno, I can just see
someone coming up with a sneaky way to grab that. Does it help at
all to send sha1sum(username:pwd) to the yubikey instead? It also
helps with your concerns about sufficient salt, right?
-serge
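The two slot types under discussion, as an added software simulation that is not part of this thread or of eCryptfs: a static-password slot hands its stored string to whatever host it is plugged into, while an HMAC-SHA1 challenge-response slot only ever returns a 20-byte response and keeps its secret on the device. The `challenge_from_credentials` function implements the sha1sum(username:pwd) shape proposed above; the 64-byte challenge limit, the sample credentials and the slot secret are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample values for this simulation only (not real keys or users).
USERNAME = "alice"
PASSWORD = "correct horse battery staple"
DEVICE_SECRET = bytes.fromhex("0b" * 20)  # constructed 20-byte HMAC-SHA1 slot secret


def yubikey_slot_response(slot_secret: bytes, challenge: bytes) -> bytes:
    """Software stand-in for an HMAC-SHA1 challenge-response slot.

    The slot secret stays inside this function, as it stays inside the
    device: the host sees only the challenge it sent and the 20-byte reply.
    The 1..64 byte challenge limit is the device's, assumed here.
    """
    if not 1 <= len(challenge) <= 64:
        raise ValueError("challenge must be 1..64 bytes")
    return hmac.new(slot_secret, challenge, hashlib.sha1).digest()


def static_slot_passphrase(stored_passphrase: str) -> str:
    """A static-password slot types its stored string into any host it is
    plugged into, so that host learns the passphrase directly."""
    return stored_passphrase


def challenge_from_credentials(username: str, password: str) -> bytes:
    """The proposal from the message above: send sha1sum(username:pwd)
    over USB instead of the raw 'username:pwd' string. 20-byte digest."""
    return hashlib.sha1(f"{username}:{password}".encode("utf-8")).digest()


def derive_mount_passphrase(username: str, password: str, slot_secret: bytes) -> str:
    """Hex-encoded passphrase that would wrap the ecryptfs mount key.

    It is the device's response to the hashed credential, so producing it
    requires both the user's password and the device secret.
    """
    challenge = challenge_from_credentials(username, password)
    return yubikey_slot_response(slot_secret, challenge).hex()


def challenge_exposes_credential(username: str, password: str) -> bool:
    """True if the bytes that cross the USB link contain the raw username
    or password; with the hashed challenge this is (practically) never so."""
    chal = challenge_from_credentials(username, password)
    return username.encode("utf-8") in chal or password.encode("utf-8") in chal


if __name__ == "__main__":
    # Static slot: the host gets the secret itself.
    print("static slot yields:", static_slot_passphrase("example-static-pw"))
    # Challenge-response slot: the host gets only a derived value.
    print("challenge bytes expose credential:",
          challenge_exposes_credential(USERNAME, PASSWORD))
    print("derived mount passphrase:",
          derive_mount_passphrase(USERNAME, PASSWORD, DEVICE_SECRET))
    # A different device with the same password gives a different passphrase.
    print("other device gives same passphrase:",
          derive_mount_passphrase(USERNAME, PASSWORD, bytes.fromhex("0c" * 20))
          == derive_mount_passphrase(USERNAME, PASSWORD, DEVICE_SECRET))
```

The simulation shows the shape of the exchange, not the salt question raised at the end of the message: whether a SHA-1 of username:pwd is salted enough for the purpose is left to the thread.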