Florian Philipp wrote:
> Hi!
>
> Now that my initrd-script is ready and provides me with the means to
> encrypt partitions with a gpg-encrypted key-file [1], I'd like to use
> the very same file for user authentication.
>
> It would be even better if gpg-agent could get it right from the user
> authentication (pam) to use it for as many services as possible: ssh,
> gpg, gnome-keyring (?), sudo (?), password database.
>
> I think what I really want is something like a poor man's version of
> smartcard authentication.
>
> Could you please give me some hints? I'd be pleased to hear any
> comments, criticism and recommendations on that issue.
>
> Thanks in advance!
>
> Florian Philipp
>
> [1] basically 1k of random data, encrypted with 3DES by gpg
emerge pam_usb

The latest version of pam_usb uses the USB serial number of the drive;
the older one uses an encrypted key in a hidden directory and can be
used with more than just a USB key (basically any mountable device would
work).

I would also recommend checking out how to make your own custom rules in
udev. This can let you auto-mount the device on connect, run a command
on connect, etc.

Between the two you should be able to make a good auth function. If you
know any C/C++ you could combine the two into a custom setup (e.g. using
the contents of a file on the key, decrypted via the serial number, to
get your gpg data... or use your imagination.)

Good luck,
Chris Frederick
--
gentoo-security lists.gentoo.org mailing list
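The custom setup Chris sketches (a file on the stick, decrypted with a key derived from the stick's serial number, yielding the gpg key material) as an added, stand-alone example; this is not code from the thread and not pam_usb's implementation. It assumes a udev RUN+= helper receives the serial as ID_SERIAL_SHORT in its environment, and uses AES-GCM from Go's standard library rather than gpg's 3DES so the whole thing runs offline. The serials, the per-user salt and the 1k keyfile are constructed. The caveat the example makes visible: the serial is the only device-bound input, and it is not a secret (anyone who plugs the stick in can read it), so this protects the keyfile against someone who copies the file but not against someone who has the stick or its serial; the GCM tag also makes a wrong serial or a modified blob fail closed instead of handing back garbage to gpg.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-ins. udev exposes the stick's serial as ID_SERIAL_SHORT
// to anything started from a RUN+= rule; the salt would sit beside the
// encrypted file in the hidden directory on the stick.
const (
	goodSerial  = "0123456789ABCDEF" // constructed serial of the "right" stick
	otherSerial = "FEDCBA9876543210" // constructed serial of some other stick
)

var userSalt = []byte("constructed per-user salt, not secret") // assumption

// aad binds the ciphertext to its purpose so a blob sealed for one use
// cannot be replayed as another.
var aad = []byte("usb-keyfile-v1")

// deriveDeviceKey turns serial + salt into a 256-bit AES key. HMAC-SHA256 is
// a simple extract step here; the point is that the serial is the only
// device-bound input, and the serial is readable by anyone holding the stick.
func deriveDeviceKey(serial string, salt []byte) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write([]byte(serial))
	return m.Sum(nil)
}

func newGCM(serial string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveDeviceKey(serial, salt))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealKeyfile encrypts the key material (Florian's 1k of random data) for a
// given stick. Output layout: nonce || ciphertext || GCM tag.
func sealKeyfile(serial string, salt, keyMaterial []byte) ([]byte, error) {
	gcm, err := newGCM(serial, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, keyMaterial, aad), nil
}

// openKeyfile is what the udev-triggered helper would do on "add": take the
// serial from the environment and the blob from the mounted stick. The GCM
// tag check makes a wrong serial or a modified blob fail closed.
func openKeyfile(serial string, salt, blob []byte) ([]byte, error) {
	gcm, err := newGCM(serial, salt)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("keyfile blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// demo runs the scheme on constructed data and reports whether the right
// stick unlocks the file, a stick with a different serial is rejected, and
// a blob with one flipped byte is rejected. err is set only for setup
// failures (no randomness, cipher construction), never for a rejection.
func demo() (rightOK, wrongSerialRejected, tamperRejected bool, err error) {
	keyMaterial := make([]byte, 1024)
	if _, err = rand.Read(keyMaterial); err != nil {
		return
	}
	var blob []byte
	if blob, err = sealKeyfile(goodSerial, userSalt, keyMaterial); err != nil {
		return
	}
	got, openErr := openKeyfile(goodSerial, userSalt, blob)
	rightOK = openErr == nil && bytes.Equal(got, keyMaterial)

	_, wrongErr := openKeyfile(otherSerial, userSalt, blob)
	wrongSerialRejected = wrongErr != nil

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one byte of the blob
	_, tamperErr := openKeyfile(goodSerial, userSalt, tampered)
	tamperRejected = tamperErr != nil
	return
}

func main() {
	ok, wrong, tamper, err := demo()
	fmt.Printf("right stick unlocks: %v, other serial rejected: %v, tampered blob rejected: %v, setup error: %v\n",
		ok, wrong, tamper, err)
}
```

To wire this into udev as Chris suggests, a rule of the form `ACTION=="add", SUBSYSTEM=="block", ENV{ID_SERIAL_SHORT}=="0123456789ABCDEF", RUN+="/usr/local/sbin/unlock-keyfile"` (the helper path is hypothetical) would start the helper with ID_SERIAL_SHORT in its environment; the helper would mount the stick, read the blob and salt from the hidden directory, call the equivalent of openKeyfile and hand the result to gpg. Pinning the serial in the rule only selects which stick triggers the helper; it is the decryption step that decides whether the file opens.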