Florian Philipp wrote:
> Hi!
> 
> Now that my initrd-script is ready and provides me with the means to
> encrypt partitions with a gpg-encrypted key-file [1], I'd like to use
> the very same file for user authentication.
> 
> It would be even better if gpg-agent could get it right from the user
> authentication (pam) to use it for as many services as possible, ssh,
> gpg, gnome-keyring (?), sudo (?), password database.
> 
> I think what I really want is something like a poor man's version of
> smartcard authentication. 
> 
> Could you please give me some hints? I'd be pleased to hear any
> comments, criticism and recommendations on that issue.
> 
> Thanks in advance!
> 
> Florian Philipp
> 
> [1] basically 1k of random data, encrypted with 3DES by gpg

emerge pam_usb

The latest version of pam_usb uses the usb serial number of the drive, 
the older one uses an encrypted key in a hidden directory and can be 
used with more than just a usb key (basically any mountable device would 
work).

I would also recommend checking out how to make your own custom rules in 
udev.  This can let you auto-mount the device on connect, or run a 
command on connect, etc..

Between the two you should be able to make a good auth function.  If you 
know any C/C++ you could combine the two into a custom setup (e.g. using 
the contents of a file on the key, decrypted via the serial number to 
get your gpg data..., or use your imagination.)

Good luck,
Chris Frederick
-- 
gentoo-security@g.o mailing list