Gentoo Archives: gentoo-security

From: Chris Frederick <cdf123@××××××.net>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] User authentication with key-file and gpg-agent
Date: Mon, 03 Mar 2008 19:24:01
In Reply to: [gentoo-security] User authentication with key-file and gpg-agent by Florian Philipp
Florian Philipp wrote:
> Hi! > > Now that my initrd-script is ready and provides me with the means to > encrypt partitions with a gpg-encrypted key-file [1], I'd like to use > the very same file for user authentication. > > It would be even better if gpg-agent could get it right from the user > authentication (pam) to use it for as many services as possible, ssh, > gpg, gnome-keyring (?), sudo (?), password database. > > I think what I really want is something like a poor man's version of > smartcard authentication. > > Could you please give me some hints? I'd be pleased to hear any > comments, criticism and recommendations on that issue. > > Thanks in advance! > > Florian Philipp > > [1] basically 1k of random data, encrypted with 3DES by gpg
emerge pam_usb The latest version of pam_usb uses the usb serial number of the drive, the older one uses an encrypted key in a hidden directory and can be used with more than just a usb key (basically any mountable device would work). I would also recommend checking out how to make your own custom rules in udev. This can let you auto-mount the device on connect, or run a command on connect, etc.. Between the two you should be able to make a good auth function. If you know any C/C++ you could combine the two into a custom setup (e.g. using the contents of a file on the key, decrypted via the serial number to get your gpg data..., or use your imagination.) Good luck, Chris Frederick -- gentoo-security@l.g.o mailing list