[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Cryptography] Does anyone here know PAM?



On Tue, Apr 4, 2017 at 10:04 AM, Phillip Hallam-Baker
<phill at hallambaker.com> wrote:
> This is a call for technical assistance with a crypto project. Hopefully it
> will be of wider benefit if successful.
>
> The Mathematical Mesh has the goal of making computers easier to use by

You mean
http://www.prismproof.org/

> making them more secure. Note the order. While there are some times that it
> is appropriate for a cryptographic key to require the user to enter a PIN or
> the like to use it, that cannot be the default requirement, nor is it
> acceptable to just leave private keys sitting on disk unencrypted.
>
> Windows and OSX both provide features that cause private keys and other
> credentials to be unlocked automatically using the user's password as a PIN.
> I want to achieve the same on Ubuntu. I am happy if the solution can also be
> carried across to other Linux and FreeBSD but don't have resources to cover
> anything else.

Various tools / ports / projects in both Linux and BSD do exist that will
get you magical login encrypted homedirs. OSX also has it.

Now that per dataset crypto keying is in ZFS, you might expect to see
some uniform use of it spread across everything except Windows.

http://open-zfs.org/wiki/ZFS-Native_Encryption
https://youtu.be/frnLiXclAMo
https://drive.google.com/file/d/0B5hUzsxe4cdmU3ZTRXNxa2JIaDQ/view?usp=sharing

http://pefs.io/
https://github.com/glk/pefs
https://wiki.freebsd.org/PEFS
http://glebkurtsou.blogspot.com/search/label/pefs

You could find other implementations, FUSE, PAM, login, etc here...
https://www.freebsd.org/ports/categories-grouped.html

Linux does bunch of things with FUSE / PAM / dmcrypt.
Even the old NFS crypto loopback still exists.

> The authentication mechanism is PAM. So far, the only documentation I have
> found has been of the barely more comprehensible than the code variety.

https://en.wikipedia.org/wiki/OpenPAM
http://www.openpam.org/
https://www.freebsd.org/cgi/man.cgi?apropos=1&query=pam
https://www.freebsd.org/cgi/man.cgi?query=pam.conf

> * Is hooking PAM the way to go

Probably, or quite commonly.
More tricky is defining and detecting whatever is considered to be a
logout state, timeout, loss of human user, etc.

> or should I try to make use of an encrypted
> directory mechanism instead?

If that is what you want as part of an outcome, then yes.

> * If PAM is the way to go, where might I find a working example for using
> the login password to unlock a private keystore?

See above links.
Other people will probably post others.

> * Has someone already done this for GPG Agent?

Probably.

> In addition, one of the layered applications, Mesh/Confirm offers two factor
> authentication (among other things) so an example showing how to integrate a
> network authentication mechanism would be useful.
>
> The architecture I am thinking of would be:
>
> 1) User logs in with password.
>
> 2) Password is passed to the unlock keys mechanism which uses it to unlock a
> master key.
>
> 3) Processes running under the master key account can request unlocking of
> profile data stored under it.
>
> Of course, it is quite possible that the magic required to bridge the gap
> between 2 and 3 means effectively recreating GPGAgent.