Re: Key management using a USB key
On Tue, Mar 08, 2005 at 02:30:06AM -0500, sean finney wrote:
> well, me wanting to do things the "right way" it ended up being a pretty
> long script and i didn't think the list would appreciate random shell
> scripts flying around. but, i'll go ahead and put it online:
> http://www.seanius.net/linux/keyloader/usb-storage
Thanks Sean and everyone else for contributing. Based on the above
script and the suggestions from everyone else, I've got a basic idea of
how I'd want this to work:
o usb key contains a vfat filesystem with two special files, one
names the user for the "keychain", while the other is a storage
file to be used as a loopback drive.
o use the keychain script sean mentioned to keep one ssh-agent running
per user no matter how many sessions (which has other advantages than
those relating to usb key management).
o when the usb key is inserted, the user is prompted for a password to
the encrypted loopback file which is then mounted, the ssh keys within
are fed to ssh agent, and the file is unmounted again.
Pros:
o the ssh key only exists in the memory of the ssh agent (except for a
short time period when the loopback file is mounted)
o hopefully, in combination with libpam-usb and/or libpam-mount, it
would be possible to reduce the number of password prompts to one.
o vfat filesystem means that the key is usable on most OSes (as a
normal data carrier) and that it can be easily backed up and
recreated. Meanwhile the loopback file allows for the features one
expects in a unixy system such as proper permissions etc.
Cons:
o The only one I've come up with so far is that there will be some dependencies
which might not be available on any host computer. And that the keys
won't be usable at all should one need to use them on a windows computer
(if they are locked into an ext2-loopback file that is).
Bonus stuff:
o It would be a neat trick to have the keys which were once loaded from
the usb key into the ssh agent automatically removed from the agent
when the key is removed from the computer (meaning you could quickly
yank the key, go for lunch, return, reinsert it and continue working).
o gpg-agent support in the same manner as ssh-agent would be neat. I
understand that this requires gnupg 2.0 though.
o check both at insertion time and at "first login" time for the usb key
(so that the key can be either inserted from boot or inserted during an
existing session).
I'll probably keep the main vfat partition mounted for access to
general data stored on the key while it is inserted; a neat trick
would then be to automatically remove the keys from the ssh agent
which were once upon a time loaded.
I have started working on some scripts to do the above.
Currently, they consist of three parts:
o a udev rule file which gives a special device node to the usb key
o a /dev/udev.d file which is run after the node is created that does
the necessary root-level setup and then calls
o a user-specific script which loads the keys (and prompts for necessary
passwords) etc.
I think this setup should allow all the bonus stuff to be implemented as
well.
The only real problem I've found so far is bug 290324
(http://bugs.debian.org/290324) which makes it hard to have
"user-mounted-dm-crypt-over-loopback-device" goodness, and the patch
attached to that bug seems to have bitrotted a bit.
I'll get back to you when I have something real to show.
Regards,
David
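The root-side step of the design sketched above (mount the stick, read the keychain owner, open the encrypted loopback image, feed the user's single agent via keychain, unmount again), as an added example that is neither David's nor Sean's scripts. The file names KEYCHAIN.USR/KEYCHAIN.IMG, the mount points and the plain dm-crypt format are assumptions; the username check is there because everything on a vfat stick is under the stick's owner's control, and the root helper must not su to whatever name it finds there.

```sh
#!/bin/sh
# Hypothetical root-side helper run from the udev.d step after the key's node exists.
# Assumed vfat layout: KEYCHAIN.USR (one line: owning local user) and
# KEYCHAIN.IMG (plain dm-crypt image holding id_* private keys, used via loopback).
set -eu
VFAT_MNT=/media/usbkey; CRYPT_MNT=/run/usbkey-keys; MAPNAME=usbkeychain  # assumed names

# Anything on the key is untrusted (any vfat stick can carry a KEYCHAIN.USR),
# so the name must be a plain, non-root username before we su to it.
valid_keychain_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|[!A-Za-z_]*) return 1 ;;
    esac
    [ ${#1} -le 32 ] && [ "$1" != root ]
}

# Print the validated username from KEYCHAIN.USR (tolerates a CRLF line end).
read_keychain_user() {
    user=''
    [ -f "$1" ] && IFS= read -r user < "$1" || true
    user=$(printf '%s' "$user" | tr -d '\r')
    valid_keychain_user "$user" && printf '%s\n' "$user"
}

cleanup() {   # runs on any exit so the key never stays mounted or mapped
    umount "$CRYPT_MNT" 2>/dev/null || true
    cryptsetup close "$MAPNAME" 2>/dev/null || true
    [ -z "${loop:-}" ] || losetup -d "$loop" 2>/dev/null || true
    umount "$VFAT_MNT" 2>/dev/null || true
}

# Mount read-only, open the image, feed the agent, unmount: the private keys
# then live only in the agent's memory, as in the design above.
load_keys() {
    mkdir -p "$VFAT_MNT" "$CRYPT_MNT"
    trap cleanup EXIT
    mount -t vfat -o ro,nodev,nosuid,noexec "$1" "$VFAT_MNT"
    user=$(read_keychain_user "$VFAT_MNT/KEYCHAIN.USR")
    [ "$(id -u "$user")" -ne 0 ]            # must be a local account and not uid 0
    loop=$(losetup -f --show "$VFAT_MNT/KEYCHAIN.IMG")
    cryptsetup open --type plain "$loop" "$MAPNAME"   # prompts for the passphrase
    mount -o ro,nodev,nosuid,noexec "/dev/mapper/$MAPNAME" "$CRYPT_MNT"
    # keychain's per-host file points the user's shell at the single running agent
    su - "$user" -c ". ~/.keychain/$(hostname)-sh; ssh-add $CRYPT_MNT/id_*"
}

case "${1:-}" in load) load_keys "$2" ;; esac
```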