Re: Key management using a USB key
On Tue, Mar 08, 2005 at 02:30:06AM -0500, sean finney wrote:
well, me wanting to do things the "right way" it ended up being a pretty
long script and i didn't think the list would appreciate random shell
scripts flying around. but, i'll go ahead and put it online:
http://www.seanius.net/linux/keyloader/usb-storage
Thanks Sean and everyone else for contributing. Based on the above
script and the suggestions from everyone else, I've got a basic idea of
how I'd want this to work:
o usb key contains a vfat filesystem with two special files, one
names the user for the "keychain", while the other is a storage
file to be used as a loopback drive.
o use the keychain script sean mentioned to keep one ssh-agent running
per user no matter how many sessions (which has other advantages than
those relating to usb key management).
o when the usb key is inserted, the user is prompted for a password to
the encrypted loopback file which is then mounted, the ssh keys within
are fed to ssh agent, and the file is unmounted again.
Pros:
o the ssh key only exists in the memory of the ssh agent (except for a
short time period when the loopback file is mounted)
o hopefully, in combination with libpam-usb and/or libpam-mount, it
would be possible to reduce the number of password prompts to one.
o vfat filesystem means that the key is usable on most OS:es (as a
normal data carrier) and that it can be easilly backed up and
recreated. Meanwhile the loopback file allows for the features one
expect in a unixy system such as proper permissions etc.
Cons:
o Only I've come up with so far is that there will be some dependencies
which might not be available on any host computer. And that the keys
wont be usable at all should one need to use them on a windows computer
(if they are locked into a ext2-loopback file that is).
Bonus stuff:
o It would be a neat trick to have the keys which were once loaded from
the usb key into the ssh agent automatically removed from the agent
when the key is removed from the computer (meaning you could quickly
yank the key, go for lunch, return, reinsert it and continue working).
o gpg-agent support in the same manner as ssh-agent would be neat. I
understand that this requires gnupg 2.0 though.
o check both at insertion time and at "first login" time for the usb key
(so that the key can be either inserted from boot or inserted during an
existing session).
I'll probably keep the main vfat partition mounted for access to
general data stored on the key while it is inserted, a neat trick
would then be to automatically remove the keys from the ssh agent
which were once upon a time loaded
I have started working on some scripts to do the above.
Currently, they consist of three parts:
o a udev rule file which gives a special device node to the usb key
o a /dev/udev.d file which is run after the node is created that does
the necessary root-level setup and then calls
o a user-specific script which loads the keys (and prompts for necessary
passwords) etc.
I think this setup should allow all the bonus stuff to be implemented as
well.
The only real problem I've found so far is bug 290324
(http://bugs.debian.org/290324) which makes it hard to have
"user-mounted-dm-crypt-over-loopback-device" goodness, and the patch
attached to that bug seems to have bitrotted a bit.
I'll get back to you when I have something real to show.
Regards,
David
Reply to: