
Re: Key management using a USB key

On Tue, Mar 08, 2005 at 02:30:06AM -0500, sean finney wrote:
> well, me wanting to do things the "right way" it ended up being a pretty
> long script and i didn't think the list would appreciate random shell
> scripts flying around.  but, i'll go ahead and put it online:


Thanks Sean and everyone else for contributing. Based on the above script and the suggestions from everyone else, I've got a basic idea of how I'd want this to work:

o usb key contains a vfat filesystem with two special files, one
names the user for the "keychain", while the other is a storage file to be used as a loopback drive.

o use the keychain script sean mentioned to keep one ssh-agent running per user no matter how many sessions (which has other advantages than those relating to usb key management).

o when the usb key is inserted, the user is prompted for a password to the encrypted loopback file which is then mounted, the ssh keys within are fed to ssh agent, and the file is unmounted again.


o the ssh key only exists in the memory of the ssh agent (except for a short time period when the loopback file is mounted)

o hopefully, in combination with libpam-usb and/or libpam-mount, it would be possible to reduce the number of password prompts to one.

o vfat filesystem means that the key is usable on most OSes (as a normal data carrier) and that it can be easily backed up and recreated. Meanwhile the loopback file allows for the features one expects in a unixy system such as proper permissions etc.


o The only problem I've come up with so far is that there will be some dependencies which might not be available on any host computer. And that the keys won't be usable at all should one need to use them on a Windows computer (if they are locked into an ext2 loopback file, that is).

Bonus stuff:

o It would be a neat trick to have the keys which were once loaded from the usb key into the ssh agent automatically removed from the agent when the key is removed from the computer (meaning you could quickly yank the key, go for lunch, return, reinsert it and continue working).

o gpg-agent support in the same manner as ssh-agent would be neat. I understand that this requires gnupg 2.0 though.

o check both at insertion time and at "first login" time for the usb key (so that the key can be either inserted from boot or inserted during an existing session).

I'll probably keep the main vfat partition mounted for access to general data stored on the key while it is inserted, a neat trick would then be to automatically remove the keys from the ssh agent which were once upon a time loaded

I have started working on some scripts to do the above.

Currently, they consist of three parts:

o a udev rule file which gives a special device node to the usb key

o a /dev/udev.d file which is run after the node is created that does the necessary root-level setup and then calls

o a user-specific script which loads the keys (and prompts for necessary passwords) etc.

I think this setup should allow all the bonus stuff to be implemented as well.

The only real problem I've found so far is bug 290324 (http://bugs.debian.org/290324) which makes it hard to have "user-mounted-dm-crypt-over-loopback-device" goodness, and the patch attached to that bug seems to have bitrotted a bit.

I'll get back to you when I have something real to show.
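As an added example (not the poster's scripts, which were not posted here), one way the three-part setup above could be wired together in a single sh script. It also covers the first "bonus" item, dropping the keys from the agent when the stick is pulled. The stick's ID_SERIAL, the node and mount point names, the "user" and "vault.img" file names, the cryptsetup step, keychain's ~/.keychain/<host>-sh file and the install path /usr/local/sbin/keystick-hook are all assumptions. The part worth keeping whatever the rest looks like is the check in read_keyuser: the "user" file sits on an unencrypted vfat stick and the hook runs as root, so the name has to be validated before it reaches su.

```shell
#!/bin/sh
# Added example, not the scripts from the post.  One file covering the three
# parts described above: (1) the udev rule text, (2) the root-level hook udev
# runs, (3) the per-user loader/forgetter run under that user's identity.
# Assumed: the stick's ID_SERIAL, the paths /dev/keystick, /mnt/keystick and
# /mnt/keyvault, the file names "user" and "vault.img" on the stick, a
# cryptsetup-managed vault, keychain's ~/.keychain/<host>-sh file, and that
# this script is installed as /usr/local/sbin/keystick-hook.
set -u

# (1) udev rule text, assumed file /etc/udev/rules.d/90-keystick.rules.
# Matching on the serial gives the stick the stable node /dev/keystick; the
# second line fires on removal so yanked keys get dropped from the agent.
UDEV_RULES='ACTION=="add", SUBSYSTEM=="block", ENV{ID_SERIAL}=="Vendor_Stick_SN0001", SYMLINK+="keystick", RUN+="/usr/local/sbin/keystick-hook add"
ACTION=="remove", SUBSYSTEM=="block", ENV{ID_SERIAL}=="Vendor_Stick_SN0001", RUN+="/usr/local/sbin/keystick-hook remove"'

# (2) root-level hook.  The "user" file lives on an unencrypted vfat stick, so
# it is attacker-controlled input to a root process: accept only a plain
# user name, never root, before it goes anywhere near su(1).  CR is stripped
# because the file may have been edited on Windows.
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$' || return 1
    [ "$1" != root ]
}

read_keyuser() {   # $1 = path of the name file; prints the name or fails
    name=$(head -n 1 "$1" 2>/dev/null | tr -d '\r')
    valid_username "$name" || return 1
    printf '%s\n' "$name"
}

hook_add() {
    stick=/mnt/keystick; vault=/mnt/keyvault
    mkdir -p "$stick" "$vault"
    mount -t vfat -o ro,nodev,nosuid,noexec /dev/keystick "$stick" || return 1
    user=$(read_keyuser "$stick/user") || { umount "$stick"; return 1; }
    getent passwd "$user" >/dev/null || { umount "$stick"; return 1; }
    # A udev hook has no tty, so cryptsetup's passphrase prompt must come from
    # an askpass-style helper; that wiring is site-specific and not shown.
    cryptsetup luksOpen "$stick/vault.img" keyvault || { umount "$stick"; return 1; }
    mount -o ro,nodev,nosuid,noexec /dev/mapper/keyvault "$vault" || { cryptsetup luksClose keyvault; umount "$stick"; return 1; }
    su - "$user" -c "/usr/local/sbin/keystick-hook load $vault"   # drop to the user
    umount "$vault"; cryptsetup luksClose keyvault     # vault is open only briefly
    # The plain vfat side stays mounted for general data, as the post intends.
}

hook_remove() {
    # Ask each user who loaded keys from the stick to forget them
    # (assumed home layout /home/<user>).
    for rec in /home/*/.keystick-loaded; do
        [ -d "$rec" ] || continue
        su - "$(basename "$(dirname "$rec")")" -c "/usr/local/sbin/keystick-hook forget"
    done
}

# (3) per-user side.  Private keys are recognised by a sibling .pub file;
# ssh-add itself refuses keys that are group/world readable, which is why the
# ext2 loopback (real permissions) matters over raw vfat.
find_key_pairs() {   # $1 = vault dir; prints private key paths, one per line
    for pub in "$1"/*.pub; do
        key=${pub%.pub}
        [ -f "$pub" ] && [ -f "$key" ] && printf '%s\n' "$key"
    done
    return 0
}

attach_agent() {   # reuse the one agent per user that keychain keeps alive
    [ -r "$HOME/.keychain/$(hostname)-sh" ] && . "$HOME/.keychain/$(hostname)-sh"
    return 0
}

load_keys() {   # $1 = vault mount point (paths assumed free of whitespace)
    record=$HOME/.keystick-loaded
    mkdir -p "$record" && chmod 700 "$record"
    attach_agent
    for key in $(find_key_pairs "$1"); do
        # A lifetime on every key means it ages out even if the removal
        # hook never fires; the public half is kept so "forget" can target
        # exactly these keys without the stick present.
        ssh-add -t "${KEY_LIFETIME:-8h}" "$key" && cp "$key.pub" "$record/"
    done
}

forget_keys() {
    attach_agent
    for pub in "$HOME"/.keystick-loaded/*.pub; do
        [ -f "$pub" ] && ssh-add -d "$pub" && rm -f "$pub"
    done
    return 0
}

case "${1:-}" in
    add)    hook_add ;;
    remove) hook_remove ;;
    load)   load_keys "$2" ;;
    forget) forget_keys ;;
esac
```

Two design points: the vault is mounted nodev,nosuid,noexec and only for as long as ssh-add needs it, matching the "key only exists in the agent's memory" goal; and ssh-add -t gives every loaded key a lifetime, so a stick pulled without udev noticing still does not leave keys in the agent indefinitely.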

