
Re: Key management using a USB key



hello,

On Wed, Mar 09, 2005 at 01:38:22AM +0100, David Härdeman wrote:
> o when the usb key is inserted, the user is prompted for a password to 
>  the encrypted loopback file which is then mounted, the ssh keys within
>  are fed to ssh agent, and the file is unmounted again.

you could easily extend the script i wrote to unencrypt/loop-mount
a filesystem-in-a-file without too much effort.  prod me enough and
i might do it myself.

> o hopefully, in combination with libpam-usb and/or libpam-mount, it 
>  would be possible to reduce the number of password prompts to one.

you should only need a password for encrypted things.  since the hotplug
script runs as root you can have that take care of all the other
details.  so, as long as you have either an unencrypted ext2
filesystem-file with encrypted ssh-keys or vice versa, you should only
need one password.

> Bonus stuff:
> 
> o It would be a neat trick to have the keys which were once loaded from 
>  the usb key into the ssh agent automatically removed from the agent 
>  when the key is removed from the computer (meaning you could quickly 
>  yank the key, go for lunch, return, reinsert it and continue working).

my script already does this.  in fact, it's selective enough to leave
other keys that it didn't load still in memory.  this was a little
tricky to accomplish, and is done by copying the public key into a
temporary location (under /var/cache/keyloader/pubkeys/$USER), and
when the device is removed those keys are passed to ssh-add -d.

> o check both at insertion time and at "first login" time for the usb key 
>  (so that the key can be either inserted from boot or inserted during an 
>  existing session).

that would be nice, though a quick workaround is to remove and re-insert
the key :).

> o a /dev/udev.d file which is run after the node is created that does 
>  the necessary root-level setup and then calls
> 
> o a user-specific script which loads the keys (and prompts for necessary 
>  passwords) etc.

better watch out where root and the user cross paths...


	sean

-- 
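The selective unload Sean describes (cache the public halves on insert, hand them to `ssh-add -d` on removal), as an added example that is not Sean's script: it assumes the hotplug handler calls it as the key's owner once the key is mounted, that `/var/cache/keyloader/pubkeys/$USER` is already writable by that user, and that the `SSH_ADD` and `CACHE_DIR` overrides and the function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical keyloader helper (added example, not Sean's script).
# Assumes the hotplug handler runs it as the key's owner, with the USB
# key already mounted; SSH_ADD and CACHE_DIR are overridable for testing.
SSH_ADD="${SSH_ADD:-ssh-add}"
CACHE_DIR="${CACHE_DIR:-/var/cache/keyloader/pubkeys/${USER:-nobody}}"

# keyloader_load MOUNTPOINT: add every private key under MOUNTPOINT that has
# a .pub beside it, and cache the public half so removal can be selective.
# Prints the number of keys handed to the agent.
keyloader_load() {
    mnt="$1"
    mkdir -p "$CACHE_DIR" && chmod 700 "$CACHE_DIR"
    n=0
    for pub in "$mnt"/*.pub; do
        [ -f "$pub" ] || continue
        priv="${pub%.pub}"
        [ -f "$priv" ] || continue          # orphan .pub: nothing to load
        "$SSH_ADD" "$priv" || continue      # ssh-add prompts if encrypted
        cp "$pub" "$CACHE_DIR/"
        n=$((n + 1))
    done
    echo "$n"
}

# keyloader_unload: on device removal, delete from the agent only the
# identities we cached (ssh-add -d accepts the public key file), leaving
# keys loaded from elsewhere untouched. Prints the number removed.
keyloader_unload() {
    n=0
    for pub in "$CACHE_DIR"/*.pub; do
        [ -f "$pub" ] || continue
        "$SSH_ADD" -d "$pub" || continue
        rm -f "$pub"
        n=$((n + 1))
    done
    echo "$n"
}

# Hotplug entry points: "add MOUNTPOINT" on insert, "remove" on unplug.
case "${1:-}" in
    add)    keyloader_load "$2" ;;
    remove) keyloader_unload ;;
esac
```

The cache directory is the place Sean warns about where root and the user cross paths: it must be owned by the user, not writable by others, and never have a root process follow a user-controlled symlink inside it.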
