[Cryptography] Does anyone here know PAM?

Phillip Hallam-Baker phill at hallambaker.com
Tue Apr 4 10:04:41 EDT 2017


This is a call for technical assistance with a crypto project. Hopefully it
will be of wider benefit if successful.

The Mathematical Mesh has the goal of making computers easier to use by
making them more secure. Note the order. While there are some times that it
is appropriate for a cryptographic key to require the user to enter a PIN
or the like to use it, that cannot be the default requirement, nor is it
acceptable to just leave private keys sitting on disk unencrypted.

Windows and OSX both provide features that cause private keys and other
credentials to be unlocked automatically using the user's password as a
PIN. I want to achieve the same on Ubuntu. I am happy if the solution can
also be carried across to other Linux and FreeBSD but don't have resources
to cover anything else.

The authentication mechanism is PAM. So far, the only documentation I have
found has been of the barely more comprehensible than the code variety.


So the main questions are:

* Is hooking PAM the way to go or should I try to make use of an encrypted
directory mechanism instead?

* If PAM is the way to go, where might I find a working example for using
the login password to unlock a private keystore?

* Has someone already done this for GPG Agent?

In addition, one of the layered applications, Mesh/Confirm, offers two-factor
authentication (among other things), so an example showing how to
integrate a network authentication mechanism would be useful.


The architecture I am thinking of would be:

1) User logs in with password.

2) Password is passed to the unlock keys mechanism which uses it to unlock
a master key.

3) Processes running under the master key account can request unlocking of
profile data stored under it.


Of course, it is quite possible that the magic required to bridge the gap
between 2 and 3 means effectively recreating GPGAgent.
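As an added illustration of the three-step architecture above (not code from the post, from the Mathematical Mesh, or from any PAM module), the following Python sketch shows the shape a practitioner would usually give it: the password-derived key wraps only a master key, the master key wraps each profile secret, and a session agent holds the unwrapped master key and answers unlock requests. Everything in it is a constructed assumption: that the password arrives on stdin the way pam_exec(8) delivers it with its `expose_authtok` option, the JSON keystore layout, the `Agent` class and its method names, and the wrap algorithm itself, which is a standard-library stand-in (scrypt KEK, HMAC-SHA256 as a one-block keystream, then an HMAC tag) so the script runs anywhere; a real deployment would use a library AEAD such as AES-GCM in its place.

```python
"""Sketch of the three steps: login password -> unwrap a master key ->
an in-session agent that unwraps per-profile data on request.

Added example, not code from the post or the Mathematical Mesh project.
Constructed assumptions: password on stdin as pam_exec's expose_authtok
delivers it; JSON keystore layout; wrap algorithm is a stdlib stand-in
(scrypt KEK, HMAC-SHA256 one-block keystream, HMAC tag), not AES-GCM.
"""
import hashlib
import hmac
import json
import secrets
import sys

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # memory cost 16 MiB

def derive_kek(password, salt):
    """Step 2: stretch the login password into a 32-byte key-encryption key."""
    return hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=32)

def _subkeys(key):
    # Separate encryption and MAC keys so the tag key never feeds the keystream.
    enc = hmac.new(key, b"demo-wrap/enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"demo-wrap/mac", hashlib.sha256).digest()
    return enc, mac

def wrap(key, secret):
    """Encrypt-then-MAC one 32-byte secret under key (stand-in for an AEAD)."""
    if len(secret) != 32:
        raise ValueError("this demo wraps exactly 32-byte secrets")
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    stream = hmac.new(enc, nonce, hashlib.sha256).digest()  # exactly 32 bytes
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def unwrap(key, blob):
    """Check the tag before decrypting; wrong password or edited file fails here."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expect = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("keystore integrity check failed")
    stream = hmac.new(enc, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def create_keystore(password, profiles):
    """Master key wrapped under the password-derived KEK; each profile secret
    wrapped under the master key, so a password change rewraps one blob."""
    salt = secrets.token_bytes(16)
    master = secrets.token_bytes(32)
    kek = derive_kek(password, salt)
    return {
        "salt": salt.hex(),
        "master": wrap(kek, master),
        "profiles": {name: wrap(master, s) for name, s in profiles.items()},
    }

class Agent:
    """Step 3: holds the unwrapped master key for the session and answers
    unlock requests for profile data, in the spirit of a minimal gpg-agent."""

    def __init__(self, keystore):
        self._store = keystore
        self._master = None

    def unlock(self, password):
        kek = derive_kek(password, bytes.fromhex(self._store["salt"]))
        self._master = unwrap(kek, self._store["master"])

    def get_profile(self, name):
        if self._master is None:
            raise PermissionError("agent is locked")
        return unwrap(self._master, self._store["profiles"][name])

    def lock(self):
        self._master = None

def unlock_from_stdin(path):
    """Step 1 glue: pam_exec with expose_authtok writes the password to stdin."""
    password = sys.stdin.buffer.readline().rstrip(b"\n")
    with open(path) as f:
        agent = Agent(json.load(f))
    agent.unlock(password)
    return agent

if __name__ == "__main__":
    # Constructed demo: build a keystore, unlock it, read a profile secret, lock.
    pw = b"correct horse battery staple"
    store = create_keystore(pw, {"ssh": secrets.token_bytes(32)})
    agent = Agent(store)
    agent.unlock(pw)
    print("ssh profile key:", agent.get_profile("ssh").hex())
    agent.lock()
```

The indirection through a master key is what keeps the design from collapsing into "recreate the agent": a password change rewraps one 32-byte blob rather than every profile, the agent only ever holds the master key in memory, and the tag check means a wrong password and a tampered keystore fail the same way before any plaintext is produced. The `get_profile` call is the point where a real agent would sit behind a Unix socket and apply per-caller policy, which is the bridge between steps 2 and 3 that the post worries about.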