[Cryptography] Any PAM experts out there?

Wed Aug 30 10:49:19 EDT 2017

So I now have the Mesh at a very advanced stage. If it wasn't for a patent
expiry issue I would be pushing the Mesh/Recrypt code this week. I now have
practical three key cryptography running. What this means is that I can add
crypto to an application without the user being barely aware of a change
(other than for the better).

One of my objectives is to tie the code to the native platform features for
key storage. So if the user is using password to log in on Windows or OSX,
we make use of the platform keystore because that is unlocked by the O/S
using the user's password. Not perfect security but pretty good (I will get
to good-to-great later).

Unfortunately, I don't know how to do this on the Linux platforms. One
option would be to use GPGAgent but that means we end up with
crypto-platforms calling crypto-platforms. What I would prefer is to be
able to simulate the Windows/OSX keystores. The simplest way to do that
would be to create an encrypted directory in the user's home directory and
automatically decrypt it using the password.

Has anyone got a setup already written that I could crib (with attribution
naturally).

Longer term, I want to be able to use my watch or phone to unlock the
machine. This will enable me to make use of the split key crypto that I do
a lot of to create a strong binding.

One killer app that I came up with and will implement next week is a random
password generator and a generic password storage profile.

Lets say I want to extract a private key as a p12 encrypted under a
password. The shell commands would be something like:

$password = ( meshtool /random )
meshtool mail /extract alice at example.com /out=mykey.pfx /pass=$password
thunderbird /addsmime mykey.pfx /password=$password
$password=
rm mykey.pfx

These are generate a new random password (25 chars), assign it to a shell
variable, create a p12 encrypted under the password, install it in an
application, delete the shell variable, delete the p12

Ok that sorts out lots of cases involving installing keys in applications.
But what about the more common case where I have an FTP site I want to sync
with my machine and have to use a password to log in? I don't want to store
the password on the machine, I certainly don't want it in the script. So
lets store it in a mesh profile which is end-to-end encrypted. Then I can
write something like

$password = (meshtool password get ftp.example.com)
sftp sync /pass=$password

Of course getting rid of passwords altogether is much better. But the Mesh
does that as well if the service is capable of using public key. Working
with the legacy infrastructure and delivering value is essential to build
critical mass.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20170830/c6d50537/attachment.html>