Two factor authentication (Security)
Implement and/or improve and document two-factor authentication in Ubuntu. This could include USB keys, Smartcards, RFID, fingerprint readers, etc.
Blueprint information
- Status: Not started
- Approver: Kees Cook
- Priority: High
- Drafter: Marc Deslauriers
- Direction: Needs approval
- Assignee: Marc Deslauriers
- Definition: Approved
- Series goal: Accepted for maverick
- Implementation: Not started
- Milestone target: ubuntu-10.10
- Started by:
- Completed by:
Whiteboard
Work items:
write wiki page detailing types of 2 factor auth: POSTPONED
[jdstrand] create howto for remote access one-time password: HOTP/yubikey (new) or opie s/key (old): POSTPONED
create howto for USB key storage of ecryptfs key: POSTPONED
create howto for smartcard storage of gpg and ssh keys: POSTPONED
create howto for fingerprint reader authentication: POSTPONED
investigate two factor auth to Active Directory: POSTPONED
add appropriate howtos to official documentation: POSTPONED
Gobby notes from lucid session:
What do we need to add to the archive, and what do we need to add to main?
= Existing stuff people have done on Linux =
* OPIE (S/Key)
* libpam-otpw
* smart card
* Soren's fun hack (OpenPGP card, with SSH keys)
* freeradius mod-xradius, pam module for Yubikey, for authentication to network services
* USB key auto-mounting for eCryptfs key, via fstab and udev rule for auto-mounting when not logged in yet
* RSA SecurID (proprietary, but the server runs on Linux)
* OpenAuthentication (oath)
= Existing stuff people have done that they would like on Linux =
* AD with smart cards (or similar) -- required for certain environments (e.g. government)
* Arbitrary biometric backend system support
* Voice print identification
= Models from PAM's perspective =
* 2-factor to local
* 2-factor to remote directory
= Goals =
* Decrypt devices
* Auth to remote devices
* Securely store keys
* Locally authenticate
* Arbitrary authentication based on policy (e.g. time: idle <15min == fingerprint only, >15min == full auth)
= Fingerprint stuff =
* thinkfinger daemon replaced by fprint
* currently mostly used as either/or with regular password for single-factor auth
= Warnings =
* gdm: omg, do PAM right, please
* eCryptfs PKCS11 and TPM support: don't use this right now (inefficient PoC)
= How To =
* Write a PAM module for your backend please
* Use pam-auth-update to DTRT, it was written with 2-factor in mind
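The pam-auth-update route the two How To bullets point at, shown as an added example that is not the blueprint's or Ubuntu's own code: it assumes libpam-oath (OATH HOTP, one of the options listed above) is installed and provides pam_oath.so, and the profile name, users-file path and seed are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the blueprint: register a second factor through
# pam-auth-update instead of hand-editing /etc/pam.d. Assumes libpam-oath is
# installed (pam_oath.so); profile name and users file path are assumptions.
set -e

# Write a pam-configs profile. "Auth-Type: Additional" is the important line:
# pam-auth-update places the module after the Primary block (pam_unix etc.),
# so the OTP is demanded after a password succeeded, for every service that
# includes common-auth. Running the OTP module as "required" keeps it a second
# factor rather than an alternative to the password.
write_oath_profile() {
    dest="${1:-/usr/share/pam-configs/oath-hotp}"
    cat > "$dest" <<'EOF'
Name: OATH HOTP one-time password (second factor)
Default: yes
Priority: 512
Auth-Type: Additional
Auth:
    required    pam_oath.so usersfile=/etc/users.oath window=5
EOF
}

# Enrol one user in the pam_oath users file, one line per user:
# "HOTP <user> <pin or -> <hex seed>". The seed must be hex with an even
# number of digits; the file holds secrets, so it is made mode 0600 and
# owned by root when run as root.
enrol_hotp_user() {
    usersfile="$1"; user="$2"; seed="$3"
    case "$seed" in
        ""|*[!0-9a-fA-F]*) echo "seed must be hex" >&2; return 1 ;;
    esac
    if [ $(( ${#seed} % 2 )) -ne 0 ]; then
        echo "seed must have an even number of hex digits" >&2; return 1
    fi
    printf 'HOTP\t%s\t-\t%s\n' "$user" "$seed" >> "$usersfile"
    chmod 600 "$usersfile"
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$usersfile"; fi
}

# Activate the profile non-interactively (what a package postinst does);
# run plain "pam-auth-update" instead to review the selection in the dialog.
activate_profile() {
    pam-auth-update --package
}

# Typical use as root (constructed seed, for illustration only):
#   write_oath_profile
#   enrol_hotp_user /etc/users.oath alice 3132333435363738393031323334353637383930
#   activate_profile
```

Enrol a user before activating the profile, otherwise that account is locked out of every common-auth service until an entry exists.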
= Central Directories =
* Novell eDirectory
* AD
* LDAP
= Potentially For Lucid =
* Develop a single recipe for a 2-factor authentication of some specific type
* Move mount passphrase to external device
* http://
* using something most people already own (CC#)
= Insanity =
* libpam-pulseaudio
Olof 091130:
The fprint backend works quite well for my AES1600 fingerprint reader, but there are two problems that I can see.
1. There is no GUI tool for managing the PAM settings. Currently these have to be set by hacking files in /etc/security
2. Also, fprint does not work well with gksu/gksudo. This is yet another reason to take gksudo out of the desktop (https:/
= Links =
* Here are instructions on how to use the Crypto Stick and OpenPGP Card with Ubuntu and with various Open Source applications: https:/