
Re: authentication using gnupg/pgp keys?



For an example of how to use binary_prompts, take a look in the
libpamc/test/ directory of the 0.70 Linux-PAM tar ball. The reason this
module is not compiled and installed by default is that it's not very
secure in its use of the /usr/bin/md5sum binary. However, it should
serve as a pretty good example of how to write challenge response
module/agents. (Yes, the agent in this case is written in perl.)

The evolving spec for this and other PAM stuff is here:

 ftp://linux.kernel.org/pub/linux/libs/pam/pre/doc/current-draft.txt

I don't recommend using the libpamc library from before 0.70 as previous
versions had lots of bugs.

Unlike my fingerprint module, I'm not going to be distributing a pgp
based module/agent - but I guess someone out in the free world might
offer some space on a web server..?

Cheers

Andrew

sen_ml@eccosys.com wrote:
> 
> thanks for the response!
> 
> morgan> I'm not aware of anyone working on this. It does sound like an
> morgan> ideal use of binary prompts though.
> 
> how hard (or much work) do you think it would be to implement?  are
> you aware of any module that could be used as a starting point?  for
> that matter, is some pam-experienced person interested in writing such
> a module?  :-)
> 
> also, there is an interesting ietf draft:
> 
>   http://www.ietf.org/internet-drafts/draft-moscaritolo-mione-pgpticket-03.txt
> 
> w/ the abstract:
> 
>   OpenPGP specifies message formats and certificate formats used for
>   exchange of encrypted and/or authenticated objects. This document
>   discusses methods of extending OpenPGP's message formats to support an
>   authorization system. This system would use public key cryptography to
>   authenticate a user to a server and establish the user's access
>   permissions. The concept is that the user acquires a ticket signed by
>   some issuer that specifies what they are entitled to do. That ticket
>   is then submitted to a server. The server uses a challenge/response
>   method to verify that the holder really has the matching private
>   key. The server then allows the access specified.
> 
> does this seem like something that could be implemented as part of the
> pam module as well?
> 
> sorry for so many questions.
> 
> morgan> sen_ml@eccosys.com wrote:
> morgan> >
> morgan> > is anyone working on a module to allow authentication based on a
> morgan> > challenge-response scheme using gnupg/pgp keys?
> morgan> >
> morgan> > i didn't have any luck locating anything in the archives...
> 


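The challenge/response step the thread describes (the server hands out a nonce, the agent signs it with the user's private key, the server checks the signature against the enrolled public key and only then grants access), as an added example that is not code from this thread, from Linux-PAM or from libpamc. It uses Go's standard-library Ed25519 in place of an OpenPGP key, since only the signing primitive differs and the protocol mechanics are the same; the protocol label, the user names and the in-memory keyring are assumptions made for the demo. It also shows the two checks a practitioner would want from such a module: the nonce is single-use so a captured response cannot be replayed, and the signed bytes are bound to the protocol and account so a signature made for another purpose or another user is not accepted.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Hypothetical protocol label (an assumption for this demo, not from the thread).
const domain = "pam-pgp-challenge-v1"

// Server holds enrolled public keys (standing in for a PGP keyring) and the
// nonce outstanding for each user. A nonce is consumed on the first Verify,
// whether or not it succeeds, so a captured response is never valid twice.
type Server struct {
	mu      sync.Mutex
	users   map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll registers the public key the server will trust for user.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.users[user] = pub
}

// Challenge issues a fresh 32-byte random nonce; this is the payload a PAM
// module would hand to the agent inside a binary prompt.
func (s *Server) Challenge(user string) ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify accepts the login only if nonce is the one currently outstanding for
// user and the signature over the transcript checks under the enrolled key.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	pub, known := s.users[user]
	expected, outstanding := s.pending[user]
	delete(s.pending, user) // single use: any attempt, good or bad, retires the nonce
	if !known || !outstanding || !bytes.Equal(nonce, expected) {
		return false
	}
	return ed25519.Verify(pub, transcript(user, nonce), sig)
}

// transcript is the byte string both sides sign and verify. Prefixing a
// protocol label and the user name means a signature produced for any other
// purpose, or for another account, cannot be presented as a login response.
func transcript(user string, nonce []byte) []byte {
	return []byte(domain + "\x00" + user + "\x00" + hex.EncodeToString(nonce))
}

// GenerateUserKey creates the user's key pair; the private half stays with
// the agent on the client side.
func GenerateUserKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Respond is the agent's half of the exchange: sign the server's challenge.
func Respond(user string, priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, transcript(user, nonce))
}

func main() {
	pub, priv, err := GenerateUserKey()
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Enroll("alice", pub)
	nonce, _ := srv.Challenge("alice")
	sig := Respond("alice", priv, nonce)
	fmt.Println("first response accepted:   ", srv.Verify("alice", nonce, sig))
	fmt.Println("replayed response accepted:", srv.Verify("alice", nonce, sig))
}
```

A real module would load the public key from the user's keyring and pass the nonce and signature through the binary prompt, but the server-side rules stay the same: issue the nonce, accept it once, and verify the signature over a transcript that names the protocol and the account.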
