Local PAM authentication with OpenPGP Card (was Re: PAM authentication with gpg or ssh key)

Peter Lebbing peter at digitalbrains.com
Wed Sep 30 12:54:29 CEST 2015

On 30/09/15 02:17, NIIBE Yutaka wrote:
> Perhaps, if there are some demands, I should write U2F module using
> gpg-agent (and revive Scute, accordingly).  I believe that this is a
> way to go, for those users who want to consolidate things cleanly.

Personally, my main interest lies with authentication with the OpenPGP
card using the PIN of the OpenPGP card. So not as a second factor! My
two factors are: possession of the OpenPGP card and knowledge of the
OpenPGP card PIN. I find different, difficult passwords for all my
machines too cumbersome. I'd rather use multiple smartcards with
different PINs.

For remote logins, I think the SSH agent already does a great job;
thanks NIIBE and Jerome for the pointers to the PAM modules, they might
still be useful for things that really, really want me to use a
sudo-like construction instead of plainly SSH'ing as root.

But for local logins, I'd like authentication to succeed (PAM) when the
OpenPGP card is locally attached to the PC in question and I enter the
correct PIN. Pinpad support would be nice.

I think I really need to restrict the logins to local ones only. In
practice, I would like not to use a separate smartcard for each and
every machine. In addition to the cards I already use for my OpenPGP
key, I would buy one additional card that would not hold my OpenPGP key,
but be exclusively used for local authentication on the systems I don't
want to have my OpenPGP key. This means the PIN is the same on every
system involved. If remote logins would succeed with this card, one
compromised PC could connect to the other. If the smartcard needs to be
connected locally and is only accepted for local terminals (Linux VT,
local X console), this seems to me to be prevented. In fact, the
requirement it is only used on local terminals (which is something you
can express in PAM with pam_securetty) should already be enough, but it
feels better if the OpenPGP card was restricted to local USB ports. I
suppose it's not a strong requirement.

So that's my scenario. I'm just expressing my idea of what would be
cool. If you decide to work on authentication with OpenPGP cards, this
is an idea for one way of using it.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

More information about the Gnupg-users mailing list