[Freedombox-discuss] freedombox & blackhats
Matt Willsher
matt at monki.org.uk
Tue Mar 1 12:40:41 UTC 2011
On 1 March 2011 11:59, Florian Hofmann <florian at fhaust.de> wrote:
> Am Dienstag, den 01.03.2011, 11:29 +0000 schrieb Matt Willsher:
>>
>> Good point. A PAM module would be a good starting point for this kind
>> of thing. I think that's the way Ubuntu does the encrypted home
>> directory. If PAM is used for all authentications, any authentication
>> could unlock the data store.
>> What about cases were new data is in bound? It would need to be stored
>> unencrypted or reject until sure a time as the encrypted store became
>> available.
>
> You're right, all the work on the PAM has been done by the Ubuntu guys.
> The whole setup isn't hard either (i set it up on our server before it
> was implemented in Ubuntu by default).
> The problem is to have several services with potentially different user
> names and passwords. Maybe a multitier approach would be needed here:
> Tier 1 is the users password which is used to decrypt the userrelated
> stuff _and_ a key for the second tier which would be the service related
> files.
> Then this system would have to be implemented for every service in
> question
PAM is pretty flexible and can be configured differently for different
services - it can use different password DBs and even different
authentication methods (smartcard, X509 cert, output of a iris scan)
if the module exists.
Where possible one authentication scheme should be use to reduce
complexity and the password store, in whatever form, should be
centralised and ideally allow for as much SSO as possible.
More information about the Freedombox-discuss
mailing list