On Wed, 2004-10-13 at 15:36, Brian Fahrlander wrote:

> I've heard a lot about biometrics, but the durned things cost over
> $100 (consumer grade) and only seem to work for legacy software. The
> cost isn't such a big deal, but the software sure is.
>
> But in the bigger picture, biometrics isn't enough. I know there'll
> be a couple of cocky jerks who'll tell you (and me) at great lengths how
> stupid the idea is, mostly because they've not looked down the road as
> far as I have. Remember the GPG keys on repos and how that wasn't
> suitable? :)
>
> Keyfobs. These little USB droplets of cyberspace. How about we, as
> one of the largest collections of Linux people out there, standardize
> some software to fit into PAM to do this:
>
> 1. Upon insertion, ask for the passphrase à la local-agent.
>
> 2. When validated, use these credentials for everything.

Sounds like you want something like Sun has with their Sunray systems. You walk up to one and plug in your badge (which has a chip on it) and the first time you login. When you are done you just pull your badge. You can then walk up to a different Sunray and insert your badge and the same environment shows up on the display. Not quite what you described but close.

The trick with what you want is getting a driver that sits and monitors the USB port looking for some kind of token on the flash. When it sees the token then you can probably use one of those agent programs to authenticate a PGP key. After that any systems you use PGP with would let you access it with no problem.

The big issue (you knew there was one!) is you need some process in place to recover when either your fob catastrophically fails or is lost. It also must be secure enough that if it is lost no one else could use it. Which brings you back to using a highly secure password or pass phrase and encryption that would take the NSA at least a week to crack. :)

You are correct in that virtually everyone at one time or another uses insecure passwords or uses the same password across a large number of systems.

The best system I have seen uses a token card. I have used two forms of token cards; the first generated a new pass token every minute. The RSA server on the company LAN is synchronized so that when you enter your user id, token, and PIN number it would authenticate you. The other token card actually had a keypad on it which you put your PIN number into, and then it generates a token that you use for the password. Both of these were used to establish VPN access but could also be used for authentication to servers with the right PAM modules.

So a lot of what you want is already out there. The bigger issue is getting all the different systems you want to use this with to use the new scheme.

--
Scot L. Harris
webid@xxxxxxxxxx

My pants just went to high school in the Carlsbad Caverns!!!