Do we really need to remember that ridiculous passwords/phrases?
Do we really need to remember and use those ridiculous 4-6 character
passwords, that only protect us from ourselves? I'd like to try using a
USB stick to authenticate me (use it as a key) on my computer and
not remember any passwords. The way, probably, is through ssh-keygen
public and private keys. Here is a fuzzy sketch. I see the login prompt
at the console, next I insert the USB stick, type my login name, and I'm
logged in. What should be stored on the USB stick? Probably my private key in
a predefined directory; next, a script running on the box reads the
private key from the stick, finds the public key using the typed login name and
performs login without asking for passwords. Second, to protect my account
I'd like to use my private key as the password. Problem: how to do that?
---
Bogdan
Re: Do we really need to remember that ridiculous passwords/phrases?
B. Yanchitsky wrote:
> Problem, how to do that?
If you don't mind messing with PAM then maybe pam_usb is the answer:
<URL: http://www.pamusb.org/>
--
Thomas O.
This area is designed to become quite warm during normal operation.
Re: Do we really need to remember that ridiculous passwords/phrases?
(B.Yanchitsky@gmail.com) writes:
> Do we really need to remember and use those ridiculous 4-6 character
> passwords, that only protect us from ourselves? I'd like to try using a
> USB stick to authenticate me (use it as a key) on my computer and
> not remember any passwords. The way, probably, is through ssh-keygen
> public and private keys. Here is a fuzzy sketch. I see the login prompt
> at the console, next I insert the USB stick, type my login name, and I'm
> logged in. What should be stored on the USB stick? Probably my private key in
> a predefined directory; next, a script running on the box reads the
> private key from the stick, finds the public key using the typed login name and
> performs login without asking for passwords. Second, to protect my account
> I'd like to use my private key as the password. Problem: how to do that?
>
You can do anything you want, but once you move away from the norm
there's nobody checking to make sure how secure things are.
Surely one thing about a key is that it can be duplicated. That
holds for a physical key or some sort of usb key. If someone can
get ahold of it, they can copy it and get access. So you either
need something that can't be copied, or have something you need to
type in so merely having the key doesn't get you in. The latter
invalidates the whole concept, you might as well just get good
at remembering things.
Michael
Re: Do we really need to remember that ridiculous passwords/phrases?
On 2008-02-18, B.Yanchitsky@gmail.com <B.Yanchitsky@gmail.com> wrote:
> Do we really need to remember and use those ridiculous 4-6 character
> passwords, that only protect us from ourselves? I'd like to try using a
> USB stick to authenticate me (use it as a key) on my computer and
> not remember any passwords. The way, probably, is through ssh-keygen
> public and private keys. Here is a fuzzy sketch. I see the login prompt
> at the console, next I insert the USB stick, type my login name, and I'm
> logged in. What should be stored on the USB stick? Probably my private key in
> a predefined directory; next, a script running on the box reads the
> private key from the stick, finds the public key using the typed login name and
> performs login without asking for passwords. Second, to protect my account
> I'd like to use my private key as the password. Problem: how to do that?
Do you really have to keep that USB stick safe and private and handy just
to protect us from ourselves?
Don't get near any strong magnetic sources....
Talk about doing things the hard way!
To avoid memorizing a small string?
Tom
--
calhobbit (at) | Artificial Intelligence:
gmail [DOT] com | When the real thing just won't do.
Re: Do we really need to remember that ridiculous passwords/phrases?
On Mon, 18 Feb 2008 09:36:06 -0800, B.Yanchitsky wrote:
> Do we really need to remember and use those ridiculous 4-6 character
> passwords, that only protect us from ourselves? I'd like to try using a USB
> stick to authenticate me (use it as a key) on my computer and not
> remember any passwords. The way, probably, is through ssh-keygen public
> and private keys. Here is a fuzzy sketch. I see the login prompt at the
> console, next I insert the USB stick, type my login name, and I'm logged in.
> What should be stored on the USB stick? Probably my private key in a
> predefined directory; next, a script running on the box reads the
> private key from the stick, finds the public key using the typed login name and
> performs login without asking for passwords. Second, to protect my account I'd
> like to use my private key as the password. Problem: how to do that?
There is another option. Some companies like RSA sell this sort of thing:
http://www.rsa.com/node.aspx?id=1156
I don't know if it works in Slackware though. You still have to type in
the password, but without the key you cannot gain entry, because the key
gives you a new password every 60 seconds. So it is similar to your USB
idea but more complicated and much more expensive.
As for your USB idea, you would need a different login program so that
after typing in your password it reads from a USB key. login is the name
of the program that does the authentication, IIRC. It is called by agetty.
There is a document on the system that describes how agetty and login work:
/usr/doc/Linux-HOWTOs/From-PowerUp-To-Bash-Prompt-HOWTO
There are many security problems in doing this; you should research them
before you try.
Richard James :)
--
If you find yourself suddenly facing a GUI because you accidentally ran
startx, don't panic. Just press the CTRL-ALT-BACKSPACE key combo and
you'll quick as a flash be back in your cosy command line where you
belong.
Re: Do we really need to remember that ridiculous passwords/phrases?
On Mon, 18 Feb 2008 09:36:06 -0800, B.Yanchitsky wrote:
> I see login prompt at console, next I insert usb stick, type my login
> name, and I'm logged... Second, to protect my account I'd like to use
> as password my private key. Problem, how to do that?
This doesn't quite do what you want, Bogdan, but it gets you close.
http://www.linuxjournal.com/article/8599
--
Chick Tower
For e-mail: aols2 DOT sent DOT towerboy AT xoxy DOT net
Re: Do we really need to remember that ridiculous passwords/phrases?
Gotcha, done, at least basically.
I really do not recommend that anybody go away from the security models that
are proposed as defaults in your distribution. But what I've done is
very simple. ssh has a private/public key model. You generate 2 keys
using ssh-keygen -t dsa: id_dsa is the private key, id_dsa.pub is the public
key. When id_dsa.pub is added to authorized_keys you are allowed not
to type passwords (a passphrase is possible but optional). The private key
is stored on the USB stick; it is important not to store anything on the
stick concerning your login name, machine name and public key. The public
key is stored on the computer in the .ssh directory; the private key must be
removed from this directory. The sshd daemon must be running on the box.
inittab has the following entry:
c5:1235:respawn:/sbin/agetty 38400 tty5 linux -l /sbin/usblogin
and the usblogin script is something like
#!/bin/bash
# agetty runs this as "usblogin -- <user>", so the typed login name is $2.
USER_NAME="$2"
MOUNTPOINT="/mnt/usbsticklogin"
STICK_DEV="/dev/sda1"
[ -n "$USER_NAME" ] || exit 1
/sbin/rescan-scsi-bus &> /dev/null
[ -d "$MOUNTPOINT" ] || /bin/mkdir -p "$MOUNTPOINT"
/bin/umount "$MOUNTPOINT" &> /dev/null
# read-only, and nothing on the stick may be executed or act as a device
/bin/mount -o ro,nosuid,nodev,noexec "$STICK_DEV" "$MOUNTPOINT" &> /dev/null
# id_dsa in the user's ~/.ssh is a symlink to $MOUNTPOINT/.ssh/id_dsa
/usr/bin/ssh -i "/home/$USER_NAME/.ssh/id_dsa" "$USER_NAME@localhost"
/bin/umount "$MOUNTPOINT" &> /dev/null
and its purpose is to mount the USB stick and do ssh localhost through the
loopback interface.
$2 is the user name typed at login; id_dsa in the user's .ssh directory on the
box is a soft link to MOUNTPOINT/.ssh/id_dsa, the private key. Clearly this
script has a bunch of vulnerabilities; here are some of them: the stick
must be unmounted as soon as possible, not waiting for the end of the ssh
session; only root and the user can read the stick; mount must be as
secure as possible; memory pages must be protected; the script must be
protected from keyboard interventions. Special thanks for pointing me
to the agetty and login issues and for some ideas concerning encrypted
containers; they may be really useful when stick, login and machine name
are stolen and you still have some time to change the password; a
passphrase may be good here too.
Now I'm about to secure the script. If anybody has ideas for
improvements, I'm ready to listen.
Thanks for your attention.
Posting this from a secured local socket ;-).
---
Bogdan
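The agetty-to-ssh-localhost scheme above only removes passwords if sshd itself has stopped accepting them: if PasswordAuthentication (or keyboard-interactive through PAM) is still on, a missing or wrong stick simply makes ssh fall back to a password prompt, and if sshd listens on every interface the "local socket" is reachable from the network. A detail that bites here is that sshd_config takes the first value given for a keyword, so a hardened line appended below a permissive one changes nothing. The following checker is an added example, not code from the thread; the required values, the defaults assumed for unset keywords, and both sample configs are constructed for the example.

```python
# Added example (not from the thread): audit the sshd_config settings that the
# "agetty -l usblogin -> ssh user@localhost" scheme silently depends on.
# sshd_config uses the FIRST value given for a keyword, so the parser keeps
# values in file order; ListenAddress is cumulative, so all its values count.
# REQUIRED, DEFAULTS and the two sample configs are constructed for the example.
import re
from typing import Dict, List

# keyword (lower-case) -> value the key-only scheme needs
REQUIRED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",   # PAM / keyboard-interactive passwords
    "pubkeyauthentication": "yes",
}
# OpenSSH default assumed when the keyword is absent (all three default to yes)
DEFAULTS = {k: "yes" for k in REQUIRED}
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1", "localhost")


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Collect every value given for each keyword in the global section.

    values[0] is the effective one for ordinary keywords.  Parsing stops at
    the first Match block, because settings inside it are conditional and
    need to be reviewed separately.
    """
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, []).append(value)
    return settings


def audit(settings: Dict[str, List[str]]) -> List[str]:
    """Return one finding per setting that would let a login bypass the key."""
    findings: List[str] = []
    for key, wanted in REQUIRED.items():
        values = settings.get(key)
        effective = values[0] if values else DEFAULTS[key]
        if effective.lower() != wanted:
            where = "first value" if values else "unset, default"
            findings.append(f"{key}: {effective} ({where}); want {wanted}")
    listen = settings.get("listenaddress", [])
    if not listen:
        findings.append("listenaddress: unset; sshd listens on every interface")
    else:
        exposed = [a for a in listen if not a.startswith(LOOPBACK_PREFIXES)]
        if exposed:
            findings.append("listenaddress: " + ", ".join(exposed) + " is not loopback")
    return findings


# Constructed sample: a permissive config with a "fix" appended at the end.
# The second PasswordAuthentication line has no effect; the first value wins.
WEAK_CONFIG = """\
Port 22
#ListenAddress 0.0.0.0
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
"""

# Constructed sample: what the loopback-only, key-only scheme needs.
HARDENED_CONFIG = """\
ListenAddress 127.0.0.1
ListenAddress [::1]:22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_sshd_config(cfg)) or ["ok"])
```

Run it against /etc/ssh/sshd_config after editing and restart sshd only when the audit is empty; a Match block in the file still has to be read by hand, since the checker deliberately stops there rather than guess which conditions apply to the console user.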