Do we really need to remember that ridiculous passwords/phrases? - Slackware


Thread: Do we really need to remember that ridiculous passwords/phrases?

  1. Do we really need to remember that ridiculous passwords/phrases?

    Do we really need to remember and use those ridiculous 4-6 character
    passwords, which only protect us from ourselves? I'd like to try to use a
    usb stick to authenticate me (use it as a key) on my computer and not
    remember any passwords. The way, probably, is through ssh-keygen
    public and private keys. Here is a fuzzy sketch. I see the login prompt
    at the console, next I insert the usb stick, type my login name, and I'm
    logged in. What should be stored on the usb stick? Probably my private key in
    a predefined directory; next, a script running on the box reads the
    private key from the stick, finds the public key using the typed login name and
    performs login without asking for passwords. Second, to protect my account
    I'd like to use my private key as the password. Problem: how to do that?

    ---
    Bogdan

  2. Re: Do we really need to remember that ridiculous passwords/phrases?


    B. Yanchitsky wrote:

    > Problem, how to do that?


    If you don't mind messing with PAM then maybe pam_usb is the answer:

    --
    Thomas O.

    This area is designed to become quite warm during normal operation.

  3. Re: Do we really need to remember that ridiculous passwords/phrases?

    (B.Yanchitsky@gmail.com) writes:
    > Do we really need to remember and use that ridiculous 4-6 characters
    > passwords, that only protect us from ourselves? I'd like to try use
    > usb stick to authenticate me (use it as a key) on my computer and
    > don't remember any passwords. The way, probably, is through ssh-keygen
    > public and private keys. Here is some fuzzy sketch. I see login prompt
    > at console, next I insert usb stick, type my login name, and I'm
    > logged. What should be stored on usb stick? probably my private key in
    > a predefined directory, next, script running on the box reads from the
    > stick the private key, finds public key using typed login name and
    > performs login not asking passwords. Second, to protect my account
    > I'd like to use as password my private key. Problem, how to do that?
    >

    You can do anything you want, but once you move away from the norm
    there's nobody checking to make sure how secure things are.

    Surely one thing about a key is that it can be duplicated. That
    holds for a physical key or some sort of usb key. If someone can
    get ahold of it, they can copy it and get access. So you either
    need something that can't be copied, or have something you need to
    type in so merely having the key doesn't get you in. The latter
    invalidates the whole concept, you might as well just get good
    at remembering things.

    Michael


  4. Re: Do we really need to remember that ridiculous passwords/phrases?

    On 2008-02-18, B.Yanchitsky@gmail.com wrote:
    > Do we really need to remember and use that ridiculous 4-6 characters
    > passwords, that only protect us from ourselves? I'd like to try use
    > usb stick to authenticate me (use it as a key) on my computer and
    > don't remember any passwords. The way, probably, is through ssh-keygen
    > public and private keys. Here is some fuzzy sketch. I see login prompt
    > at console, next I insert usb stick, type my login name, and I'm
    > logged. What should be stored on usb stick? probably my private key in
    > a predefined directory, next, script running on the box reads from the
    > stick the private key, finds public key using typed login name and
    > performs login not asking passwords. Second, to protect my account
    > I'd like to use as password my private key. Problem, how to do that?


    Do you really have to keep that USB stick safe and private and handy just
    to protect us from ourselves?

    Don't get near any strong magnetic sources....

    Talk about doing things the hard way!

    To avoid memorizing a small string?

    Tom

    --
    calhobbit (at) | Artificial Intelligence:
    gmail [DOT] com | When the real thing just won't do.


  5. Re: Do we really need to remember that ridiculous passwords/phrases?

    On Mon, 18 Feb 2008 09:36:06 -0800, B.Yanchitsky wrote:

    > Do we really need to remember and use that ridiculous 4-6 characters
    > passwords, that only protect us from ourselves? I'd like to try use usb
    > stick to authenticate me (use it as a key) on my computer and don't
    > remember any passwords. The way, probably, is through ssh-keygen public
    > and private keys. Here is some fuzzy sketch. I see login prompt at
    > console, next I insert usb stick, type my login name, and I'm logged.
    > What should be stored on usb stick? probably my private key in a
    > predefined directory, next, script running on the box reads from the
    > stick the private key, finds public key using typed login name and
    > performs login not asking passwords. Second, to protect my account I'd
    > like to use as password my private key. Problem, how to do that?


    There is another option. Some companies like RSA sell this sort of thing
    http://www.rsa.com/node.aspx?id=1156

    I don't know if it works in Slackware though. You still have to type in
    the password, but without the key you cannot gain entry, because the key
    gives you a new password every 60 seconds. So it is similar to your USB
    idea but more complicated and much more expensive.

    As for your USB idea you would need a different login program so that
    after typing in your password it reads from a USB key. login is the name
    of the program that does the authentication IIRC. It is called by agetty.

    There is a document on the system that describes how agetty and login work
    /usr/doc/Linux-HOWTOs/From-PowerUp-To-Bash-Prompt-HOWTO

    There are many security problems in doing this, you should research them
    before you try.

    Richard James
    --
    If you find yourself suddenly facing a GUI because you accidentally ran
    startx, don't panic. Just press the CTRL-ALT-BACKSPACE key combo and
    you'll quick as a flash be back in your cosy command line where you
    belong.

  6. Re: Do we really need to remember that ridiculous passwords/phrases?

    On Mon, 18 Feb 2008 09:36:06 -0800, B.Yanchitsky wrote:

    > I see login prompt at console, next I insert usb stick, type my login
    > name, and I'm logged... Second, to protect my account I'd like to use
    > as password my private key. Problem, how to do that?


    This doesn't quite do what you want, Bogdan, but it gets you close.

    http://www.linuxjournal.com/article/8599
    --
    Chick Tower

    For e-mail: aols2 DOT sent DOT towerboy AT xoxy DOT net


  7. Re: Do we really need to remember that ridiculous passwords/phrases?

    gotcha, done, at least basically

    I really do not recommend that anybody go away from the security models that
    are proposed as defaults in your distributions. But what I've done is
    very simple. ssh has a private-public key model. You generate 2 keys
    using ssh-keygen -t dsa. id_dsa is the private key, id_dsa.pub is the public
    key. When id_dsa.pub is added to authorized_keys you are allowed not
    to type passwords (a passphrase is possible but optional). The private key
    is stored on the usb stick; it is important not to store anything on the
    stick concerning your login name, machine name and public key. The public
    key is stored on the computer in the .ssh directory; the private key must be
    removed from this directory. The sshd daemon must be running on the box.
    inittab has the following entry:
    c5:1235:respawn:/sbin/agetty 38400 tty5 linux -l /sbin/usblogin

    and usblogin script is something like

    #!/bin/bash
    # agetty invokes this as "usblogin -- <name>", so $2 is the typed login name.
    MOUNTPOINT="/mnt/usbsticklogin"
    /sbin/rescan-scsi-bus &> /dev/null
    if [ ! -e "$MOUNTPOINT" ]; then
        /usr/bin/mkdir -p "$MOUNTPOINT"
    fi
    /bin/umount "$MOUNTPOINT" &> /dev/null
    /bin/mount /dev/sda1 "$MOUNTPOINT" -o ro &> /dev/null
    # ~/.ssh/id_dsa on the box is a soft link to the private key on the stick
    /usr/bin/ssh -i "/home/$2/.ssh/id_dsa" "$2@localhost"
    /bin/umount "$MOUNTPOINT" &> /dev/null

    and its purpose is to mount the usb stick and do ssh to localhost through the
    loopback interface.
    $2 is the user name typed at login; id_dsa in the user's .ssh directory on the
    box is a soft link to the MOUNTPOINT/.ssh/id_dsa private key. Clearly this
    script has a bunch of vulnerabilities; here are some of them: the stick
    must be unmounted as early as possible, not waiting for the end of the ssh
    session. Only root and the user can read the stick, the mount must be as
    secure as possible, memory pages must be protected, the script must be
    protected from keyboard interventions. Special thanks for pointing me
    to the agetty and login issues and for some ideas concerning encrypted
    containers, which may be really useful when the stick, login and machine name
    are stolen and you still have some time to change the password;
    a passphrase may be good here too.
    Now I'm about to secure the script; if anybody has ideas for
    improvements, I'm ready to listen.
    Thanks for your attention.
    Posting this from a secured local socket ;-).

    ---
    Bogdan
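A hardened variant of the usblogin idea, added here as an example (it is not Bogdan's script and not part of the original thread). It assumes agetty calls it as "usblogin -- NAME", that the stick is /dev/sda1 carrying .ssh/id_dsa, and that /dev/shm is a tmpfs; it validates the login name, checks the key file's mode, mounts the stick read-only with nodev/nosuid/noexec, and copies the key to a private tmpfs directory so the stick is unmounted before the ssh session starts, which is the first of the problems listed in the post above.

```shell
#!/bin/bash
# Added example, not Bogdan's script: agetty -> ssh-to-localhost with checks.
# Assumes agetty runs it as "usblogin -- NAME", the stick is /dev/sda1 with
# .ssh/id_dsa on it, and /dev/shm is a tmpfs (the key is copied there).
MOUNTPOINT="/mnt/usbsticklogin"
DEVICE="/dev/sda1"

# Accept only a plain login name: no leading "-", no "@", "/" or blanks, so the
# name cannot be parsed by ssh as an option or escape the /home/NAME path.
valid_login_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The key must be a regular file, not a symlink (the stick could point it
# anywhere), and readable by its owner only, which ssh insists on as well.
key_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Read-only plus nodev/nosuid/noexec: the stick may supply data, nothing else.
mount_stick() {
    mkdir -p "$MOUNTPOINT" || return 1
    umount "$MOUNTPOINT" 2>/dev/null
    mount -o ro,nodev,nosuid,noexec "$DEVICE" "$MOUNTPOINT" 2>/dev/null
}

usblogin_main() {
    [ "$#" -eq 2 ] && [ "$1" = "--" ] && valid_login_name "$2" || exit 1
    user="$2"
    mount_stick || exit 1
    tmp="$(mktemp -d /dev/shm/usblogin.XXXXXX)" || { umount "$MOUNTPOINT"; exit 1; }
    if key_file_ok "$MOUNTPOINT/.ssh/id_dsa"; then
        cp "$MOUNTPOINT/.ssh/id_dsa" "$tmp/id_dsa" && chmod 600 "$tmp/id_dsa"
    fi
    umount "$MOUNTPOINT" 2>/dev/null      # stick is released before ssh runs
    [ -f "$tmp/id_dsa" ] || { rm -rf "$tmp"; exit 1; }
    ssh -o PasswordAuthentication=no -i "$tmp/id_dsa" "$user@localhost"
    rm -rf "$tmp"                         # the key copy lives only for the session
}

# agetty passes "-- NAME"; with no arguments (e.g. when sourced) nothing runs.
if [ "${1:-}" = "--" ]; then usblogin_main "$@"; fi
```

The script must still run as root from inittab exactly like the original, and root's known_hosts must already trust localhost, since ssh is not run interactively here.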
