moin *,
sorry for the cross-post; follow-ups should go to xdg@ (the only one of
those lists i'm subscribed to).
i'm pondering the idea of implementing SingleSignOn based on an
authentication agent like the ones employed by ssh and gnupg. the system
would consist of two main components:
- fdo-keyagent, certainly a d-bus service
- pam_keyagent, a PAM module that would authenticate users by unlocking
  their key(s) (which one(s) has to be preconfigured somehow -
  ~/.config/keyagent maybe?) and adding them to the agent's cache.
- it might make sense to create a libkeyagent that would provide functions
  for key retrieval, etc. i'm not sure whether it would be better to
  embed ssh-add's equivalent into the agent or into such a library.
the key agent would send notifications when keys exceed their lifetime.
in fact, this is a major missing component of PAM. in this context it
might even make sense to create meta-entries for kerberos tokens and
even unix passwords (with close relation to pam_time/pam_group).
end-user/desktop applications (password managers, ssh, gpg, etc.) would
use the keys stored in the agent - obviously.
a buzz word that comes to mind is x.509 compliance, but i really have no
idea what that would include.
as far as security goes, i really need some input. possible concerns:
- having a central agent for all users might be frowned upon. one could
make the agent fork a sub-agent for each user, but this would require
some elaborate IPC.
plan b is to make fdo-keyagent a meta-agent that would spawn
ssh-agents, gpg-agents, etc. on demand, ref-count them and do other
housekeeping. even more "interesting" IPC.
- apps using PAM traditionally have been bad at using mlock, and i
wouldn't know how to fix this. what do the security experts think
about this issue?
- having the d-bus daemon in between doesn't exactly help, either. maybe
  it would make sense to use d-bus for the protocol only and set up
  dedicated connections for passphrase and key transfers.
i'm interested in any kind of useful comments, including pointers to
prior art in that area and papers worth reading.
--
Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
--
Chaos, panic, and disorder - my work here is done.
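[editor's note] the two security concerns in the message above (PAM apps and mlock; secrets crossing the d-bus daemon) can be sketched in code. the following is an added example, not code from the original mail or from any fdo-keyagent project: a locked, wiped-on-release buffer for key material, plus SCM_RIGHTS descriptor passing so the control channel (d-bus in the proposal) only carries a socket, and the key itself travels over a dedicated Unix socket. it assumes Linux (MADV_DONTDUMP, glibc's explicit_bzero); the names secret_buf, send_fd, recv_fd and demo_transfer are invented here, and agent and client run in one process so it can be exercised offline with a constructed sample key.

```c
/* Added example (not from the original e-mail or any fdo-keyagent code):
 * keep an unlocked key out of swap and core dumps (mlock, MADV_DONTDUMP,
 * wipe on release) and hand key material over a dedicated Unix socket whose
 * descriptor is passed over the control channel with SCM_RIGHTS, so the
 * control channel (d-bus in the proposal) never sees the secret.
 * Linux-specific; every name below is invented here. */
#define _GNU_SOURCE
#include <string.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <unistd.h>

#define SECRET_MAX 4096

struct secret_buf {
    unsigned char *data; /* mmap()ed pages, mlock()ed if permitted */
    size_t len;          /* bytes of secret currently stored */
    int locked;          /* 1 if mlock() succeeded */
};

/* 0 = locked, 1 = usable but mlock() refused (RLIMIT_MEMLOCK; an agent
 * would warn here as gpg-agent does), -1 = no memory. */
static int secret_buf_init(struct secret_buf *s)
{
    void *p = mmap(NULL, SECRET_MAX, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    *s = (struct secret_buf){ .data = p, .locked = mlock(p, SECRET_MAX) == 0 };
    madvise(p, SECRET_MAX, MADV_DONTDUMP); /* best effort: skip in core dumps */
    return s->locked ? 0 : 1;
}

/* explicit_bzero() survives dead-store elimination, memset() may not. */
static void secret_buf_free(struct secret_buf *s)
{
    if (!s->data) return;
    explicit_bzero(s->data, SECRET_MAX);
    munlock(s->data, SECRET_MAX);
    munmap(s->data, SECRET_MAX);
    s->data = NULL; s->len = 0;
}

/* SCM_RIGHTS descriptor passing; one dummy byte carries the ancillary data. */
static int send_fd(int chan, int fd)
{
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u = {{0}};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

static int recv_fd(int chan)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u = {{0}};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(chan, &msg, 0) != 1)
        return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Agent hands the client one end of a fresh socketpair over the control
 * channel and writes the key only there; the client reads it straight into
 * locked memory. Both roles run in this process. Bytes received, or -1. */
static int demo_transfer(const unsigned char *key, size_t keylen,
                         struct secret_buf *out)
{
    int control[2], dedicated[2], fd;
    ssize_t n;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, control) != 0 ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, dedicated) != 0)
        return -1;
    if (send_fd(control[0], dedicated[1]) != 0)              /* agent -> client */
        return -1;
    close(dedicated[1]);
    if ((fd = recv_fd(control[1])) < 0)                      /* client */
        return -1;
    if (write(dedicated[0], key, keylen) != (ssize_t)keylen) /* agent, dedicated only */
        return -1;
    close(dedicated[0]);
    n = read(fd, out->data, SECRET_MAX);                     /* client */
    close(fd); close(control[0]); close(control[1]);
    if (n < 0)
        return -1;
    out->len = (size_t)n;
    return (int)n;
}
```

build with a C99 compiler on Linux (cc -std=c99 -Wall). secret_buf_init() reports 1 rather than failing when mlock() is refused, which is the behaviour of the existing agents the mail cites as prior art (they warn and carry on); a deployment that insists on locked memory would treat 1 as fatal or raise RLIMIT_MEMLOCK for the agent. the same SCM_RIGHTS mechanism is what a d-bus method can use to return a unix fd to the caller, so the bus daemon only ever forwards the descriptor, never the key bytes.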