On 30/09/15 02:17, NIIBE Yutaka wrote:
> Perhaps, if there are some demands, I should write U2F module using
> gpg-agent (and revive Scute, accordingly). I believe that this is a
> way to go, for those users who want to consolidate things cleanly.
Personally, my main interest lies with authentication with the OpenPGP card using the PIN of the OpenPGP card. So not as a second factor! My two factors are: possession of the OpenPGP card and knowledge of the OpenPGP card PIN. I find different, difficult passwords for all my machines too cumbersome. I'd rather use multiple smartcards with different PINs.

For remote logins, I think the SSH agent already does a great job; thanks NIIBE and Jerome for the pointers to the PAM modules, they might still be useful for things that really, really want me to use a sudo-like construction instead of plainly SSH'ing as root. But for local logins, I'd like authentication to succeed (PAM) when the OpenPGP card is locally attached to the PC in question and I enter the correct PIN. Pinpad support would be nice.

I think I really need to restrict the logins to local ones only. In practice, I would like not to use a separate smartcard for each and every machine. In addition to the cards I already use for my OpenPGP key, I would buy one additional card that would not hold my OpenPGP key, but be exclusively used for local authentication on the systems I don't want to have my OpenPGP key. This means the PIN is the same on every system involved. If remote logins would succeed with this card, one compromised PC could connect to the other. If the smartcard needs to be connected locally and is only accepted for local terminals (Linux VT, local X console), this seems to me to be prevented. In fact, the requirement that it is only used on local terminals (which is something you can express in PAM with pam_securetty) should already be enough, but it feels better if the OpenPGP card was restricted to local USB ports. I suppose it's not a strong requirement.

So that's my scenario. I'm just expressing my idea of what would be cool. If you decide to work on authentication with OpenPGP cards, this is an idea for one way of using it.

Thanks!

Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
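As an added illustration of the local-only card login described in the post (example configuration written for this page, not code from the post, from GnuPG or from any PAM module's documentation), a PAM stack for the console login service that attempts card authentication only on a local VT. The card module name (Poldi's pam_poldi.so) and the Debian-style `common-auth` include are assumptions; the post does not name a module. Note that pam_securetty enforces the /etc/securetty check only for root, so for ordinary accounts the tty rule in pam_access is what actually pins the card to local consoles.

```pam
# /etc/pam.d/login  (assumed file layout; added example, not from the post)
#
# 1. Local-console gate for root: pam_securetty fails unless PAM_TTY is
#    listed in /etc/securetty (keep that file down to tty1..tty6).
#    "requisite" aborts the stack immediately, so a remote or pseudo-tty
#    login never reaches the card prompt.
auth  requisite  pam_securetty.so
#
# 2. Local-console gate for everyone else: pam_access consults
#    /etc/security/access.conf, where a rule such as
#        + : ALL : tty1 tty2 tty3 tty4 tty5 tty6
#        - : ALL : ALL
#    allows only the listed VTs (origin field = tty for non-network logins).
auth  requisite  pam_access.so
#
# 3. Only now ask for the OpenPGP card and its PIN (module name assumed).
#    "sufficient": a correct PIN on a locally attached card finishes auth.
auth  sufficient pam_poldi.so
#
# 4. Fall back to the ordinary password stack if no card is present.
auth  include    common-auth
```

The card line stays out of /etc/pam.d/sshd (and any other network-facing service), so the same card and PIN on a compromised PC cannot open a remote session elsewhere.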
