On Sun, Jan 05, 2014 at 09:15:21PM +0900, Ryan McBride wrote:
> My wish is for something with this user functionality, but use the
> password to encrypt/decrypt the user.key file, via pbkdf2-ish function
> (like bioctl/softraid_crypto), to avoid having the key in plaintext on
> the disk. It's a bit trickier, as you'd need to handle password
> changes, but with the right metadata in the user.key file you could
> avoid having a separate binary for this (all handled cleanly by
> login_yubikey).

Yes, that would be nice. But I don't understand how it could work without an extra tool to handle password changes. Even without the encrypt/decrypt functionality a tool like ssh-keygen for yubikey in base would be nice. It could be used to generate the key and id file and write it to the yubikey.

> On Sat, Jan 04, 2014 at 10:55:39AM +0100, Remi Locherer wrote:
> > This patch provides a new login style: yubikey-and-pwd. The idea is from
> > login_totp-and-pwd from the login_oath port.
> >
> > I tried to keep the patch small and not touch too many things. But probably
> > it would be better to change more stuff (eg: there are now two backchannels:
> > *back from login_passwd.c and *f from login_yubikey.c).
> >
> > It's likely that I got something wrong - I'm a novice in programming C ;)
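
The password-wrapped user.key idea discussed in this thread, as an added sketch that is not part of any message above and is not OpenBSD or login_yubikey code. The record layout (`rounds$salt$ct$tag`), the function names and the round limits are assumptions, and a PBKDF2-derived pad with an HMAC tag stands in for the block cipher a real implementation would use.

```python
import hashlib, hmac, os

ROUNDS = 100_000   # assumed work factor; stored in the record so it can be raised later
KEY_LEN = 16       # the YubiKey AES key is 128 bits

def _derive(password: str, salt: bytes, rounds: int):
    # One PBKDF2 call yields the pad that masks the key plus a separate MAC key.
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds, KEY_LEN + 32)
    return okm[:KEY_LEN], okm[KEY_LEN:]

def wrap(aes_key: bytes, password: str, rounds: int = ROUNDS) -> str:
    """Return one line of hypothetical user.key content: rounds$salt$ct$tag (hex)."""
    if len(aes_key) != KEY_LEN:
        raise ValueError("expected a 16-byte key")
    salt = os.urandom(16)  # fresh salt on every wrap, so a pad is never reused
    pad, mac_key = _derive(password, salt, rounds)
    ct = bytes(a ^ b for a, b in zip(aes_key, pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return "$".join([str(rounds), salt.hex(), ct.hex(), tag.hex()])

def unwrap(record: str, password: str) -> bytes:
    rounds_s, salt_h, ct_h, tag_h = record.strip().split("$")
    rounds = int(rounds_s)
    if not 1 <= rounds <= 10_000_000:  # do not let a tampered file pick the cost
        raise ValueError("implausible round count")
    salt, ct, tag = bytes.fromhex(salt_h), bytes.fromhex(ct_h), bytes.fromhex(tag_h)
    pad, mac_key = _derive(password, salt, rounds)
    expect = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong password or corrupted key file")
    return bytes(a ^ b for a, b in zip(ct, pad))

def rewrap(record: str, old_password: str, new_password: str) -> str:
    # A password change needs the old password once, to recover the key;
    # the salt and round count in the record are all the metadata required.
    return wrap(unwrap(record, old_password), new_password)
```

Because `rewrap` only needs the old and new password together, it fits wherever both are available at once, which is the step the reply above asks about.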
