hi *, sorry for the cross-post; follow-ups should go to xdg@ (the only one of those lists i'm subscribed to).

i'm pondering the idea of implementing SingleSignOn based on an authentication agent like the ones employed by ssh and gnupg. the system would consist of two main components:

- fdo-keyagent, certainly a d-bus service
- pam_keyagent, a PAM module that would authenticate users by unlocking their key(s) (which one(s) has to be preconfigured somehow - ~/.config/keyagent maybe?) and adding them to the agent's cache.
- it might make sense to create libkeyagent, which would provide functions for key retrieval, etc. i'm not sure whether it would be better to embed ssh-add's equivalent into the agent or into such a library.

the key agent would send notifications when keys exceed their lifetime. in fact, this is a major missing component of PAM. in this context it might even make sense to create meta-entries for kerberos tokens and even unix passwords (with close relation to pam_time/pam_group).

end-user/desktop applications (password managers, ssh, gpg, etc.) would use the keys stored in the agent - obviously. a buzz word that comes to mind is x.509 compliance, but i really have no idea what that would include.

as far as security goes, i really need some input. possible concerns:

- having a central agent for all users might be frowned upon. one could make the agent fork a sub-agent for each user, but this would require some elaborate IPC. plan b is to make fdo-keyagent a meta-agent that would spawn ssh-agents, gpg-agents, etc. on demand, ref-count them and do other housekeeping. even more "interesting" IPC.
- apps using PAM traditionally have been bad at using mlock, and i wouldn't know how to fix this. what do the security experts think about this issue?
- having the d-bus daemon in between doesn't exactly help, either. maybe it would make sense to use d-bus for the protocol only and set up dedicated connections for passphrase and key transfers.

i'm interested in any kind of useful comments, including pointers to prior art in that area and papers worth reading.

-- 
Hi!
I'm a .signature virus! Copy me into your ~/.signature, please!
-- Chaos, panic, and disorder - my work here is done.
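An added illustration, not code from the post or from any fdo-keyagent project, of what the agent-side cache could do about two of the points raised above (the mlock concern and keys exceeding their lifetime): a cached secret that is page-locked where the system permits it, carries an expiry, and is wiped before release. All names (keyagent_entry and its functions) are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <sys/mman.h>

/* One cached secret (passphrase or unlocked key material) in the agent. */
typedef struct {
    unsigned char *buf;  /* secret bytes, page-locked when possible */
    size_t len;
    time_t expires_at;   /* absolute expiry, 0 = never */
    int locked;          /* 1 if mlock() succeeded, 0 if it was refused */
} keyagent_entry;

/* memset through a volatile pointer so the compiler cannot drop the wipe. */
static void *(*volatile wipe_fn)(void *, int, size_t) = memset;

/* Copy a secret into a fresh entry; lifetime_s == 0 means it never expires.
 * mlock() can fail (e.g. RLIMIT_MEMLOCK); the caller inspects e->locked to
 * decide whether an unlocked copy is acceptable for its policy. */
keyagent_entry *keyagent_entry_new(const unsigned char *secret, size_t len,
                                   time_t now, unsigned lifetime_s)
{
    keyagent_entry *e = calloc(1, sizeof *e);
    if (!e) return NULL;
    e->buf = malloc(len ? len : 1);
    if (!e->buf) { free(e); return NULL; }
    e->len = len;
    e->locked = (mlock(e->buf, e->len) == 0);  /* keep it out of swap */
    memcpy(e->buf, secret, len);
    e->expires_at = lifetime_s ? now + (time_t)lifetime_s : 0;
    return e;
}

/* 1 if the entry's lifetime has passed at time `now`, else 0. */
int keyagent_entry_expired(const keyagent_entry *e, time_t now)
{
    return e->expires_at != 0 && now >= e->expires_at;
}

/* Wipe, unlock and release. The wipe happens before munlock() so the
 * plaintext never becomes swappable on its way out. */
void keyagent_entry_free(keyagent_entry *e)
{
    if (!e) return;
    wipe_fn(e->buf, 0, e->len);
    if (e->locked) munlock(e->buf, e->len);
    free(e->buf);
    free(e);
}
```

The expiry check is what a periodic sweep in the agent would call before emitting the "key exceeded its lifetime" notification and dropping the entry.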
