Two factor authentication (Security)

Registered by Marc Deslauriers

Implement and/or improve and document two-factor authentication in Ubuntu. This could include USB keys, Smartcards, RFID, fingerprint readers, etc.

Blueprint information

Status:
Not started
Approver:
Kees Cook
Priority:
High
Drafter:
Marc Deslauriers
Direction:
Needs approval
Assignee:
Marc Deslauriers
Definition:
Approved
Series goal:
Accepted for maverick
Implementation:
Not started
Milestone target:
milestone icon ubuntu-10.10

Related branches

Sprints

Whiteboard

Work items:
write wiki page detailing types of 2 factor auth: POSTPONED
[jdstrand] create howto for remote access one-time password: HOTP/yubikey (new) or opie s/key (old): POSTPONED
create howto for USB key storage of ecryptfs key: POSTPONED
create howto for smartcard storage of gpg and ssh keys: POSTPONED
create howto for fingerprint reader authentication: POSTPONED
investigate two factor auth to Active Directory: POSTPONED
add appropriate howtos to official documentation: POSTPONED

Gobby notes from lucid session:

What do we need to add to the archive, and what do we need to add to main?

= Existing stuff people have done on Linux =
 * OPIE (S/Key)
 * libpam-otpw
 * smart card
  * Soren's fun hack (OpenPGP card, with SSH keys)
 * freeradius mod-xradius, pam module for Yubikey, for authentication to network services
 * USB key auto-mounting for eCryptfs key, via fstab and udev rule for auto-mounting when not logged in yet
 * RSA SecureID (proprietary, but server runs on Linux)
 * OpenAuthentication (oath)

= Existing stuff people have done that they would like on Linux =
 * AD with smart cards (or similar) -- required for certain environments (eg gov't)
 * Arbitrary biometric backend system support
 * Voice print identification

= Models from PAM's perspective =
 * 2-factor to local
 * 2-factor to remote directory

= Goals =
 * Decrypt devices
 * Auth to remote devices
 * Securely store keys
 * Locally authenticate
 * Arbitrary authentication based on policy (e.g. time: idle <15min == fingerprint only, >15min == full auth)

= Fingerprint stuff =
 * thinkfinger daemon replaced by fprint
 * currently mostly used as either/or with regular password for single-factor auth

= Warnings =
 * gdm: omg, do PAM right, please
 * eCryptfs PKCS11 and TPM support: don't use this right now (inefficient PoC)

= How To =
 * Write a PAM module for your backend please
 * Use pam-auth-update to DTRT, it was written with 2-factor in mind

= Central Directories =
 * Novell eDirectory
 * AD
 * LDAP

= Potentially For Lucid =
 * Develop a single recipe for a 2-factor authentication of some specific type
  * Move mount passphrase to external device
   * http://blog.dustinkirkland.com/2009/03/ubuntu-encrypted-home-with-2-factor.html
  * using something most people already own (CC#)

= Insanity =
 * libpam-pulseaudio

Olof 091130:
The fprint backend works quite well for my AES1600 fingerprint reader, but there are two problems that I can see.
1. There is no GUI tool for managing the pam settings. Currently these has to be set by hacking files in /etc/security
2. Also, fprint does not work well with gksu/gksudo. This is yet another reason to take gksudo out of the desktop (https://blueprints.launchpad.net/ubuntu/+spec/security-karmic-no-sudo)

= Links =
 * Here are instructions how to use the Crypto Stick and OpenPGP Card with Ubuntu and with various Open Source applications: https://privacyfoundation.de/wiki/CryptoStickSoftwareEn

(?)

Work Items