Situation:
- Password-less methods like YubiKeys etc. have their own unique keys. A backup YubiKey has a different second key. (See FIDO2 hmac-secret for how to get deterministic keys out.)
- Users have a backup password in case they do not have their YubiKey with them.
For login there currently exists a Yubico-provided PAM module which handles multiple keys and delegates to pam_unix for password login.
However, that module doesn't emit the user password when unlocking with a YubiKey, since it doesn't store it.
Problems:
- No single password during login -> no keyring unlock during certain flows.
- Current keyring prompters ask for a password, I doubt they are extendible like PAM?
The first thing that comes to mind for me when needing a shared secret is SOPS, but that seems to be aimed at ssh or age keys, not arbitrary ones. Another option is to simply encrypt the shared secret with each key. Keys can hopefully be distinguished by id or method.
I believe I would need to solve that shared secret issue outside of oo7, since oo7 seems to already have been written for the single password model.
Question:
If I were to implement a proof of concept for passwordless with oo7, I suppose I would need to:
- write my own PAM module (to support passwordless methods and to extract the shared key, update on passwd change)
- create a 3rd prompter in the server to talk to a custom prompter client.
- create a prompter client (to support passwordless methods and to extract the shared key)
Is what I described the intended path to support passwordless methods?
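The "encrypt the shared secret with each key" option from the post, as an added worked example (written for this note; it is not code from oo7, yubico-pam or the poster). One random keyring secret is wrapped once per unlock method, and every slot carries an id so a prompter or PAM module knows which key to ask for. The FIDO2 hmac-secret output is simulated by a function that computes HMAC-SHA256(credRandom, salt) over a constructed credRandom, which is what the real extension returns from the authenticator; the slot ids, the PBKDF2 parameters and the store layout are assumptions. Only the standard library is used so it runs without extra packages.

```python
"""Shared keyring secret wrapped once per unlock method (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional

SECRET_LEN = 32  # the single keyring secret that every unlock method must yield


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract + expand) with SHA-256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def wrap_secret(secret: bytes, slot_id: str, slot_key: bytes) -> dict:
    """Wrap the shared secret under one method's key.

    A fresh salt per slot derives a one-time mask and a MAC key from slot_key.
    The secret is fixed-length and the mask is used once, so XOR is a one-time
    pad; the HMAC over id, salt and ciphertext gives encrypt-then-MAC integrity.
    """
    assert len(secret) == SECRET_LEN
    salt = secrets.token_bytes(16)
    mask = hkdf_sha256(slot_key, salt, b"wrap:" + slot_id.encode(), SECRET_LEN)
    mac_key = hkdf_sha256(slot_key, salt, b"mac:" + slot_id.encode(), 32)
    ct = bytes(a ^ b for a, b in zip(secret, mask))
    tag = hmac.new(mac_key, slot_id.encode() + salt + ct, hashlib.sha256).digest()
    return {"id": slot_id, "salt": salt.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unwrap_secret(slot: dict, slot_key: bytes) -> Optional[bytes]:
    """Recover the shared secret from one slot; None if the key or the slot is wrong."""
    salt, ct = bytes.fromhex(slot["salt"]), bytes.fromhex(slot["ct"])
    mask = hkdf_sha256(slot_key, salt, b"wrap:" + slot["id"].encode(), SECRET_LEN)
    mac_key = hkdf_sha256(slot_key, salt, b"mac:" + slot["id"].encode(), 32)
    expected = hmac.new(mac_key, slot["id"].encode() + salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(slot["tag"])):
        return None  # wrong key, or the stored slot was altered
    return bytes(a ^ b for a, b in zip(ct, mask))


def password_slot_key(password: str, kdf_salt: bytes) -> bytes:
    """Backup password -> slot key. PBKDF2 with an iteration count chosen for this example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), kdf_salt, 200_000)


def fido2_hmac_secret(cred_random: bytes, salt: bytes) -> bytes:
    """Stand-in for the FIDO2 hmac-secret extension: the authenticator returns
    HMAC-SHA256(credRandom, salt) for the 32-byte salt the client supplies.
    credRandom is a constructed value here; on real hardware it never leaves the key."""
    return hmac.new(cred_random, salt, hashlib.sha256).digest()


def unlock(store: dict, slot_id: str, slot_key: bytes) -> Optional[bytes]:
    """Look up the slot for the method that just authenticated and unwrap it."""
    for slot in store["slots"]:
        if slot["id"] == slot_id:
            return unwrap_secret(slot, slot_key)
    return None


def replace_slot(store: dict, secret: bytes, slot_id: str, new_key: bytes) -> None:
    """On passwd change: re-wrap the unchanged secret under the new key only."""
    store["slots"] = [s for s in store["slots"] if s["id"] != slot_id]
    store["slots"].append(wrap_secret(secret, slot_id, new_key))


def demo() -> dict:
    """Enrol two authenticators and a backup password, then exercise each path."""
    keyring_secret = secrets.token_bytes(SECRET_LEN)
    primary_cred, backup_cred = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed
    hmac_salt = secrets.token_bytes(32)  # client-chosen hmac-secret salt, stored with the slots
    pw_salt = secrets.token_bytes(16)
    store = {"hmac_salt": hmac_salt.hex(), "pw_salt": pw_salt.hex(), "slots": [
        wrap_secret(keyring_secret, "fido2:primary", fido2_hmac_secret(primary_cred, hmac_salt)),
        wrap_secret(keyring_secret, "fido2:backup", fido2_hmac_secret(backup_cred, hmac_salt)),
        wrap_secret(keyring_secret, "password", password_slot_key("correct horse", pw_salt)),
    ]}
    results = {
        "primary": unlock(store, "fido2:primary", fido2_hmac_secret(primary_cred, hmac_salt)) == keyring_secret,
        "backup": unlock(store, "fido2:backup", fido2_hmac_secret(backup_cred, hmac_salt)) == keyring_secret,
        "password": unlock(store, "password", password_slot_key("correct horse", pw_salt)) == keyring_secret,
        "wrong_password": unlock(store, "password", password_slot_key("wrong", pw_salt)),
    }
    # Password change: only the password slot is rewritten; the YubiKey slots stay valid.
    replace_slot(store, keyring_secret, "password", password_slot_key("new pass", pw_salt))
    results["old_password_after_change"] = unlock(store, "password", password_slot_key("correct horse", pw_salt))
    results["new_password_after_change"] = unlock(store, "password", password_slot_key("new pass", pw_salt)) == keyring_secret
    results["backup_after_change"] = unlock(store, "fido2:backup", fido2_hmac_secret(backup_cred, hmac_salt)) == keyring_secret
    return results


if __name__ == "__main__":
    print(demo())
```

The per-slot XOR wrap is sound only because the wrapped value is exactly one 32-byte key and each mask is derived from a fresh salt; for variable-length data the slot body would be an AEAD such as AES-GCM or ChaCha20-Poly1305 instead. The id field is what lets a PAM module or prompter pick the right slot after a YubiKey assertion or a password entry, and a lost backup key is revoked by dropping its slot without touching the others.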