[nycbug-talk] Reducing password fatigue on OpenBSD (or any BSD)

Raul Cuza raulcuza at gmail.com
Mon Nov 11 12:19:34 EST 2013


On Sat, Nov 9, 2013 at 8:41 PM, Eric Radman <ericshane at eradman.com> wrote:
> This week I moved /home to a softraid(4) crypto device on my laptop so
> that I would no longer need to spend time worrying about the
> consequences of it being lost or stolen. Works great; I just have to
> "unlock" the volume on boot
>
> Passphrase: ****************
>
> And log in
>
> login: myself
> Password: ****************
>
> And activate my SSH keypairs
>
> $ eval `ssh-agent`
> $ ssh-add
> Enter passphrase for /home/myself/.ssh/id_XXX: ****************
>
> And I haven't even typed kinit yet.
>
> Are there any well-respected practices for keying off of data stored on
> a USB stick? How might one collapse two of these steps in a reasonably
> secure way?
>
> Thought it would be worth asking before I wander off and invent a flawed
> or brittle shortcut!
>
> --
> Eric Radman


Probably should not reply as I don't have any well-respected practices
to offer, but nature abhors a vacuum.

It seems like any automation between the volume decryption and getting
s*$+ done would leave you vulnerable in some way. It is not like a
unique code can be generated on the output of one step that can be
part of the input of the next step.

What about something like the Yubi key? It means you have to have a
USB port (which you do not seem to be opposed to) and you don't have
to type your passphrase(s) over and over. See
http://geekyschmidt.com/2010/12/27/yubikey-and-my-desire-to-beat-the-feds-to-hspd12-compliance
for a post about it. I've not used it with OpenBSD, but I've used OTP
at a couple of sites with a warm sense of safety (but that might have
just been the heat generated by the NSA using my CPU to decrypt
hashes).

Raúl

p.s. I love that my $work filters geekyschmidt.com as a
Proxy/Anonymizer. "Bad website, bad website. Sit. Play dead. Good
website, good website."
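Added example, not from either mail in this thread: a small sh snippet for the one step in Eric's list that can be collapsed without storing a secret anywhere, reusing a single ssh-agent across logins so the key passphrase is typed once per agent lifetime rather than at every login. It assumes the agent's socket path and pid are cached in ~/.ssh/agent.env (my choice of location, not anything the thread mentions), treats that cache as stale unless the socket still exists and the pid still answers, and does nothing for the softraid passphrase or the login prompt.

```sh
# Added example (not from Eric's or Raul's mail): keep one ssh-agent alive
# across logins so `ssh-add` and its passphrase prompt happen once per
# agent lifetime rather than once per login. The agent's socket path and
# pid are cached in $AGENT_ENV (an assumed location); the cache is only
# trusted if the socket still exists and the pid still answers a signal.
# The file holds no key material, but it is created 0600 anyway.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# agent_field FILE NAME: print the value assigned to NAME in an
# `ssh-agent -s` output file (lines look like NAME=value; export NAME;).
agent_field() {
    sed -n "s/^$2=\([^;]*\);.*/\1/p" "$1" 2>/dev/null
}

# agent_alive FILE: exit 0 if FILE names a usable agent, 1 otherwise.
agent_alive() {
    f="$1"
    [ -r "$f" ] || return 1
    sock=$(agent_field "$f" SSH_AUTH_SOCK)
    pid=$(agent_field "$f" SSH_AGENT_PID)
    [ -n "$sock" ] && [ -n "$pid" ] || return 1
    [ -S "$sock" ] || return 1          # socket gone: stale cache
    kill -0 "$pid" 2>/dev/null          # pid gone: stale cache
}

# start_or_reuse_agent: export a working SSH_AUTH_SOCK/SSH_AGENT_PID,
# starting a new agent only when the cached one is dead.
start_or_reuse_agent() {
    if ! agent_alive "$AGENT_ENV"; then
        ( umask 077; ssh-agent -s > "$AGENT_ENV" ) || return 1
    fi
    . "$AGENT_ENV" >/dev/null
}

# ensure_keys_loaded: what ~/.profile would call. Keys are added with a
# bounded lifetime so a running, unattended laptop does not hold them
# unlocked indefinitely.
ensure_keys_loaded() {
    start_or_reuse_agent || return 1
    # ssh-add -l exits 0 only if the agent already holds identities
    ssh-add -l >/dev/null 2>&1 || ssh-add -t 8h
}
```

Calling ensure_keys_loaded from ~/.profile gives one passphrase prompt per agent lifetime instead of one per login. The trade-off is that a long-running agent keeps decrypted keys in memory, which is why the example bounds their lifetime with ssh-add -t; the cache file itself only names a socket and a pid.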



