On Sat, Aug 12, 2017 at 06:56:38AM -0700, the2nd wrote:
> Hi,
Hi,
> I am the developer of OTPme (otpme.org), an authentication system with
> focus on multi-factor authentication. The not yet released version 0.3 will
> come with a PAM module to authenticate e.g. with a yubikey (U2F,
> challenge/response, HOTP etc.). The module also handles offline logins,
> screen unlocking etc.
>
> Now that I am a happy Qubes OS user I would like to support Qubes within
> OTPme to be able to handle dom0 login with OTPme. The PAM module is written
> in Python and my plan is to have a sys-auth AppVM where my yubikey is
> connected to and OTPme (client) is installed. In dom0 I just want to have
> the PAM module which should pass on username/password to the sys-auth VM
> which does the authentication (online or offline).
Is it about a user authenticating to Qubes (like unlocking the screenlocker),
or a user logging into some external service? In the first case, why would
dom0 send the username/password anywhere? I'd rather expect the opposite:
sys-auth sending some token to dom0 to authenticate.
See here for a similar solution:
https://www.qubes-os.org/doc/yubi-key/
> So what i need is some
> kind of socket between dom0 and sys-auth VM. I've looked at the split
> gpg/ssh stuff and it seems like it uses qubes RPC to do exactly this. (e.g.
> https://github.com/henn/qubes-app-split-ssh)
>
> My question now is, is this the preferred way to implement something like
> this or is there any Python API to use? If I understand it right at least
> the split ssh implementation just forwards a unix socket via stdin/stdout
> (netcat) through qrexec....
Yes, this is the preferred way; see more details here:
https://www.qubes-os.org/doc/qrexec3/
While there is a Python API (as part of the Admin API) which, among other
things, wraps this, it is overkill here. It will wrap
subprocess.Popen(...) into a slightly longer line...
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
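Added example, not part of the original thread and not OTPme or Qubes code: a dom0-side handler for the direction suggested in the reply, where sys-auth sends a one-time token to dom0 over qrexec and dom0 verifies it without any credential leaving dom0. The service itself, the `sys-auth` name check, the input limits and the constructed secret are assumptions; HOTP follows RFC 4226 and `QREXEC_REMOTE_DOMAIN` is the variable qrexec sets to the calling VM's name.

```python
#!/usr/bin/env python3
"""dom0-side handler for a hypothetical qrexec service that receives an HOTP
code from the sys-auth VM on stdin and verifies it locally (RFC 4226)."""
import hashlib
import hmac
import os
import struct
import sys

EXPECTED_VM = "sys-auth"   # assumption: the VM that holds the YubiKey
DIGITS = 6
MAX_INPUT = 16             # read limit: anything coming from a VM is untrusted


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP value for one counter (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(remote_vm, raw: bytes, secret: bytes, counter: int, window: int = 3):
    """Return the next counter to store on success, or None on any failure."""
    if remote_vm != EXPECTED_VM:      # defence in depth on top of qrexec policy
        return None
    token = raw.strip()
    if len(raw) > MAX_INPUT or len(token) != DIGITS or not token.isdigit():
        return None
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c).encode(), token):
            return c + 1              # persist this so the code cannot be replayed
    return None


if __name__ == "__main__":
    # Constructed secret and counter; a real service would load and update
    # both from root-only storage in dom0.
    secret, counter = b"12345678901234567890", 0
    raw = sys.stdin.buffer.read(MAX_INPUT + 1)
    result = verify(os.environ.get("QREXEC_REMOTE_DOMAIN"), raw, secret, counter)
    sys.exit(0 if result is not None else 1)
```

The exit status is what a PAM module or screen-unlock hook in dom0 would act on; only the short token crosses the VM boundary, never the password.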