python API for dom0 <> AppVM communication


the2nd

Aug 12, 2017, 9:56:39 AM
to qubes-devel
Hi,

I am the developer of OTPme (otpme.org), an authentication system with a
focus on multi-factor authentication. The not yet released version 0.3 will
come with a PAM module to authenticate e.g. with a YubiKey (U2F,
challenge/response, HOTP etc.). The module also handles offline logins,
screen unlocking etc.

Now that I am a happy Qubes OS user I would like to support Qubes within
OTPme to be able to handle dom0 login with OTPme. The PAM module is written
in Python and my plan is to have a sys-auth AppVM where my YubiKey is
connected to and OTPme (client) is installed. In dom0 I just want to have
the PAM module which should pass on username/password to the sys-auth VM
which does the authentication (online or offline). So what I need is some
kind of socket between dom0 and the sys-auth VM. I've looked at the split
gpg/ssh stuff and it seems like it uses Qubes RPC to do exactly this (e.g.
https://github.com/henn/qubes-app-split-ssh).

My question now is: is this the preferred way to implement something like
this, or is there any Python API to use? If I understand it right, at least
the split ssh implementation just forwards a unix socket via stdin/stdout
(netcat) through qrexec...

Any help is appreciated.

Regards
the2nd

Marek Marczykowski-Górecki

Aug 12, 2017, 10:10:52 AM
to the2nd, qubes-devel
On Sat, Aug 12, 2017 at 06:56:38AM -0700, the2nd wrote:
> Hi,

Hi,

> I am the developer of OTPme (otpme.org), an authentication system with a
> focus on multi-factor authentication. The not yet released version 0.3 will
> come with a PAM module to authenticate e.g. with a YubiKey (U2F,
> challenge/response, HOTP etc.). The module also handles offline logins,
> screen unlocking etc.
>
> Now that I am a happy Qubes OS user I would like to support Qubes within
> OTPme to be able to handle dom0 login with OTPme. The PAM module is written
> in Python and my plan is to have a sys-auth AppVM where my YubiKey is
> connected to and OTPme (client) is installed. In dom0 I just want to have
> the PAM module which should pass on username/password to the sys-auth VM
> which does the authentication (online or offline).

Is it about the user authenticating to Qubes (like unlocking the screenlocker),
or the user logging into some external service? In the first case, why
would dom0 send username/password anywhere? I'd expect rather the opposite -
sys-auth sending some token to dom0 to authenticate.

See here for a similar solution:
https://www.qubes-os.org/doc/yubi-key/

> So what I need is some
> kind of socket between dom0 and the sys-auth VM. I've looked at the split
> gpg/ssh stuff and it seems like it uses Qubes RPC to do exactly this (e.g.
> https://github.com/henn/qubes-app-split-ssh).
>
> My question now is: is this the preferred way to implement something like
> this, or is there any Python API to use? If I understand it right, at least
> the split ssh implementation just forwards a unix socket via stdin/stdout
> (netcat) through qrexec...

Yes, this is the preferred way, see more details here:
https://www.qubes-os.org/doc/qrexec3/

While there is a Python API (as part of the Admin API) which among other
things wraps this, it is overkill here. It would wrap
subprocess.Popen(...) into a slightly longer line...

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
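As an added example (not code from the thread, OTPme or Qubes), the stdin/stdout exchange Marek describes, in Python: dom0 invokes a qrexec service in sys-auth via subprocess and locally verifies the token that comes back, so the token flows from sys-auth to dom0 rather than the password the other way. The service name otpme.Auth, the VM name sys-auth and the exact qrexec-client command line are assumptions to check against the qrexec3 documentation linked above.

```python
import hmac
import re
import subprocess

# Assumed names (not from the thread): sys-auth would install the service as
# /etc/qubes-rpc/otpme.Auth and dom0 would allow it in its qrexec policy.
VM = "sys-auth"
SERVICE = "otpme.Auth"
TOKEN_RE = re.compile(rb"[A-Za-z0-9_-]{16,128}")   # shape dom0 accepts back
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")     # shape both sides accept


def dom0_command(vm: str, service: str) -> list:
    """dom0-side invocation; the command line follows the qrexec3 doc and is
    an assumption to check against your release. stdin/stdout carry the data."""
    return ["qrexec-client", "-d", vm, f"user:QUBESRPC {service} dom0"]


def call_service(payload: bytes, runner=None) -> bytes:
    """dom0 side: hand payload to the service on stdin, return its raw stdout.
    `runner` is injectable so the exchange can be exercised without qrexec."""
    if runner is None:
        def runner(cmd, data):
            return subprocess.run(cmd, input=data, stdout=subprocess.PIPE,
                                  timeout=30).stdout
    return runner(dom0_command(VM, SERVICE), payload)


def appvm_service(stdin_data: bytes, lookup) -> bytes:
    """sys-auth side (body of the qrexec service script): read the request
    line, obtain a token from the local OTPme client (modelled by `lookup`)
    and write only the token back. No password crosses the VM boundary."""
    line = stdin_data.split(b"\n", 1)[0]
    try:
        username = line.decode("ascii")
    except UnicodeDecodeError:
        return b""
    if not USER_RE.fullmatch(username):
        return b""
    return lookup(username) + b"\n"


def authenticate(username: str, expected: bytes, runner=None) -> bool:
    """dom0 side: request a token for `username` and verify it locally. The
    VM's reply is untrusted input: bounded, whitelisted, compared in constant time."""
    if not USER_RE.fullmatch(username):
        return False
    reply = call_service(username.encode("ascii") + b"\n", runner)
    token = reply[:1024].split(b"\n", 1)[0]
    if not TOKEN_RE.fullmatch(token):
        return False
    return hmac.compare_digest(token, expected)
```

In a real deployment `appvm_service` would read `sys.stdin.buffer` and write to `sys.stdout.buffer` inside the service script, while `expected` on the dom0 side comes from whatever local verification material the PAM module keeps there.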

the2nd

Aug 12, 2017, 4:03:40 PM
to qubes-devel, hei...@gmail.com
Hmm, I answered this mail some hours ago and now Google tells me that it was deleted, but I don't know the reason. I wrote nothing important, just a short explanation of what OTPme does in case a user logs in, but I wonder why it was deleted...

But thanks for your answer anyway. I'll try to implement it using the qrexec framework.

Regards
the2nd