Hi,

I am the developer of OTPme (otpme.org), an authentication system with a focus on multi-factor authentication. The not yet released version 0.3 will come with a PAM module to authenticate e.g. with a YubiKey (U2F, challenge/response, HOTP etc.). The module also handles offline logins, screen unlocking etc.

Now that I am a happy Qubes OS user, I would like to support Qubes within OTPme to be able to handle dom0 login with OTPme. The PAM module is written in Python and my plan is to have a sys-auth AppVM to which my YubiKey is connected and where OTPme (client) is installed. In dom0 I just want to have the PAM module, which should pass on username/password to the sys-auth VM, which does the authentication (online or offline). So what I need is some kind of socket between dom0 and the sys-auth VM. I've looked at the split gpg/ssh stuff and it seems like it uses Qubes RPC to do exactly this (e.g. https://github.com/henn/qubes-app-split-ssh).

My question now is: is this the preferred way to implement something like this, or is there any Python API to use? If I understand it right, at least the split ssh implementation just forwards a unix socket via stdin/stdout (netcat) through qrexec....

Any help is appreciated.

Regards
the2nd
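
A sketch of the dom0 side of the design asked about above, added here as an illustration; it is not code from the post, from OTPme or from Qubes. It frames the credentials as one line on the service's stdin and accepts only a bounded, exact reply, since dom0 should not trust what the VM sends back. The service name `otpme.Auth`, the VM name `sys-auth`, the reply token and the `qrexec-client` argument form are assumptions to check against your Qubes release.

```python
import json
import subprocess
import threading

# Assumed dom0 invocation; "otpme.Auth" and "sys-auth" are hypothetical names.
QREXEC_CMD = ["qrexec-client", "-d", "sys-auth", "DEFAULT:QUBESRPC otpme.Auth dom0"]
MAX_REPLY = 8  # dom0 never reads more than this (+1 byte) from the VM


def encode_request(username, password):
    """One line of JSON; json.dumps escapes newlines, so the frame is unambiguous."""
    return json.dumps({"user": username, "pass": password}).encode() + b"\n"


def parse_reply(raw):
    """Only the exact token grants access; anything else is a denial."""
    return raw == b"OK\n"


def authenticate(username, password, command=QREXEC_CMD, timeout=10.0):
    """Send credentials over the service's stdin and read a bounded reply."""
    try:
        proc = subprocess.Popen(command, stdin=subprocess.PIPE,
                                stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    except OSError:
        return False  # fail closed if the call cannot be started
    timer = threading.Timer(timeout, proc.kill)  # a hung VM must not hang login
    timer.start()
    try:
        proc.stdin.write(encode_request(username, password))
        proc.stdin.close()
        raw = proc.stdout.read(MAX_REPLY + 1)  # one extra byte detects oversize
        proc.stdout.close()
        return proc.wait() == 0 and parse_reply(raw)
    except OSError:
        return False  # e.g. broken pipe because the service exited early
    finally:
        timer.cancel()
        if proc.poll() is None:
            proc.kill()
        proc.wait()
```

The `command` parameter lets the same function be exercised against a local stand-in process before it is wired to qrexec.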