On Tue, Apr 4, 2017 at 10:04 AM, Phillip Hallam-Baker <phill@hallambaker.com> wrote:

This is a call for technical assistance with a crypto project. Hopefully it will be of wider benefit if successful.

The Mathematical Mesh has the goal of making computers easier to use by

You mean http://www.prismproof.org/

making them more secure. Note the order. While there are some times that it is appropriate for a cryptographic key to require the user to enter a PIN or the like to use it, that cannot be the default requirement, nor is it acceptable to just leave private keys sitting on disk unencrypted.

Windows and OSX both provide features that cause private keys and other credentials to be unlocked automatically using the user's password as a PIN. I want to achieve the same on Ubuntu. I am happy if the solution can also be carried across to other Linux and FreeBSD but don't have resources to cover anything else.

Various tools / ports / projects in both Linux and BSD do exist that will get you magical login encrypted homedirs. OSX also has it. Now that per dataset crypto keying is in ZFS, you might expect to see some uniform use of it spread across everything except Windows. http://open-zfs.org/wiki/ZFS-Native_Encryption https://youtu.be/frnLiXclAMo https://drive.google.com/file/d/0B5hUzsxe4cdmU3ZTRXNxa2JIaDQ/view?usp=sharin... http://pefs.io/ https://github.com/glk/pefs https://wiki.freebsd.org/PEFS http://glebkurtsou.blogspot.com/search/label/pefs You could find other implementations, FUSE, PAM, login, etc here... https://www.freebsd.org/ports/categories-grouped.html Linux does bunch of things with FUSE / PAM / dmcrypt. Even the old NFS crypto loopback still exists.

The authentication mechanism is PAM. So far, the only documentation I have found has been of the barely more comprehensible than the code variety.

https://en.wikipedia.org/wiki/OpenPAM http://www.openpam.org/ https://www.freebsd.org/cgi/man.cgi?apropos=1&query=pam https://www.freebsd.org/cgi/man.cgi?query=pam.conf

* Is hooking PAM the way to go

Probably, or quite commonly. More tricky is defining and detecting whatever is considered to be a logout state, timeout, loss of human user, etc.

or should I try to make use of an encrypted directory mechanism instead?

If that is what you want as part of an outcome, then yes.

* If PAM is the way to go, where might I find a working example for using the login password to unlock a private keystore?

See above links. Other people will probably post others.

* Has someone already done this for GPG Agent?

Probably.

In addition, one of the layered applications, Mesh/Confirm offers two factor authentication (among other things) so an example showing how to integrate a network authentication mechanism would be useful.

The architecture I am thinking of would be:

1) User logs in with password.

2) Password is passed to the unlock keys mechanism which uses it to unlock a master key.

3) Processes running under the master key account can request unlocking of profile data stored under it.

Of course, it is quite possible that the magic required to bridge the gap between 2 and 3 means effectively recreating GPGAgent.