
Combining security key based login with sshfs mount on PXE booted live system


TL;DR: What is the best way to mount user homes via SSHFS (or any other encrypted protocol) at login while enforcing the use of security keys like Yubikeys and Nitrokeys?

The long version: I need to build a new network consisting of (initially at least) one central server and multiple clients. The idea is to let the clients boot via PXE and then mount all needed folders via SSHFS. That should be no problem at all with a correctly configured pam_mount if I only wanted to use username and password, but I also need to enforce the necessity to use a Yubikey as second factor to unlock the SSHFS mounts.

Do you know of any more or less ready-to-use solutions which I can use to reach my goal?

For the sake of completeness of course I also had a few ideas, but I don't know if one of them is actually feasible:

  1. Using pam_exec in combination with a custom script acting as a wrapper around all necessary steps. A server daemon would check the basic authentication using username+password, and, if successful, respond with a (FIDO2) challenge which the client would use to generate a FIDO2 assertion which again the server could check and, if successful, generate a temporary SSH key of which the public key would be added to the authorized_keys file and the private key be returned to the client. After a specific amount of time the server would remove this entry again. I am quite sure this is feasible.

  2. Again using pam_exec and a custom script but this time adding Keycloak to the server setup, so that the server daemon would act as a Service Provider in terms of OpenID Connect. I think the problem here is that the client (wrapper) script would need to be able to authenticate to Keycloak because "Direct Grant"/"Resource Owner Grant" cannot be used with two-factor authentication based on hardware tokens.

Thanks in advance for any hint.
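The "temporary entry in authorized_keys that the server removes again" step of idea 1, as an added example that is not part of the original post: it builds and reaps short-lived grants using two real OpenSSH authorized_keys options, `restrict` (no pty or forwarding, so the key is only good for the sftp subsystem that sshfs needs) and `expiry-time="YYYYMMDDHHMMSSZ"` (sshd itself refuses the key after that UTC time, so a late reaper does not extend access). The public keys below are constructed samples, and the password and FIDO2 assertion checks that precede this step are assumed to have happened elsewhere.

```python
"""Short-lived authorized_keys grants for the SSHFS design in idea 1 above.

Added example, not the asker's code. Uses OpenSSH's `restrict`, `from=` and
`expiry-time="...Z"` authorized_keys options; key material is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample key, not a real credential.
SAMPLE_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKey00000000000000000000 alice-temp"

_TS_FMT = "%Y%m%d%H%M%S"
_EXPIRY_RE = re.compile(r'expiry-time="(\d{14})Z"')

def parse_ts(ts: str) -> datetime:
    """Parse the YYYYMMDDHHMMSSZ form this example writes (UTC only)."""
    return datetime.strptime(ts.rstrip("Z"), _TS_FMT).replace(tzinfo=timezone.utc)

def temporary_entry(pubkey: str, client_ip: str, ttl_seconds: int, now: datetime) -> str:
    """One authorized_keys line usable only from client_ip until now + ttl."""
    expiry = (now + timedelta(seconds=ttl_seconds)).strftime(_TS_FMT) + "Z"
    return f'restrict,from="{client_ip}",expiry-time="{expiry}" {pubkey}'

def entry_expiry(line: str):
    """Expiry of a line, or None for permanent (e.g. admin) keys."""
    m = _EXPIRY_RE.search(line)
    return parse_ts(m.group(1) + "Z") if m else None

def reap_expired(lines, now: datetime):
    """Drop grants whose expiry has passed; keep everything else untouched."""
    return [l for l in lines if (e := entry_expiry(l)) is None or e > now]

def grant(lines, pubkey, client_ip, ttl_seconds, now):
    """Server step after password + FIDO2 assertion were verified (out of
    scope here): reap stale grants, then append the new short-lived one."""
    return reap_expired(lines, now) + [temporary_entry(pubkey, client_ip, ttl_seconds, now)]

if __name__ == "__main__":
    now = parse_ts("20240102030405Z")
    keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKey000000000000000000000 admin"]
    keys = grant(keys, SAMPLE_PUBKEY, "10.0.0.7", 600, now)
    print("\n".join(keys))
```

The reaper only keeps the file tidy; the `expiry-time` option is what actually bounds the grant, so the reaper running late or not at all does not leave the mount key usable.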
