
I use Ansible to manage my infrastructure and utilize randomized passwords (which I do not track). To access the machine I have GPG hardware security tokens (Yubikey 5 NFC) that can SSH into the machines as root. Recently I bodged a network config and found out the hard way that having disk encryption and no local root password is a major PITA (I did manage to get access again though).

The question originates from this incident; is there a way to locally login to a Linux (Debian) system using a hardware GPG token? I'd rather not have to keep track of root passwords for all the servers that I manage and instead only rely on the hardware tokens for which I already have a management process in place.

I have heard of pam-ssh-agent modules, but I have yet to make it work with gpg-agent.

Any thoughts are appreciated!

Giacomo1968
Tom Stock

1 Answer


pam_poldi can be used to authenticate using an OpenPGP smartcard.

pam_exec or pam_python can be used to implement arbitrary authentication steps.

As in the previous answer:

  • Accessing an OpenPGP smartcard generally relies on GnuPG's scdaemon, which is a user-level service and unpleasant to access from "system" contexts, especially from PAM. For example, I'm not sure whether the PAM module can work while you already have your regular scdaemon running, and I wouldn't always trust it to work in situations where you need local root access.

  • Since you have specifically a Yubikey, there are more options such as pam_pkcs11 or pam_p11 (with an X.509 PKI and the Yubikey's PIV module) – though I still wouldn't trust that for emergency root access – or pam_u2f (with the Yubikey's FIDO2 module).

grawity
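A concrete version of the pam_u2f route from the answer above, for console login on Debian, as an added example (not the answerer's configuration). It assumes the libpam-u2f package (pam_u2f 1.1.0 or newer for `pinverification`), a central mapping file at /etc/Yubico/u2f_keys, and SERVERNAME as a placeholder origin; both the path and the name are assumptions.

```text
# /etc/pam.d/login -- console (agetty/login) authentication stack on Debian.
# Added example, not from the answer above. Assumed: libpam-u2f installed,
# mapping file at /etc/Yubico/u2f_keys, SERVERNAME is a placeholder.

# 1. Register each admin's token once, as root. Pinning origin/appid to a
#    fixed value keeps the same mapping line valid on every host Ansible
#    manages (the default is pam://<hostname>, which stops matching if the
#    hostname changes or the file is copied to another machine):
#
#      pamu2fcfg -u root -o pam://SERVERNAME -i pam://SERVERNAME \
#          >> /etc/Yubico/u2f_keys
#      chmod 0600 /etc/Yubico/u2f_keys
#
#    The resulting line looks like this (values constructed/abbreviated):
#      root:KEYHANDLE...,PUBLICKEY...,es256,+presence
#    Additional Yubikeys for the same user are appended to that line
#    with "pamu2fcfg -n".

# 2. Try the token first. "sufficient" means a successful touch plus the
#    FIDO2 PIN (pinverification=1, so possession of the key alone is not
#    enough for root) completes authentication; if no token is plugged in,
#    the touch fails or the mapping file is unreadable, PAM falls through
#    to the regular password stack instead of failing closed. "cue" prints
#    a "touch the device" prompt so the login does not appear to hang.
auth    sufficient  pam_u2f.so authfile=/etc/Yubico/u2f_keys \
                    origin=pam://SERVERNAME appid=pam://SERVERNAME \
                    pinverification=1 cue

# 3. Unchanged Debian defaults follow (password fallback via pam_unix and
#    the rest of the stock stack).
@include common-auth
```

Keep a second console session or a rescue shell open while testing: a typo in this file applies to the next login attempt, and the password fallback only helps an account that actually has a password set.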