[fprint] fprint authentication over ssh

Pavel Herrmann morpheus.ibis at gmail.com
Wed Jul 16 06:24:51 PDT 2014


Hi

On Wednesday 16 of July 2014 16:11:32 Igor Gnatenko wrote:
> On Sat, Jul 12, 2014 at 3:59 PM, Pavel Herrmann <morpheus.ibis at gmail.com> wrote:
> > Hi
> 
> Hi,
> 
> > On Saturday 12 of July 2014 15:35:33 Igor Gnatenko wrote:
> >> Hi,
> >> 
> >> I have local laptop with finger scanner and have remote server.
> >> 
> >> Can I login over ssh and authorize by fingerprint?
> > 
> > do you want this as a gimmick, or as a real security feature?
> 
> real security feature.
> 
> > one way to do this (the gimmicky one) is to have public key auth on ssh,
> > and have a program on the laptop that unlocks/decrypts your key only if
> > it gets the right fingerprint.
> > However, if an attacker were to steal your laptop, he could reverse said
> > program to decrypt your private key without needing your fingerprint, so
> > it's not really any more secure than having a decrypted private key on
> > your laptop
> > 
> > for real security, you would need to implement the fingerprint matching on
> > a secure system (not your laptop)
> 
> Can you provide some more info on what I want to do? I could implement it,
> but I don't know where to start.
> I.e. it would be good if I knew everything that I should write. A new PAM
> module or what.

This requires some thought, so that it would not have any obvious security 
hole.

There is a setup I had in mind, but it is rather complex, and would require a 
lot of work to get working.

The first step would be to modify libfprint to allow it to run as two processes, 
where one ("the server") would do the comparison, while the other ("the 
client") would control the fingerprint reader. It may be possible to do this 
(at least the server part) by simply implementing a dummy driver, but more 
intrusive modifications might be necessary.

You would connect these two parts by some TLS tunnel, which should provide 
protection against virtually any attack during transport.

Next, you would use "the server" together with Kerberos S4U extensions to 
create an authentication backend that would give out Kerberos tickets based 
on your fingerprint (as opposed to a password in the usual setup).

In the end you would have your client application, that would connect to the 
server, ask for your fingerprint, send it to the server for comparison, and in 
case of success, receive a Kerberos ticket back. This ticket could then be 
used to log on through SSH, or any other Kerberos-aware service.

Please note that you could fake "the client" and just send the image of your 
fingerprint, but this is an inherent security issue with the fingerprint concept 
and cannot be helped.
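
The two designs discussed in this message, as an added Python sketch that is not part of the original post and is not libfprint code. All names are hypothetical, the cipher and the matcher are constructed toys, and an HMAC-signed ticket stands in for the Kerberos ticket.

```python
import hashlib, hmac, os

def xor_stream(key, data):
    """Toy SHA-256 counter keystream; illustration only, not a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def matches(sample, template, tolerance=2):
    """Constructed stand-in matcher: scans vary, so it answers yes/no, never a key."""
    return (len(sample) == len(template)
            and sum(a != b for a, b in zip(sample, template)) <= tolerance)

# Local scheme: the laptop disk must hold everything the unlock program needs.
def enroll_local(private_key, template):
    wrap_key = os.urandom(32)
    return {"template": template, "wrap_key": wrap_key,
            "wrapped": xor_stream(wrap_key, private_key)}

def unlock_local(disk, sample):
    if not matches(sample, disk["template"]):
        return None
    return xor_stream(disk["wrap_key"], disk["wrapped"])

def recover_from_disk(disk):
    """Same computation with the match skipped: the gate adds no secrecy."""
    return xor_stream(disk["wrap_key"], disk["wrapped"])

# Remote scheme: template and ticket key exist only on the server.
class MatchServer:
    def __init__(self, template):
        self._template = template
        self._ticket_key = os.urandom(32)

    def _mac(self, body):
        return hmac.new(self._ticket_key, body, "sha256").hexdigest().encode()

    def authenticate(self, user, sample, now):
        """Issue a 5-minute signed ticket (stand-in for a Kerberos ticket)."""
        if not matches(sample, self._template):
            return None
        body = f"{user}|{int(now) + 300}".encode()
        return body + b"|" + self._mac(body)

    def verify(self, ticket, now):
        body, _, mac = ticket.rpartition(b"|")
        return hmac.compare_digest(mac, self._mac(body)) and int(body.rsplit(b"|", 1)[1]) > now
```

In the remote scheme the laptop stores no template and no key, so a stolen disk yields nothing to unwrap; what remains is the replayed-image problem noted at the end of the message.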

