Jason | 7 Jul 2006 20:41

test, please disregard

Well, there you go not following instructions... :)

If you're still reading, I'm testing procmail recipes.  Making sure I
didn't screw up what was already working.

Jason.
--

-- 
gentoo-security <at> gentoo.org mailing list

Jason | 12 Jul 2006 15:22

ssh-agent and cryptsetup

The subject kinda says it all.  I've been hunting around for an
automated solution to backing up my encrypted home directory to a remote
server through ssh.  Obviously, the backup is also an encrypted volume.  

Is there an existing solution to getting cryptsetup to use ssh-agent
for the volume key?

The end result would put my ssh private key on a thumbdrive (password
protected).  Logging in would decrypt local homedir, and rsync with
remote encrypted homedir.  Logging out would rsync push changes up to
remote encrypted home dir and tear down all encrypted volumes and
ssh-agent.

So far, I've found the articles on encrypted home dirs with dm-crypt,
using a thumbdrive to hold the key (various solutions), pam-ssh to
automatically fire up ssh-agent using the private key password to log in
(limited success with that).  But nothing regarding using ssh-agent to
decrypt a volume.

Any ideas?

Jason.

Randall Nortman | 12 Jul 2006 16:24

Re: ssh-agent and cryptsetup

On Wed, Jul 12, 2006 at 09:22:13AM -0400, Jason wrote:
> The subject kinda says it all.  I've been hunting around for an
> automated solution to backing up my encrypted home directory to a remote
> server through ssh.  Obviously, the backup is also an encrypted volume.  
[...]

Have you considered backing up the block device that underlies your
encrypted volume instead of trying to back up the files on the
filesystem?  You don't need to decrypt and re-encrypt it in that case;
you just back up the raw (encrypted) block device using rsync (over
ssh, just to provide secure authentication).  If the block device
happens to be managed by LVM, you can use LVM's snapshot feature to
get a consistent image of the device.  Otherwise, you'd have to make
sure the filesystem is unmounted or mounted read-only during the
backup.

-- 
Randall

Jason | 12 Jul 2006 17:00

Re: ssh-agent and cryptsetup

Randall Nortman (gentoolists <at> wonderclown.com) wrote:
> On Wed, Jul 12, 2006 at 09:22:13AM -0400, Jason wrote:
> > The subject kinda says it all.  I've been hunting around for an
> > automated solution to backing up my encrypted home directory to a remote
> > server through ssh.  Obviously, the backup is also an encrypted volume.  
> 
> Have you considered backing up the block device that underlies your
> encrypted volume instead of trying to back up the files on the
> filesystem?  You don't need to decrypt and re-encrypt it in that case;
> you just back up the raw (encrypted) block device using rsync (over
> ssh, just to provide secure authentication).  If the block device
> happens to be managed by LVM, you can use LVM's snapshot feature to
> get a consistent image of the device.  Otherwise, you'd have to make
> sure the filesystem is unmounted or mounted read-only during the
> backup.

I'd considered that, unfortunately, three issues arose.  One, I've
earmarked 20 GB for my encrypted homedir for plenty of growth.  It's
currently over 4 GB of stuff I actually want there.  Two, even if I
shrink it, I can't assume I'll always have a fat pipe from my laptop.
And three, I want user login to still be as quick and transparent as
possible.  Since very little changes in my homedir from one login to the
next, rsyncing the data inside makes much more sense.

I'm currently looking at the openssh API to ssh-agent and once I have
that figured out I'll take a look at wedging it into cryptsetup.  Not
sure from a crypto perspective if that approach is tight, but I'll carry
on till I'm told otherwise. :)

Jason.

Alex | 13 Jul 2006 12:41

Re: ssh-agent and cryptsetup

Can't you use rsync on the raw encrypted volume since linux disk 
encryption is block-based?

My understanding is that rsync also works equally well for syncing a 
single large file where little of it has changed.

Just an idea,

-Alex

On Wed, 12 Jul 2006, Jason wrote:

> Randall Nortman (gentoolists <at> wonderclown.com) wrote:
>
> I'd considered that, unfortunately, three issues arose.  One, I've
> earmarked 20 GB for my encrypted homedir for plenty of growth.  It's
> currently over 4 GB of stuff I actually want there.  Two, even if I
> shrink it, I can't assume I'll always have a fat pipe from my laptop.
> And three, I want user login to still be as quick and transparent as
> possible.  Since very little changes in my homedir from one login to the
> next, rsyncing the data inside makes much more sense.
>
> I'm currently looking at the openssh API to ssh-agent and once I have
> that figured out I'll take a look at wedging it into cryptsetup.  Not
> sure from a crypto perspective if that approach is tight, but I'll carry
> on till I'm told otherwise. :)
>
> Jason.
> -- 
> gentoo-security <at> gentoo.org mailing list

Ronny Peine | 13 Jul 2006 13:13

Re: ssh-agent and cryptsetup

Hi,

it would also be possible to write a script which mounts the encrypted devices 
before rsync starts and unmounts them afterwards. The whole backup logic could be 
put in there too. This would lead to an automatism which minimizes your work.

cu,
Ronny

On Wednesday, 12 July 2006 15:22, Jason wrote:
> The subject kinda says it all.  I've been hunting around for an
> automated solution to backing up my encrypted home directory to a remote
> server through ssh.  Obviously, the backup is also an encrypted volume.
>
> Is there an existing solution to getting cryptsetup to use ssh-agent
> for the volume key?
>
> The end result would put my ssh private key on a thumbdrive (password
> protected).  Logging in would decrypt local homedir, and rsync with
> remote encrypted homedir.  Logging out would rsync push changes up to
> remote encrypted home dir and tear down all encrypted volumes and
> ssh-agent.
>
> So far, I've found the articles on encrypted home dirs with dm-crypt,
> using a thumbdrive to hold the key (various solutions), pam-ssh to
> automatically fire up ssh-agent using the private key password to log in
> (limited success with that).  But nothing regarding using ssh-agent to
> decrypt a volume.
>
> Any ideas?
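The wrapper script suggested in the reply above, sketched as an added example (not code posted by anyone in this thread): it opens the volume, mounts it, runs rsync over ssh, and always unmounts and closes the mapping afterwards, even when a step fails. It assumes a LUKS volume whose passphrase cryptsetup prompts for; the device, mapping name, mount point and destination are constructed values, and it defaults to a dry run that only records the commands.

```shell
#!/bin/sh
# Added example: mount -> rsync -> unmount wrapper with guaranteed teardown.
# Device, mapping name, mount point and destination are constructed values.
# Assumes a LUKS volume; cryptsetup prompts for the passphrase itself.
DRY_RUN="${DRY_RUN:-1}"   # 1 = only record the commands, run nothing
FAIL_ON="${FAIL_ON:-}"    # dry-run only: pretend this command fails
PLAN=""
NL='
'

# Execute a command, or in dry-run mode append it to PLAN instead.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        PLAN="${PLAN}$*${NL}"
        [ "$1" != "$FAIL_ON" ]
        return
    fi
    "$@"
}

# backup_encrypted_home DEVICE MAPNAME MOUNTPOINT RSYNC_DEST
backup_encrypted_home() {
    dev=$1 name=$2 mnt=$3 dest=$4
    rc=0 opened=0 mounted=0
    PLAN=""
    if run cryptsetup luksOpen "$dev" "$name"; then opened=1; else rc=1; fi
    if [ "$rc" -eq 0 ]; then
        if run mount "/dev/mapper/$name" "$mnt"; then mounted=1; else rc=1; fi
    fi
    if [ "$rc" -eq 0 ]; then
        # Trailing slash: copy the contents of the mount point.
        run rsync -a --delete -e ssh "$mnt/" "$dest" || rc=1
    fi
    # Tear down in reverse order even when a step above failed, so the
    # decrypted mapping never outlives the backup.
    if [ "$mounted" -eq 1 ]; then run umount "$mnt" || rc=1; fi
    if [ "$opened" -eq 1 ]; then run cryptsetup luksClose "$name" || rc=1; fi
    return "$rc"
}

# Stand-alone use: four arguments run (or, by default, dry-run) one backup.
if [ "$#" -eq 4 ]; then
    backup_encrypted_home "$@"
    status=$?
    printf '%s' "$PLAN"
    exit "$status"
fi
```

Run it with `DRY_RUN=0` as root to execute the commands instead of printing the plan.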

mcguire | 21 Jul 2006 13:46

[RTLWS8-CFP] Eighth Real-Time Linux Workshop 2nd CFP


We apologize for multiple receipts.

--------------------------------------------------------------------------------

                      Eighth Real-Time Linux Workshop

                            October 12-15, 2006
                         Lanzhou University - SISE
                          Tianshui South Road 222
                           Lanzhou, Gansu 730000
                                 P.R.China

  General

   Following  the  meetings  of  developers  and  users at the previous 7
   successful  real-time Linux workshops held in Vienna, Orlando, Milano,
   Boston,  and  Valencia, Singapore, Lille, the Real-Time Linux Workshop
   for  2006  will  come back to Asia again, to be held at the School for
   Information  Science  and  Engineering, Lanzhou University, in Lanzhou
   China.

   Embedded  and  real-time Linux is rapidly gaining traction in the Asia
   Pacific  region.  Embedded  systems  in  both  automation/control  and
   entertainment moving to 32/64bit systems, opening the door for the use
   of  full  featured  OS  like  GNU/Linux  on  COTS  based systems. With
   real-time  capabilities being a common demand for embedded systems the
   soft  and  hard  real-time  variants are an important extension to the
   versatile GNU/Linux GPOS.


Alexis Villebrun | 27 Jul 2006 12:08

Ffree tools to manage user and passwords

Hello everybody,

I'm searching for free tools to manage users and passwords, but in static mode.
Let me explain:
I'm searching for a free tool which may store users and passwords on a unix box
with privileges:
- The tool must run on Apache
- One global administrator
- Groups (with roles: manager (can change password)/reader/no access)

Or if there is no free product with these specifications, a smaller version with
the following requirements:
- Free
- Run on apache (linux)
- optional: admin and readers

Thanks for your help


LEAN Calum RD-ILAB-LON | 27 Jul 2006 12:21

RE: Ffree tools to manage user and passwords

Hello Alexis,

If I understand you correctly, (as I'm not quite sure what you mean by
"static mode") something like Webmin [1], or Usermin [2] might be what
you want.

[1] www.webmin.com
[2] http://www.webmin.com/index6.html

It actually includes its own SSL webserver, so you can even use it on
machines without Apache.

Calum

-----Original Message-----
From: Alexis Villebrun [mailto:alex <at> ssji.net] 
Sent: 27 July 2006 11:09
To: gentoo-security <at> lists.gentoo.org
Subject: [gentoo-security] Ffree tools to manage user and passwords

Hello everybody,

I'm searching for free tools to manage users and passwords, but in static
mode.
Let me explain:
I'm searching for a free tool which may store users and passwords on a unix
box with privileges:
- The tool must run on Apache
- One global administrator
- Groups (with roles: manager (can change password)/reader/no access

Vijay Avarachen | 27 Jul 2006 23:12

Re: Ffree tools to manage user and passwords

Alexis,
    You can implement OpenLDAP as your directory and using tools like phpLDAPAdmin you can manage all aspects of your directory.  This is a good scalable solution and works very well.  Other than phpLDAPAdmin (which requires a LAMP environment), you can find many other front-ends to manage OpenLDAP directory.

Vijay Avarachen

On 7/27/06, LEAN Calum RD-ILAB-LON <calum.lean <at> orange-ft.com> wrote:
Hello Alexis,

If I understand you correctly, (as I'm not quite sure what you mean by
"static mode") something like Webmin [1], or Usermin [2] might be what
you want.

[1] www.webmin.com
[2] http://www.webmin.com/index6.html

It actually includes its own SSL webserver, so you can even use it on
machines without Apache.

Calum

-----Original Message-----
From: Alexis Villebrun [mailto: alex <at> ssji.net]
Sent: 27 July 2006 11:09
To: gentoo-security <at> lists.gentoo.org
Subject: [gentoo-security] Ffree tools to manage user and passwords

Hello everybody,

I'm searching for free tools to manage users and passwords, but in static
mode.
Let me explain:
I'm searching for a free tool which may store users and passwords on a unix
box with privileges:
- The tool must run on Apache
- One global administrator
- Groups (with roles: manager (can change password)/reader/no access)

Or if there is no free product with these specifications, a smaller version with
the following requirements:
- Free
- Run on apache (linux)
- optional: admin and readers

Thanks for your help



--
"Knowledge is the only wealth that grows as you spend it, and diminishes as you save it."
-- ancient Sanskrit saying
