Linux account PW as TOTP

Hello world,

There is a military system in place that encrypts a drive and to unlock it you have an authenticator like Aegis and get the OTP from there to unlock. I already have LUKS so this might be a bit tough to do.

But I thought, can I set my account or another account PW to be a changing OTP like a 2FA? So I could share that password to someone who at the moment needs to access the laptop and when they close it, they can’t access it.

I don’t know what to google for, I only found a RHEL guide to install google authenticator. And other authenticator links.

ps. we seem to be missing any kind of tags for mfa/2fa, otp and oauth

Thanks in advance


Bump this thread as well. I have no use case, just curious.

I think windows can use a PIN as login to unlock the TPM but I don’t think it’s rotating like a TOTP and I don’t think it can be used in Linux.


I also found something really interesting lately.

NATO encryption drives. Known in the industry as Eclypt. The highest security “Cosmic secret” uses rotating encryption, which seems really cool and I want one to play around with.

Just as a fair warning … DO NOT DO THIS ON THE MILITARY SYSTEM!

That’s why everyone has their own set of credentials. And they know when shit is messed with!

Even discussing here may lead you into some trouble!

I’m not doing anything on military systems.

This is my personal laptop that I bought two weeks ago. As it is a laptop that I’ll have on the go, I want it to be secure and if I lose it or it gets taken away by some ruffians, then they can’t use the data on there.

There seems to be a problem with this idea and I think it’s that you’ll need whatever software stack that is doing the TOTP to run before the drive is unencrypted. I don’t know if systemd even has hooks for that (or if systemd is even running then!). In other words, I would be concerned about what is even running at that time (probably not much) and how that might complicate things… Then you have to wonder about whether all of this will actually be somehow less secure than default LUKS implementation. :thinking: It’s an interesting idea but I’m not sure I’d want to run it on my daily driver.

The top post is more about TOTP instead of a user-predefined password for the accounts.

Not feasible with LUKS as far as I understand it. LUKS has a rather simple header, with twenty or so keyslots, with access to the master key. In case you would write an early boot environment app, let’s say as a dracut module or whatever early boot environment you use, this app would need to have a copy of one of the LUKS keys for decryption on file which is not good since decrypting the partition could be done by extracting the password from the TOTP app you wrote. To add TOTP capabilities in a secure manner you would need to add this feature to the LUKS code base, which afaik has not been done and is not planned.
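To make the last two replies concrete, here is an added RFC 6238 TOTP verifier in Python; it is not code from this thread or from any tool mentioned in it. It uses the well-known RFC 4226/6238 test-vector secret as a constructed example and shows two things: whatever checks the code (a PAM module or an early-boot helper) must hold the same secret the authenticator app holds, and the six-digit result is a truncated HMAC, so it cannot serve as key material for a LUKS keyslot on its own.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example secret: the RFC 4226/6238 test-vector key
# "12345678901234567890", base32-encoded the way Aegis/google-authenticator store it.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated.

    Note that the verifier needs the raw secret here; the code alone is not
    enough to reconstruct it, which is why an unlock helper cannot derive a
    disk key from the code and must store a real key instead.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at // step)


def verify(secret_b32: str, candidate: str, at: int,
           window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Accept the code for the current step or +/- `window` steps (clock drift).

    Uses a constant-time comparison and checks every step in the window so the
    timing does not reveal which step (if any) matched.
    """
    secret = base64.b32decode(secret_b32, casefold=True)
    counter = at // step
    matched = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), candidate):
            matched = True
    return matched


if __name__ == "__main__":
    import time
    print("current code:", totp(DEMO_SECRET_B32, int(time.time())))
```

The RFC 6238 test vectors (time 59 gives 287082 for this secret) can be used to check the implementation before wiring it into anything.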