IRC chat logs for #ltsp on irc.libera.chat (webchat)


Channel log from 25 March 2020   (all times are UTC)

00:10
<map7`>
Can you use yubikey to login to LTSP 20.3 fat clients?
00:10map7` is now known as map7
00:11
<vagrantc>
maybe ... essentially anything you could configure on a standalone machine you *should* be able to configure ... but it may require some tinkering to get it to work correctly
00:13
<map7>
vagrantc: Cool, yubikey does have good debian support so I might give it a go down the track
01:32adrianorg has left IRC (adrianorg!~adrianorg@179.187.26.41.dynamic.adsl.gvt.net.br, Ping timeout: 258 seconds)
02:02adrianorg has joined IRC (adrianorg!~adrianorg@179.187.26.41.dynamic.adsl.gvt.net.br)
03:45vagrantc has left IRC (vagrantc!~vagrant@unaffiliated/vagrantc, Quit: leaving)
04:28shored has left IRC (shored!~shored@87-92-92-55.bb.dnainternet.fi, Read error: Connection reset by peer)
04:29shored has joined IRC (shored!~shored@87-92-92-55.bb.dnainternet.fi)
05:05GodFather has left IRC (GodFather!~rcc@d53-64-7-141.nap.wideopenwest.com, Ping timeout: 256 seconds)
05:08GodFather has joined IRC (GodFather!~rcc@d53-64-7-141.nap.wideopenwest.com)
06:10gdi2k has joined IRC (gdi2k!~gdi2k@58.69.160.28)
07:21map7 has left IRC (map7!~user@103.232.216.31, Remote host closed the connection)
07:21map7` has joined IRC (map7`!~user@103.232.216.31)
07:30
<alkisg>
map7`: yubikey doesn't provide a password so I don't think it will be able to authenticate via SSHFS
07:30
It will authenticate locally, but then you'll need NFS to access /home
07:31
I think I've heard something about yubikey and ssh authentication, but I haven't looked into it as I've never even saw a yubikey
07:32
I imagine they'd implement it similar to key-based authentication
07:57eu^lfbn-dij-1-95 has joined IRC (eu^lfbn-dij-1-95!5a7d97c4@lfbn-dij-1-956-196.w90-125.abo.wanadoo.fr)
08:14eu^lfbn-dij-1-95 has left IRC (eu^lfbn-dij-1-95!5a7d97c4@lfbn-dij-1-956-196.w90-125.abo.wanadoo.fr, Remote host closed the connection)
08:25woernie_ has joined IRC (woernie_!~werner@p5DDEC5BE.dip0.t-ipconnect.de)
08:33woernie_ has left IRC (woernie_!~werner@p5DDEC5BE.dip0.t-ipconnect.de, Quit: http://quassel-irc.org - Chat comfortably. Anywhere.)
08:34woernie_ has joined IRC (woernie_!~werner@p5DDEC5BE.dip0.t-ipconnect.de)
08:56
<meo>
alkisg: you can use PAM to authenticate OTP
08:56
yubikeys have switchable authentication slots, each can be configured, you can even have it spit out a static password
08:57
I use it as a private key container HSM
10:29shored has left IRC (shored!~shored@87-92-92-55.bb.dnainternet.fi, Ping timeout: 256 seconds)
10:32shored has joined IRC (shored!~shored@87-92-92-55.bb.dnainternet.fi)
10:37
<alkisg>
meo: the question is, can you insert a yubikey and automatically have ssh authenticate to a remote server?
10:47
Or, can you run `ssh remote-server`, and have yubikey help in authentication there...
10:48
When ssh'ing to a remote server, the local PAM isn't involved
10:50
ssh client needs to have yubikey specific code, in order to use it
10:59
<meo>
alkisg: no, you use gpg-agent and scdaemon for that
10:59
the first access to the smartcard requires pinentry
10:59
which implies some form of ui
11:00
but it definitely works otherwise
11:00
I am logged in to this session off yubikey authentication
11:00woernie_ has left IRC (woernie_!~werner@p5DDEC5BE.dip0.t-ipconnect.de, Ping timeout: 264 seconds)
11:01
<meo>
essentially gpg-agent relays ssh authentication requests to scdaemon which talks to yubikey
11:02woernie has joined IRC (woernie!~werner@p578bb7b6.dip0.t-ipconnect.de)
11:02
<alkisg>
meo, gpg-agent can't be used in the login screen, as the user isn't yet logged in
11:03
ltsp has a pam hook that will need to somehow bind the local authentication attempt to a remote ssh, all that before login
11:05shored has left IRC (shored!~shored@87-92-92-55.bb.dnainternet.fi, Read error: Connection reset by peer)
11:05
<meo>
gpg-agent, scdaemon and pinentry per se are not dependent on the specific uid and can be spawned as e.g. nobody or in a temporary session, pinentry would require interactive UI but I suppose it's doable
11:06
the trick would be to connect gpg-agent to the running scdaemon after logon I suppose
11:06
<alkisg>
It's not possible to launch other GUI programs from the login screen; the gnome devs specifically refused to support that
11:06
<meo>
that I wouldn't know, I believe there's a mechanism for this in xdm
11:06
<alkisg>
They only allow their own, like orca, and nothing else (I was trying to have them allow epoptes broadcasts, i.e. a vnc viewer, over the login screen)
11:06shored has joined IRC (shored!~shored@87-92-92-55.bb.dnainternet.fi)
11:07
<alkisg>
They don't have a window manager running at that point, so any program you run gets underneath the display screen
11:07
So what we'd want from a yubikey would be, to find a way to: login on vt1 as root. Then insert a yubikey, and have a command like `ssh user@server` authenticate automatically
11:07
No xorg or wayland involved
11:08
I think there was a request or an attempt or something, to put code in ssh client to do that
11:08
That would be the proper place, not overlays or agents...
11:09
<meo>
that would be doable, since there's console pinentry as well
11:10
<alkisg>
pinentry echoes a password to stdin?
11:13Teridon1 has joined IRC (Teridon1!~Teridon@dragon.teridon.com)
11:41bcg has left IRC (bcg!~b@df-vm8yyyyyyyyyyyyyyt-3.rev.dnainternet.fi, Quit: bcg)
11:41bcg has joined IRC (bcg!~b@df-vm8yyyyyyyyyyyyyyt-3.rev.dnainternet.fi)
11:44bcg has left IRC (bcg!~b@df-vm8yyyyyyyyyyyyyyt-3.rev.dnainternet.fi, Client Quit)
11:45bcg has joined IRC (bcg!~b@df-vm8yyyyyyyyyyyyyyt-3.rev.dnainternet.fi)
11:59bcg has left IRC (bcg!~b@df-vm8yyyyyyyyyyyyyyt-3.rev.dnainternet.fi, Quit: bcg)
12:00bcg has joined IRC (bcg!~b@df-vm8yyyyyyyyyyyyyyt-3.rev.dnainternet.fi)
12:05woernie has left IRC (woernie!~werner@p578bb7b6.dip0.t-ipconnect.de, Remote host closed the connection)
12:07woernie has joined IRC (woernie!~werner@p5DDEC5BE.dip0.t-ipconnect.de)
12:30Teridon2 has joined IRC (Teridon2!~Teridon@dragon.teridon.com)
12:31Teridon1 has left IRC (Teridon1!~Teridon@dragon.teridon.com, Ping timeout: 240 seconds)
12:38woernie has left IRC (woernie!~werner@p5DDEC5BE.dip0.t-ipconnect.de, Ping timeout: 264 seconds)
12:38woernie has joined IRC (woernie!~werner@p5DDEC5BE.dip0.t-ipconnect.de)
13:04GodFather has left IRC (GodFather!~rcc@d53-64-7-141.nap.wideopenwest.com, Quit: Ex-Chat)
13:07GodFather has joined IRC (GodFather!~rcc@d53-64-7-141.nap.wideopenwest.com)
13:09GodFather has left IRC (GodFather!~rcc@d53-64-7-141.nap.wideopenwest.com, Remote host closed the connection)
13:22GodFather has joined IRC (GodFather!~rcc@d53-64-7-141.nap.wideopenwest.com)
13:32Mikaela has left IRC (Mikaela!~Mikaela@unaffiliated/mikaela, Quit: Mikaela)
13:34Mikaela has joined IRC (Mikaela!~Mikaela@unaffiliated/mikaela)
13:40Mikaela has left IRC (Mikaela!~Mikaela@unaffiliated/mikaela, Quit: Mikaela)
13:41Mikaela has joined IRC (Mikaela!~Mikaela@unaffiliated/mikaela)
13:45Mikaela has left IRC (Mikaela!~Mikaela@unaffiliated/mikaela, Client Quit)
13:47Mikaela has joined IRC (Mikaela!~Mikaela@unaffiliated/mikaela)
14:26vagrantc has joined IRC (vagrantc!~vagrant@unaffiliated/vagrantc)
14:41GodFather has left IRC (GodFather!~rcc@d53-64-7-141.nap.wideopenwest.com, Remote host closed the connection)
14:42GodFather has joined IRC (GodFather!~rcc@d53-64-7-141.nap.wideopenwest.com)
16:12GodFather_ has joined IRC (GodFather_!~rcc@d53-64-7-141.nap.wideopenwest.com)
16:12GodFather_ has left IRC (GodFather_!~rcc@d53-64-7-141.nap.wideopenwest.com, Remote host closed the connection)
16:42woernie has left IRC (woernie!~werner@p5DDEC5BE.dip0.t-ipconnect.de, Remote host closed the connection)
16:47uumas has left IRC (uumas!uumaskapsi@gateway/shell/matrix.org/x-nfulzmxwdcfukodz, Ping timeout: 256 seconds)
16:48woernie has joined IRC (woernie!~werner@p5DDEC5BE.dip0.t-ipconnect.de)
16:53uumas has joined IRC (uumas!uumaskapsi@gateway/shell/matrix.org/x-iesnstbpahkaeney)
19:23Teridon2 has left IRC (Teridon2!~Teridon@dragon.teridon.com, Quit: Leaving.)
20:15GodFather has left IRC (GodFather!~rcc@d53-64-7-141.nap.wideopenwest.com, Ping timeout: 256 seconds)
20:29GodFather has joined IRC (GodFather!~rcc@d53-64-7-141.nap.wideopenwest.com)
21:04woernie has left IRC (woernie!~werner@p5DDEC5BE.dip0.t-ipconnect.de, Remote host closed the connection)
22:41map7` has left IRC (map7`!~user@103.232.216.31, Remote host closed the connection)
23:42GodFather has left IRC (GodFather!~rcc@d53-64-7-141.nap.wideopenwest.com, Ping timeout: 256 seconds)