A new idea is born. It started with a paper I wrote about using LinOTP – the ancestor of privacyIDEA – as a mangement system for Yubikey in challenge response that would be used in conjunction with LUKS. The tool to use the Yubikey to protect the encrypted Linux harddisk can be found here at github. The paper was published at the Chemnitzer Linuxtage 2014 (German! p. 19).
The idea is to enroll Yubikeys with privacyIDEA and manage the knowledge which yubikey is used to boot which machine. Booting the machine is no usual authentication request issued against the authentication server privacyIDEA. It is handled completely on the client machine. But the central management system (privacyIDEA) would know, which yubikey is allowed to to which client.
Why not generalize this idea? Thus we can have a system that knows which authentication device can be used for which application on which client machine. Being it Yubikey tokens, HMAC tokens, simple passwords or not-yet-existing SSH keys…
The concept is developed in the github wiki “Conecpt for machines and remote applications”. Feel free to ask questions, nag, contribute!