OpenPGP card and poldi-ctrl

Alphazo alphazo at gmail.com
Sun Dec 12 19:20:02 CET 2010 

Hi Markus,

What you are seeing with gnome-keyring is normal. The database of
gnome-keyring is encrypted with a password that is usually the same as the
login password. Therefore when you login with password, your gnome-keyring
database gets automatically decrypted and you can access your WPA protected
Wifi (if using network-manager) network without entering any additional
password. Now when you login with an OpenPGP card, you can no longer decrypt
the gnome-keyring database. I haven't found a practical way to avoid that.
One alternative could be to use an encrypted space (truecrypt/encfs...) to
store the gnome-keyring database and other home related information and
therefore get rid of the gnome-keyring password. But you will still have to
enter a password to unlock this encrypted space ;(

Alphazo

On Sun, Dec 12, 2010 at 6:10 PM, Markus Krainz <ldm at gmx.at> wrote:

>  Hi Alphazo,
>
> thanks for this great howto. I got it working right away.
> Where I still have problems: The gnome-keyring (seahorse), still demands
> the user-password. Also I often have to unplug and replug the reader to
> authenticate. This works, but it is very inconvenient.
>
> Regards,
> Markus
>
>
>
> On 2010-11-27 08:31, wrote:
>
> Hi Markus,
>
>  Poldi tutorials are outdated. The new versions is configured
> differently. Poldi 0.4.1 works flawlessly with my Cryptostick token (OpenPGP
> card V2) for PAM authentication
>
> I used the default /etc/poldi/poldi.conf
> *auth-method localdb
> log-file /var/log/poldi.log
> debug
> scdaemon-program /usr/bin/scdaemon
> *
> Added one line to /etc/poldi/localdb/users with CryptoStick's serial number
> (get it from gpg --card status | grep Application) :
> * D1234678912346789123467891234678 alpha*
>
> And they dumped the public key from my Cryptostick into poldi local db:
> *sudo poldi-ctrl -k > /etc/poldi/localdb/keys/*
> D1234678912346789123467891234678
>
> The rest is pretty standard as it requires to modify pam configuration
> files. I keep the possibility to log in with password for the moment so I
> just added in /etc/pam.d/gdm   /etc/pam.d/login   /etc/pam.d/sudo
> /etc/pam.d/gnome-screensaver:
> *auth        sufficient    pam_poldi.so*
>
> That's it really!
>
> One more thing, for better stability I recommend to disable opensc daemon
> when using Cryptostick. I had it enabled because I was playing with a
> PKCSC#11 token and got all sort of problems. I also had opensc-pkcs11.so
> module loaded in Thunderbird that had a tendency to restart opensc daemon
> also. So best is to disable it too.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20101212/70e48fbb/attachment.htm>

More information about the Gnupg-users mailing list