Local PAM authentication with OpenPGP Card (was Re: PAM authentication with gpg or ssh key)

Peter Lebbing peter at digitalbrains.com
Thu Oct 1 11:52:19 CEST 2015


On 01/10/15 08:06, NIIBE Yutaka wrote:
> Although I have a bit of experience with Poldi, frankly speaking, I
> don't quite understand the need for local login authentication with
> OpenPGP card.  For me, if I do some access control for my own PC, it
> would be better to consider removing the keyboard from a PC, or securing
> access to the room where I have a PC.

For me, it's about getting rid of the root password altogether.
Authentication as root can only be done with an OpenPGP Card and its PIN.

Or by booting the system into single user mode ;). Your comment
regarding securing the room is very true: once someone has unfettered
access to the machine, it's near impossible to secure. This is not a
threat model I consider. Once they have physical access to the machine,
I give up.

I'm primarily (though not exclusively) talking about machines that
normally run headless. But sometimes you can't use SSH with an OpenPGP
card to solve a problem, for instance if it's the network that is not
working. So you really need to connect a monitor to the system and do a
local login.

Thank you for your response and giving it thought!

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


