unlock keychain with pam authentication

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Sep 25 05:09:28 CEST 2015


On Tue 2015-09-22 11:13:38 -0400, SGT. Garcia wrote:
> I've been looking for a solution to get gpg to dance nicely with pam, in the sense that
> once a user is authenticated the keychain is unlocked. That is, to have one central
> authentication that lasts for the duration of the user's session.

You might be interested in libpam-poldi:

 http://www.g10code.com/p-poldi.html

I'm not sure if it meets your particular goals/use cases, though.

There are some conceptual caveats to what you're proposing: Note that a
user's GnuPG secret keyring potentially contains multiple secret keys,
and each secret key could be encrypted with a different password.  Which
secret key would need to be decrypted to make that work?

Potentially even scarier, if i can convince you to import key material,
i could give you a secret key that is set with a passphrase that i
know.  Once you've done that, if the PAM module allows me to connect
whenever i can unlock any key, then i could use it to unlock your account!

You could also consider a more integrated desktop environment like
GNOME, which has a single keyring/password manager that is integrated
with account login.  GNOME's keyring can be used to also talk to
gpg-agent if both tools are configured to do so.

hth,

        --dkg
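The two caveats above (several keys with different passphrases, and an attacker-supplied key whose passphrase the attacker knows) modelled as an added, constructed simulation; this is not GnuPG, poldi or PAM code, and the fingerprints, passphrases and PBKDF2 verifiers are stand-ins. It contrasts an "any key unlocks" policy with one bound to keys an administrator enrolled for the account.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class SecretKey:
    fingerprint: str   # constructed stand-in for a GnuPG key fingerprint
    salt: bytes
    verifier: bytes    # PBKDF2 of this key's own passphrase


def make_key(fingerprint: str, passphrase: str) -> SecretKey:
    """Each secret key carries its own passphrase, as in a real keyring."""
    salt = os.urandom(16)
    v = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
    return SecretKey(fingerprint, salt, v)


def unlocks(key: SecretKey, passphrase: str) -> bool:
    v = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), key.salt, 100_000)
    return hmac.compare_digest(v, key.verifier)


def auth_any_key(keyring, passphrase):
    """Naive policy: login succeeds if *any* key in the keyring unlocks."""
    return any(unlocks(k, passphrase) for k in keyring)


def auth_bound_key(keyring, passphrase, enrolled_fprs):
    """Bound policy: only keys an administrator enrolled for the account
    count; a key that merely sits in the keyring (e.g. imported later) does not."""
    return any(unlocks(k, passphrase)
               for k in keyring if k.fingerprint in enrolled_fprs)


def scenario():
    owner = make_key("OWNERFPR0001", "correct horse battery staple")
    enrolled = {owner.fingerprint}           # set out-of-band by the admin
    keyring = [owner]
    # The user is talked into importing a key whose passphrase someone else chose.
    keyring.append(make_key("IMPORTEDFPR9", "passphrase-known-to-importer"))
    return {
        "owner_any": auth_any_key(keyring, "correct horse battery staple"),
        "owner_bound": auth_bound_key(keyring, "correct horse battery staple", enrolled),
        "imported_any": auth_any_key(keyring, "passphrase-known-to-importer"),
        "imported_bound": auth_bound_key(keyring, "passphrase-known-to-importer", enrolled),
    }
```

The imported key passes the naive check but not the bound one, which is the property a PAM integration of this kind needs.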