unlock keychain with pam authentication
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Sep 25 05:09:28 CEST 2015
On Tue 2015-09-22 11:13:38 -0400, SGT. Garcia wrote:
> I've been looking for a solution to get gpg to dance nicely with pam, in the sense that
> once a user is authenticated, the keychain is unlocked. That is, to have one central
> authentication that lasts for the duration of the user's session.
You might be interested in libpam-poldi:
http://www.g10code.com/p-poldi.html
I'm not sure if it meets your particular goals/use cases, though.
There are some conceptual caveats to what you're proposing: note that a
user's GnuPG secret keyring potentially contains multiple secret keys,
and each secret key could be encrypted with a different password. Which
secret key would need to be decrypted to make that work?
Potentially even scarier: if I can convince you to import key material,
I could give you a secret key that is set with a passphrase that I
know. Once you've done that, if the PAM module allows me to connect
whenever I can unlock any key, then I could use it to unlock your account!
You could also consider a more integrated desktop environment like
GNOME, which has a single keyring/password manager that is integrated
with account login. GNOME's keyring can be used to also talk to
gpg-agent if both tools are configured to do so.
hth,
--dkg