unlock keychain with pam authentication

SGT. Garcia darwinskernel at gmail.com
Mon Sep 28 02:14:20 CEST 2015

On Thu, Sep 24, 2015 at 11:09:28PM -0400, Daniel Kahn Gillmor wrote:
> On Tue 2015-09-22 11:13:38 -0400, SGT. Garcia wrote:
> > been looking for a solution to get gpg to dance nicely with pam in the sense that
> > once a user has authenticated, the keychain is unlocked. that is to have one central
> > authentication that lasts for the duration of the user's session.
> You might be interested in libpam-poldi:
>  http://www.g10code.com/p-poldi.html

thanks, will have a look in a tick.

> I'm not sure if it meets your particular goals/use cases, though.
> There are some conceptual caveats to what you're proposing: Note that a
> user's GnuPG secret keyring potentially contains multiple secret keys,
> and each secret key could be encrypted with a different password.  Which
> secret key would need to be decrypted to make that work?

i use pass to manage my passwords:

all passwords are encrypted with one single passphrase which is what i would
like to have in *sync* with pam's OK on user's successful authentication.

> Potentially even scarier, if i can convince you to import key material,
> i could give you a secret key that is set with a passphrase that i
> know.  Once you've done that, if the PAM module allows me to connect
> if i can unlock any key, then i could use it to unlock your account!

import where? i'm not sure if i follow. pass only manages passwords for my email
accounts, so far at least, and i don't see how this comes into play. would you care
to elaborate please?

> You could also consider a more integrated desktop environment like
> GNOME, which has a single keyring/password manager that is integrated
> with account login.  GNOME's keyring can be used to also talk to
> gpg-agent if both tools are configured to do so.

i don't use a desktop environment. my machine usually boots into console and i may
or may not run xinit to start X with dwm (a window manager). this may change in
the future when i start X's systemd session-manager which apparently requires a
login-manager. same goes for wayland incidentally and afaik. in that case i
would be looking into integrating that login-manager with gnupg for the same

