unlock keychain with pam authentication

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Sep 28 19:03:10 CEST 2015

On Sun 2015-09-27 20:14:20 -0400, SGT. Garcia wrote:
> i use pass to manage my passwords:
> http://www.passwordstore.org/
> all passwords are encrypted with one single passphrase which is what i would
> like to have in *sync* with pam's OK on user's successful authentication.

This suggests that you're interested in a pam module that verifies that
you can unlock any secret key associated with the ID stored in
~/.password-store/.gpg-id, then the user can log in.  Does that sound

Or maybe you want your PAM module to test that given ~/.gnupg and
~/.password-store, the user-supplied password is capable of decrypting
some specific entry in pass?

either way, i think you're asking for something that is custom to your

>> Potentially even scarier, if i can convince you to import key material,
>> i could give you a secret key that is set with a passphrase that i
>> know.  Once you've done that, if the PAM module allows me to connect
>> if i can unlock any key, then i could use it to unlock your account!
> import where? i'm not sure if i follow. pass only manages passwords for my email
> accounts, so far at least, and i don't see how this comes into play. would care
> to elaborate please?

i send you a file dkg.asc that contains my OpenPGP certificate, and ask
you to import it into your keyring.  you do "gpg --import dkg.asc".

But in that file, in addition to my actual OpenPGP certificate, i've
included an additional certificate that has your own user ID on it
("SGT. Garcia <darwinskernel at gmail.com>"), uses a novel secret key, and
that secret key is encrypted by a password i know (let's say it's a
terrible password, like "bananas").

Now, if your proposed setup is in place, and ~/.password-store/.gpg-id
contains "SGT. Garcia <darwinskernel at gmail.com>", i will be able to log
in to your account with the password "bananas".

Does this attack make sense?
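The ambiguity dkg describes above, as an added Python example that is not part of this thread or of pass: it parses a constructed `gpg --list-secret-keys --with-colons` listing in which a second secret key carries the same user ID as the genuine one, shows that a user-ID selector in `.gpg-id` matches both keys while a full fingerprint matches only one, and gives a resolver that refuses to accept an ambiguous selector. The listing, key IDs and fingerprints are constructed sample data, and `matching_keys` is a simplified emulation of gpg's selection rules, not gpg itself.

```python
from dataclasses import dataclass, field

# Constructed sample of `gpg --list-secret-keys --with-colons` output (not a real
# keyring): the genuine key plus an injected one carrying the same user ID.
SAMPLE_LISTING = """\
sec:u:4096:1:1111222233334444:1443000000::::::scESC:::+:::23::0:
fpr:::::::::AAAA1111222233334444AAAA1111222233334444:
uid:u::::1443000000::DEADBEEF::SGT. Garcia <darwinskernel at gmail.com>::::::::::0:
sec:-:2048:1:5555666677778888:1443300000::::::scESC:::+:::23::0:
fpr:::::::::BBBB5555666677778888BBBB5555666677778888:
uid:-::::1443300000::CAFEBABE::SGT. Garcia <darwinskernel at gmail.com>::::::::::0:
"""

@dataclass
class SecretKey:
    fingerprint: str = ""
    uids: list = field(default_factory=list)

def parse_secret_keys(listing: str) -> list:
    """Turn sec/fpr/uid records into SecretKey objects; the first fpr after a
    sec record is the primary-key fingerprint, later ones belong to subkeys."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "sec":
            keys.append(SecretKey())
        elif f[0] == "fpr" and keys and not keys[-1].fingerprint:
            keys[-1].fingerprint = f[9]
        elif f[0] == "uid" and keys:
            keys[-1].uids.append(f[9])
    return keys

def matching_keys(keys: list, selector: str) -> list:
    """Simplified emulation of gpg key selection: a 40-hex-digit selector is
    a fingerprint and matches one key; anything else is a user-ID substring."""
    sel = selector.strip()
    if len(sel) == 40 and all(c in "0123456789abcdefABCDEF" for c in sel):
        return [k for k in keys if k.fingerprint.upper() == sel.upper()]
    return [k for k in keys if any(sel.lower() in u.lower() for u in k.uids)]

def is_ambiguous(keys: list, selector: str) -> bool:
    """True when a .gpg-id selector could pick more than one secret key."""
    return len(matching_keys(keys, selector)) != 1

def select_login_key(keys: list, selector: str) -> SecretKey:
    """Defensive resolver: accept only a selector that pins exactly one key."""
    found = matching_keys(keys, selector)
    if len(found) != 1:
        raise ValueError(f"{selector!r} matched {len(found)} keys; refusing")
    return found[0]
```

Pinning the full fingerprint in `.gpg-id` (which pass accepts) instead of a user ID makes the imported look-alike key irrelevant to the check.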


