unlock keychain with pam authentication

SGT. Garcia darwinskernel at gmail.com
Mon Sep 28 19:16:06 CEST 2015

On Mon, Sep 28, 2015 at 01:03:10PM -0400, Daniel Kahn Gillmor wrote:
> On Sun 2015-09-27 20:14:20 -0400, SGT. Garcia wrote:
> > i use pass to manage my passwords:
> > http://www.passwordstore.org/
> >
> > all passwords are encrypted with one single passphrase which is what i would
> > like to have in *sync* with pam's OK on user's successful authentication.
> This suggests that you're interested in a pam module that verifies that
> you can unlock any secret key associated with the ID stored in
> ~/.password-store/.gpg-id, then the user can log in.  Does that sound
> right?
> Or maybe you want your PAM module to test that given ~/.gnupg and
> ~/.password-store, the user-supplied password is capable of decrypting
> some specific entry in pass?
> either way, i think you're asking for something that is custom to your
> setup.

i think neither is what i'm asking. the following particular use case should
explain it better.

on my user's first login into this machine i run 'notmuch new' this calls mbsync
to sync my email with gmail but in order for mbsync to do so it has to get my
password from pass. pass in turn has encrypted all my passwords and for that i
have to provide the passphrase *manually*. i would like it to happen
automatically on user login. hence the pam integration. note that i already have
a user systemd service to run 'notmuch new' on user login. it of course fails
until i run the command first to unlock my email passwords.

> >> Potentially even scarier, if i can convince you to import key material,
> >> i could give you a secret key that is set with a passphrase that i
> >> know.  Once you've done that, if the PAM module allows me to connect
> >> if i can unlock any key, then i could use it to unlock your account!
> >
> > import where? i'm not sure if i follow. pass only manages passwords for my email
> > accounts, so far at least, and i don't see how this comes into play. would care
> > to elaborate please?
> i send you a file dkg.asc that contains my OpenPGP certificate, and ask
> you to import it into your keyring.  you do "gpg --import dkg.asc".
> But in that file, in addition to my actual OpenPGP certificate, i've
> included an additional certificate that has your own user ID on it
> ("SGT. Garcia <darwinskernel at gmail.com>"), uses a novel secret key, and
> that secret key is encrypted by a password i know (let's say it's a
> terrible password, like "bananas").
> Now, if your proposed setup is in place, and ~/.password-store/.gpg-id
> contains "SGT. Garcia <darwinskernel at gmail.com>", i will be able to log
> in to your account with the password "bananas".
> Does this attack make sense?
>      --dkg

that would be my email account not my local user account, correct?


More information about the Gnupg-users mailing list