unlock keychain with pam authentication

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Sep 28 20:35:58 CEST 2015


On Mon 2015-09-28 13:16:06 -0400, SGT. Garcia wrote:
> i think neither is what i'm asking. the following particular use case should
> explain it better.
>
> on my user's first login into this machine i run 'notmuch new'; this calls mbsync
> to sync my email with gmail, but in order for mbsync to do so it has to get my
> password from pass. pass in turn has encrypted all my passwords, and for that i
> have to provide the passphrase *manually*. i would like it to happen
> automatically on user login, hence the PAM integration. note that i already have
> a user systemd service to run 'notmuch new' on user login. it of course fails
> until i run the command first to unlock my email passwords.

if you want it to happen on user login, you're asking for an additional
PAM module that would authenticate you to the local system.

With PAM, you could configure your system to do this as an additional
authentication step (in which case it's the same as your current
scenario, but you're prompted by the login greeter instead of your own
shell initialization scripts) or as the only authentication required
(in which case my attack against your local user account applies).

> that would be my email account, not my local user account, correct?

The attack i described is an attack against your local user account,
though i suspect it could be leveraged into an attack against your
e-mail account as well.

       --dkg
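The two PAM arrangements contrasted in the reply above, written out as an added illustration; this is not part of the thread and not the documentation of any real module. `pam_keychain_unlock.so` is a placeholder for whatever module would prompt for and apply the passphrase-store secret; no such module is named on this page. Both stanzas are Linux-PAM syntax and would go in the service file under /etc/pam.d/ for the login greeter.

```pam
# Arrangement 1: additional authentication step.
# pam_unix still verifies the account password, and the (hypothetical)
# keychain module then demands the store passphrase as well. Same two
# secrets as before; only the prompt moves from shell startup to the greeter.
auth    required    pam_unix.so
auth    required    pam_keychain_unlock.so    # placeholder module name

# Arrangement 2: the keychain passphrase alone is enough to log in.
# "sufficient" ends the auth stack on success (provided no earlier
# "required" entry failed), so pam_unix is never consulted in that case and
# local login stands or falls on that single secret.
auth    sufficient  pam_keychain_unlock.so    # placeholder module name
auth    required    pam_unix.so
```

In the first arrangement the failure of either line fails the login; in the second, compromise of whatever secret the placeholder module accepts is enough for a local login, which is the situation the reply is warning about.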
