unlock keychain with pam authentication

SGT. Garcia darwinskernel at gmail.com
Mon Sep 28 21:39:13 CEST 2015


On Mon, Sep 28, 2015 at 01:03:10PM -0400, Daniel Kahn Gillmor wrote:
> 
> i send you a file dkg.asc that contains my OpenPGP certificate, and ask
> you to import it into your keyring.  you do "gpg --import dkg.asc".
> 
> But in that file, in addition to my actual OpenPGP certificate, i've
> included an additional certificate that has your own user ID on it
> ("SGT. Garcia <darwinskernel at gmail.com>"), uses a novel secret key, and
> that secret key is encrypted by a password i know (let's say it's a
> terrible password, like "bananas").
> 
> Now, if your proposed setup is in place, and ~/.password-store/.gpg-id
> contains "SGT. Garcia <darwinskernel at gmail.com>", i will be able to log
> in to your account with the password "bananas".
> 
> Does this attack make sense?
> 
>      --dkg

hmm, it pinentry asked me for passphrase, how did that happen? gnupg imports the
new key automatically?


sgt
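
A defensive check for the situation described in the quoted message, as an added example that is not part of the original thread: it parses `gpg --list-secret-keys --with-colons` output and reports when a `.gpg-id` style entry given as a user ID selects more than one secret key, while a full fingerprint selects exactly one. The sample keyring, names and fingerprints are constructed, the function names are hypothetical, and the user ID matching is a simplified model of gpg's substring lookup.

```python
import re
from collections import defaultdict

# Constructed sample of `gpg --list-secret-keys --with-colons` output: the
# second key was imported from someone else but carries the same user ID.
SAMPLE = """\
sec:u:4096:1:1111111111111111:1400000000:::u:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:u::::1400000000::X::Alice Example <alice@example.org>:
ssb:u:4096:1:2222222222222222:1400000000::::::e:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC2222222222222222:
sec:-:2048:1:3333333333333333:1443400000:::-:::scESC:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB3333333333333333:
uid:-::::1443400000::Y::Alice Example <alice@example.org>:
"""

def secret_keys(colons):
    """Return {primary fingerprint: [user IDs]} from --with-colons output."""
    keys, current, want_fpr = defaultdict(list), None, False
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "sec":
            current, want_fpr = None, True      # next fpr is the primary key's
        elif f[0] == "fpr" and want_fpr:        # skips subkey (ssb) fingerprints
            current, want_fpr = f[9], False
            keys[current]                       # register key even without a uid
        elif f[0] == "uid" and current:
            # gpg escapes ':' and similar characters as \xNN in colon listings
            uid = re.sub(r"\\x([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), f[9])
            keys[current].append(uid)
    return dict(keys)

def resolve(entry, keys):
    """Fingerprints an entry selects: exact match for a 40-hex fingerprint,
    case-insensitive substring match for a user ID (simplified model of how
    gpg looks up a plain string)."""
    e = entry.replace(" ", "")
    if re.fullmatch(r"[0-9A-Fa-f]{40}", e):
        return sorted(fp for fp in keys if fp == e.upper())
    return sorted(fp for fp, uids in keys.items()
                  if any(entry.lower() in u.lower() for u in uids))

def audit(entry, colons=SAMPLE):
    """Classify an entry as 'ok', 'ambiguous' or 'missing' for this keyring."""
    hits = resolve(entry, secret_keys(colons))
    status = "ok" if len(hits) == 1 else "ambiguous" if hits else "missing"
    return status, hits
```

An `ambiguous` result for the user ID is the condition the quoted message relies on; pinning the entry to a full fingerprint removes it.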



More information about the Gnupg-users mailing list