unlock keychain with pam authentication

SGT. Garcia darwinskernel at gmail.com
Mon Sep 28 22:00:38 CEST 2015


On Mon, Sep 28, 2015 at 02:35:58PM -0400, Daniel Kahn Gillmor wrote:
> On Mon 2015-09-28 13:16:06 -0400, SGT. Garcia wrote:
> > i think neither is what i'm asking. the following particular use case should
> > explain it better.
> >
> > on my user's first login into this machine i run 'notmuch new'. this calls mbsync
> > to sync my email with gmail, but in order for mbsync to do so it has to get my
> > password from pass. pass in turn has encrypted all my passwords, and for that i
> > have to provide the passphrase *manually*. i would like it to happen
> > automatically on user login, hence the pam integration. note that i already have
> > a user systemd service to run 'notmuch new' on user login. it of course fails
> > until i run the command first to unlock my email passwords.
> 
> if you want it to happen on user login, you're asking for an additional
> PAM module that would authenticate you to the local system.
> 
> With PAM, you could configure your system to do this as an additional
> authentication step (in which case it's the same as your current
> scenario, but you're prompted by the login greeter instead of your own
> shell initialization scripts) or as the only authentication required
> (in which case my attack against your local user account applies).

i really want it as the only authentication required, that is, the password
entered by the user logs him in and decrypts the passwords.

> > that would be my email account not my local user account, correct?
> 
> The attack i described is an attack against your local user account,
> though i suspect it could be leveraged into an attack against your
> e-mail account as well.
> 
>        --dkg

how does it work, does gnupg phone home? i suspect not. i did not agree to
import anything, but apparently my mail client (mutt) and/or gnupg took the
initiative to do so. if that's true, then that's a misconfiguration or bad
default configuration of mutt and/or gnupg, i think.


sgt
More information about the Gnupg-users mailing list