unlock keychain with pam authentication

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Sep 28 22:10:10 CEST 2015


On Mon 2015-09-28 16:00:38 -0400, SGT. Garcia wrote:
> i really want it as the only authentication required that is open password from
> user logs him in and decrypts the passwords.
>
>> > that would be my email account not my local user account, correct?
>> 
>> The attack i described is an attack against your local user account,
>> though i suspect it could be leveraged into an attack against your
>> e-mail account as well.
>
> how does it work, does gnupg phone home? i suspect not. i did not agree to
> import anything but apparently my mail client (mutt) and/or gnupg took the
> initiative to do so. if that's true then that's a misconfiguration or bad
> default configuration of mutt and/or gnupg, i think.

There is no phoning home.  Do you ever import keys that other people
send you?  or keys you find on the web?  or keys attached to e-mail
messages?  Are you sure the things imported can't include a secret key?

Apparently i'm not doing a great job at communicating this scenario to
you.  sorry about that.  Maybe someone else can try to explain it more
clearly than i can.

I understand what you're asking for, and i see how it would be a useful
thing.  However, i think you should constrain it much more tightly than
what you appear to be asking for, and i don't think that such a thing
already exists.  It would be a bit of engineering work to make sure that
it's functional, but i'd be happy to review something like this if
somebody wants to propose it.

         --dkg
