An update on poldi? [was: Re: unlock keychain with pam authentication]
NIIBE Yutaka
gniibe at fsij.org
Tue Sep 29 04:44:17 CEST 2015
Thank you, dkg for Cc-ing.
On 09/29/2015 02:05 AM, Daniel Kahn Gillmor wrote:
> On Sun 2015-09-27 22:04:40 -0400, SGT. Garcia wrote:
>> On Thu, Sep 24, 2015 at 11:09:28PM -0400, Daniel Kahn Gillmor wrote:
>>> You might be interested in libpam-poldi:
>>>
>>> http://www.g10code.com/p-poldi.html
>>
>> I get a 'not found' error. Google finds me this:
>> http://www.schiessle.org/howto/poldi.html
>>
>> Assuming they're the same thing, it mentions GnuPG smartcards; not sure what that
>> is, but I'm guessing the module can be used with PAM regardless, even without the
>> card; correct?
>
> Cc'ing gniibe, who might be able to give us some feedback on the state
> of poldi.
Poldi works with a smartcard, specifically an OpenPGPcard-compatible one. It
doesn't work without an OpenPGPcard-compatible smartcard.
I maintain Poldi and Scute for Debian. Since those two projects are
orphaned by upstream, I only do small changes.
Last year, I did small changes for Poldi, when a person asked me if
Poldi could still work on Fedora. Those changes are in the repository:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=poldi.git;a=summary
He said that he would be able to have a little budget for further
development of Poldi, but it seems that my unpaid work of last year
was just enough for him, and it didn't proceed further.
Personally, I think that the use case of Poldi for login
authentication is fundamentally different from the use case of
OpenPGPcard for SSH authentication. I tend to assume that the
computer and the OpenPGPcard are owned by their users, but in some (or
most) cases, Poldi is used in a situation where the computer owner is a
company and the OpenPGPcard owner is also a company (and the company
lets employees use its computers). Who controls what is different.
Thus, in my opinion, Poldi is an experimental project, just for
exploring the technical possibility, which doesn't go anywhere.
* * *
For authentication of sudo on a remote machine, I think that we can use
pam_ssh_agent [0] together with GnuPG, if we configure it correctly.
I don't have any experience with it, though. It would be good if we could
also do a similar thing directly via gpg-agent remote access.
[0] pam_ssh_agent: http://pamsshagentauth.sourceforge.net/
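The pam_ssh_agent_auth setup sketched above, written out as an added example (not configuration from the author or from either project): gpg-agent on the local machine serves the card's authentication key over the SSH agent protocol, the agent is forwarded, and the remote sudo's PAM stack checks it. Each fragment belongs to the file named in the comment above it; `<KEYID>`, `user@remote.example` and the `AAAA...` key material are placeholders.

```conf
# ---- Local machine (the one holding the OpenPGP card) ----
# ~/.gnupg/gpg-agent.conf : let gpg-agent answer SSH agent requests
enable-ssh-support
# (restart the agent afterwards:  gpgconf --kill gpg-agent)

# In the login shell, point SSH clients at gpg-agent's socket and
# export the card's authentication key in authorized_keys format:
#   export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
#   gpg --export-ssh-key <KEYID> > card-auth-key.pub
# Connect with agent forwarding so the remote sudo can reach the agent:
#   ssh -A user@remote.example

# ---- Remote machine ----
# /etc/security/authorized_keys : the exported line(s). Keep the file
# owned by root and not writable by others; the module checks ownership
# and permissions, and the file must not live in the user's home, where
# the user could add keys and authorise themselves.
ssh-rsa AAAA...<contents of card-auth-key.pub>... openpgp:0x<KEYID>

# /etc/pam.d/sudo : try the forwarded agent first, then the normal stack
# (Debian-style stacks use "@include common-auth" instead of the include)
auth  sufficient  pam_ssh_agent_auth.so file=/etc/security/authorized_keys
auth  include     system-auth

# /etc/sudoers (edit with visudo): sudo scrubs the environment, so the
# forwarded agent socket must be kept for the PAM module to find it
Defaults  env_keep += "SSH_AUTH_SOCK"
```

Agent forwarding lets anyone with root on the remote host use the forwarded agent for the life of the session, so only forward to hosts you already trust; the card's PIN and touch/confirm policy still gate each signature.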
--
More information about the Gnupg-users mailing list