An update on poldi? [was: Re: unlock keychain with pam authentication]

NIIBE Yutaka gniibe at fsij.org
Tue Sep 29 04:44:17 CEST 2015


Thank you, dkg for Cc-ing.

On 09/29/2015 02:05 AM, Daniel Kahn Gillmor wrote:
> On Sun 2015-09-27 22:04:40 -0400, SGT. Garcia wrote:
>> On Thu, Sep 24, 2015 at 11:09:28PM -0400, Daniel Kahn Gillmor wrote:
>>> You might be interested in libpam-poldi:
>>>
>>>  http://www.g10code.com/p-poldi.html
>>
>> i get 'not found' error. google finds me this:
>> http://www.schiessle.org/howto/poldi.html
>>
>> assuming they're the same thing it mentions gnupg smartcards; not sure what that
>> is but i'm guessing the module can be used with pam regardless even without the
>> card; correct?
> 
> Cc'ing gniibe, who might be able to give us some feedback on the state
> of poldi.

Poldi works with a smartcard, specifically an OpenPGPcard-compatible one.
It doesn't work without an OpenPGPcard-compatible smartcard.

I maintain Poldi and Scute for Debian.  Since those two projects are
orphaned by upstream, I only do small changes.

Last year, I made small changes to Poldi, when a person asked me whether
Poldi could still work on Fedora.  Those changes are in the repository:

    http://git.gnupg.org/cgi-bin/gitweb.cgi?p=poldi.git;a=summary

He said that he would be able to have a little budget for further
development of Poldi, but it seems that my unpaid work of last year
was just enough for him, and it didn't proceed further.

Personally, I think that the use case of Poldi for login
authentication is fundamentally different from the use case of the
OpenPGPcard for SSH authentication.  I tend to assume that the computer
and the OpenPGPcard are owned by their user, but in some (or most) cases,
Poldi is used in a situation where the computer owner is a company and
the OpenPGPcard owner is also a company (and the company lets employees
use its computers).  Who controls what is different.

Thus, in my opinion, Poldi is an experimental project, just for
seeking the technical possibility, which doesn't go anywhere.

			*	*	*

For authentication of sudo on a remote machine, I think that we can use
pam_ssh_agent [0] together with GnuPG, if we can configure it correctly.
I don't have any experience with it, though.  It would be good if we could
also do a similar thing directly by remote access to gpg-agent.

[0] pam_ssh_agent: http://pamsshagentauth.sourceforge.net/
-- 
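The sudo-over-pam_ssh_agent setup sketched in the message above, written out as an added example; it is not from the post, the Poldi project or GnuPG, and it assumes that pam_ssh_agent_auth accepts signatures made by gpg-agent's ssh-agent emulation (which is what the post supposes, not something the post confirms). The keys-file path `/etc/ssh/sudo_authorized_keys`, the Debian package name and the key id argument are assumptions or placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Wires pam_ssh_agent_auth
# (Debian package libpam-ssh-agent-auth, an assumption) to an OpenPGP card key
# served by gpg-agent, so that sudo on a remote host is authenticated by the
# card in the local reader via a forwarded agent socket.

# Assumed location of the keys that may authenticate sudo on the server.
KEYS_FILE=/etc/ssh/sudo_authorized_keys

# PAM line for /etc/pam.d/sudo. "sufficient" means a valid agent signature
# satisfies auth; if the agent is absent, PAM falls through to the password.
pam_sudo_line() {
    printf 'auth sufficient pam_ssh_agent_auth.so file=%s\n' "$1"
}

# sudo scrubs the environment; without this the module never sees the socket.
sudoers_line() {
    printf 'Defaults env_keep += "SSH_AUTH_SOCK"\n'
}

# Server side (run as root): install the two lines above.
server_setup() {
    pam_sudo_line "$KEYS_FILE" >> /etc/pam.d/sudo
    sudoers_line > /etc/sudoers.d/ssh_agent_auth
    chmod 0440 /etc/sudoers.d/ssh_agent_auth
    # KEYS_FILE itself must be root-owned and not group/world writable,
    # otherwise a local user could add their own key and gain sudo.
    touch "$KEYS_FILE"; chmod 0644 "$KEYS_FILE"
}

# Client side: let gpg-agent speak the ssh-agent protocol and print the
# card's authentication subkey in OpenSSH format. The printed line is what
# goes into KEYS_FILE on the server. $1 is the OpenPGP key id (placeholder).
client_setup() {
    keyid=$1
    conf=${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf
    grep -qx 'enable-ssh-support' "$conf" 2>/dev/null ||
        echo 'enable-ssh-support' >> "$conf"
    gpgconf --kill gpg-agent
    gpg --export-ssh-key "$keyid"
}

# Check to run on the remote host after "ssh -A host": returns 0 only if a
# forwarded agent is reachable and offers at least one key. Note that -A lets
# that host use the key for the life of the session, so forward only to hosts
# where that exposure is acceptable.
check_forwarded_agent() {
    [ -n "$SSH_AUTH_SOCK" ] || return 1
    ssh-add -l >/dev/null 2>&1
}

# Local shell before connecting: point ssh at gpg-agent's ssh socket.
#   export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
#   ssh -A host   # then: sudo -v, which should not prompt for a password
```

On the server the PAM line must come before the password entry (on Debian, above `@include common-auth`) so that the agent signature is tried first; the `check_forwarded_agent` function is the quickest way to tell a PAM misconfiguration apart from an agent that simply is not forwarded.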