unlock keychain with pam authentication
darwinskernel at gmail.com
Tue Sep 29 00:16:17 CEST 2015
On Mon, Sep 28, 2015 at 04:10:10PM -0400, Daniel Kahn Gillmor wrote:
> On Mon 2015-09-28 16:00:38 -0400, SGT. Garcia wrote:
> > i really want it as the only authentication required that is open password from
> > user logs him in and decrypts the passwords.
> >> > that would be my email account not my local user account, correct?
> >> The attack i described is an attack against your local user account,
> >> though i suspect it could be leveraged into an attack against your
> >> e-mail account as well.
> > how does it work, does gnupg phone home? i suspect not. i did not agree to
> > import anything but apparently my mail client (mutt) and/or gnupg took the
> > initiative to do so. if that's true then that's a misconfiguration or bad
> > default configuration of mutt and/or gnupg, i think.
> There is no phoning home. Do you ever import keys that other people
> send you? or keys you find on the web? or keys attached to e-mail
> messages? Are you sure the things imported can't include a secret key?

this is the first time i hear about *importing* to be honest. after reading, yes
just reading, your email a new key was added and on the next run of 'notmuch
new' i was asked for it by pinentry. i'm guessing mutt imports any key it finds

> Apparently i'm not doing a great job at communicating this scenario to
> you. sorry about that. Maybe someone else can try to explain it more
> clearly than i can.

it's not your fault. i think i'm missing some background on this.

> I understand what you're asking for, and i see how it would be a useful
> thing. However, i think you should constrain it much more tightly than
> what you appear to be asking for, and i don't think that such a thing
> already exists. It would be a bit of engineering work to make sure that
> it's functional, but i'd be happy to review something like this if
> somebody wants to propose it.

for now i just nuked my old .gnupg directory and created a new one without
passphrase. seems to accomplish the same thing, i.e. no more annoying passphrase
dialog. i will have to confirm on the next boot though.