unlock keychain with pam authentication

SGT. Garcia darwinskernel at gmail.com
Tue Sep 29 00:16:17 CEST 2015

On Mon, Sep 28, 2015 at 04:10:10PM -0400, Daniel Kahn Gillmor wrote:
> On Mon 2015-09-28 16:00:38 -0400, SGT. Garcia wrote:
> > i really want it as the only authentication required that is open password from
> > user logs him in and decrypts the passwords.
> >
> >> > that would be my email account not my local user account, correct?
> >> 
> >> The attack i described is an attack against your local user account,
> >> though i suspect it could be leveraged into an attack against your
> >> e-mail account as well.
> >
> > how does it work, does gnupg phone home? i suspect not. i did not agree to
> > import anything but apparently my mail client (mutt) and/or gnupg took the
> > initiative to do so. if that's true then that's a misconfiguration or bad
> > default configuration of mutt and/or gnupg, i think.
> There is no phoning home.  Do you ever import keys that other people
> send you?  or keys you find on the web?  or keys attached to e-mail
> messages?  Are you sure the things imported can't include a secret key?

this is the first time i've heard about *importing*, to be honest. after reading, yes
just reading, your email, a new key was added and on the next run of 'notmuch
new' i was asked for it by pinentry. i'm guessing mutt imports any key it finds
in attachments.

> Apparently i'm not doing a great job at communicating this scenario to
> you.  sorry about that.  Maybe someone else can try to explain it more
> clearly than i can.

it's not your fault. i think i'm missing some background on this.

> I understand what you're asking for, and i see how it would be a useful
> thing.  However, i think you should constrain it much more tightly than
> what you appear to be asking for, and i don't think that such a thing
> already exists.  It would be a bit of engineering work to make sure that
> it's functional, but i'd be happy to review something like this if
> somebody wants to propose it.
>          --dkg

for now i just nuked my old .gnupg directory and created a new one without a
passphrase. it seems to accomplish the same thing, i.e. no more annoying passphrase
dialog. i will have to confirm on the next boot though.
