On Thu, Sep 24, 2015 at 11:09:28PM -0400, Daniel Kahn Gillmor wrote:
> On Tue 2015-09-22 11:13:38 -0400, SGT. Garcia wrote:
> > been looking for a solution to get gpg to dance nicely with pam in the
> > sense that once a user is authenticated the keychain is unlocked. that is
> > to have one central authentication that lasts for the duration of the
> > user's session.
>
> You might be interested in libpam-poldi:
>
>   http://www.g10code.com/p-poldi.html

thanks, will have a look in a tick.

> I'm not sure if it meets your particular goals/use cases, though.
>
> There are some conceptual caveats to what you're proposing: Note that a
> user's GnuPG secret keyring potentially contains multiple secret keys,
> and each secret key could be encrypted with a different password. which
> secret key would need to be decrypted to make that work?

i use pass to manage my passwords: http://www.passwordstore.org/
all passwords are encrypted with one single passphrase, which is what i
would like to have in *sync* with pam's OK on the user's successful
authentication.

> Potentially even scarier, if i can convince you to import key material,
> i could give you a secret key that is set with a passphrase that i
> know. Once you've done that, if the PAM module allows me to connect
> if i can unlock any key, then i could use it to unlock your account!

import where? i'm not sure if i follow. pass only manages passwords for
my email accounts, so far at least, and i don't see how this comes into
play. would you care to elaborate, please?

> You could also consider a more integrated desktop environment like
> GNOME, which has a single keyring/password manager that is integrated
> with account login. GNOME's keyring can be used to also talk to
> gpg-agent if both tools are configured to do so.

i don't use a desktop environment. my machine usually boots into the
console and i may or may not run xinit to start X with dwm (a window
manager). this may change in the future when i start X's systemd
session-manager, which apparently requires a login-manager. same goes for
wayland incidentally, afaik. in that case i would be looking into
integrating that login-manager with gnupg for the same purpose.

sgt

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users