Automating pam_keyring...
Todd Zullinger
tmz at pobox.com
Tue Jul 17 15:42:55 UTC 2007
Jonathan Underwood wrote:
> On 17/07/07, Todd Zullinger <tmz at pobox.com> wrote:
>> With pam_ssh installed and a small tweak to /etc/pam.d/gdm (similar
>> to what you do to use pam_keyring), you can enter your password
>> once and be done. That is, at the gdm login screen you enter your
>> username and password and your ssh keys get loaded. This requires
>> your login password and the password on your ssh key(s) to match.
>
> That requirement isn't something that should be encouraged, though,
> IMO.
Yes, there's a benefit to keeping the passphrases separate. This
also affect pam_keyring. Anything that intends to unlock a keyring
with one passphrase pretty much requires that the passphrases match.
There is always a tradeoff between security and convenience. Are you
suggesting that there not be a way for users to enable their login to
unlock their various keyrings? Or are there better tools to make this
both convenient and more secure?
> There's a reason that ssh uses passphrases.
You say that like we don't all use passphrases for login. ;)
My fault for saying password when I should have said passphrase.
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Intaxication (n.) Euphoria at getting a tax refund, which lasts until
you realize it was your money to start with.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 542 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20070717/33e9852c/attachment-0002.bin
More information about the devel
mailing list