Automating pam_keyring...
Todd Zullinger
tmz at pobox.com
Tue Jul 17 15:42:55 UTC 2007
Jonathan Underwood wrote:
> On 17/07/07, Todd Zullinger <tmz at pobox.com> wrote:
>> With pam_ssh installed and a small tweak to /etc/pam.d/gdm (similar
>> to what you do to use pam_keyring), you can enter your password
>> once and be done. That is, at the gdm login screen you enter your
>> username and password and your ssh keys get loaded. This requires
>> your login password and the password on your ssh key(s) to match.
>
> That requirement isn't something that should be encouraged, though,
> IMO.
Yes, there's a benefit to keeping the passphrases separate. This
also affect pam_keyring. Anything that intends to unlock a keyring
with one passphrase pretty much requires that the passphrases match.
There is always a tradeoff between security and convenience. Are you
suggesting that there not be a way for users to enable their login to
unlock their various keyrings? Or are there better tools to make this
both convenient and more secure?
> There's a reason that ssh uses passphrases.
You say that like we don't all use passphrases for login. ;)
My fault for saying password when I should have said passphrase.
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Intaxication (n.) Euphoria at getting a tax refund, which lasts until
you realize it was your money to start with.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 542 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20070717/33e9852c/attachment.sig>
More information about the fedora-devel-list
mailing list