Automating pam_keyring...

Todd Zullinger tmz at pobox.com
Tue Jul 17 17:24:31 UTC 2007


Jonathan Underwood wrote:
> You were arguing for the login password/phrase matching the ssh
> password/phrase - that seems like a bad idea and really unnecessary.

It's necessary for using pam_ssh at the moment.  It is also needed
for pam_keyring.  I'm not arguing that this is the best way.  I was
only passing on this info that may help Jesse's friend find a
workable solution with the current tools.

>> There is always a tradeoff between security and convenience.  Are
>> you suggesting that there not be a way for users to enable their
>> login to unlock their various keyrings?
>
> Nope. But that in no way requires login password/phrase == ssh key
> password/phrase.

At present for pam_ssh it does.  I'm not sure how much of a risk this
really is.  Say that gnome-keyring gets support for unlocking ssh
keys.  Then I could have my ssh passphrase stored in gnome-keyring,
which would be using the same passphrase as my login.  My ssh
passphrase is now only as secure as gnome-keyring is.  How secure is
gnome-keyring?

I'm not suggesting that gnome-keyring is inherently insecure, as I've
not looked at it (nor am I really qualified to assess it properly).
But I'm not sure that having gnome-keyring -- using the same
passphrase as my login -- protecting my ssh passphrase is that much
different than using the same passphrase as login for the ssh key.  Am
I missing something really obvious?

For those that want much stronger security, not using any sort of
automated passphrase store and using different passphrases for login,
ssh keys, etc. is the only way to go.  That's not the target audience
for the features an automated pam_keyring would provide, as far as I
can tell.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The average woman would rather be beautiful than smart because the
average man can see better than he can think.
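
The coupling Todd describes (pam_ssh only works when the login password also
decrypts the ssh key) can be checked directly from a shell. The script below is
an added example for this page, not code from the thread or from pam_ssh or
pam_keyring; it assumes only that OpenSSH's ssh-keygen is on PATH. It performs
the same test pam_ssh effectively performs at login, trying a candidate
passphrase against a private key, and counts how many keys in a directory open
with it, which is what you would run to see whether your login password unlocks
anything in ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): test whether an SSH
# private key can be unlocked with a candidate passphrase.  This mirrors
# what pam_ssh does when it tries the login password against the user's
# key at login: if the test succeeds, the two secrets are the same.
# Assumes ssh-keygen from OpenSSH is available on PATH.

# key_unlocks_with KEYFILE PASSPHRASE
# Exit status 0 if PASSPHRASE decrypts KEYFILE, non-zero otherwise.
key_unlocks_with() {
    keyfile=$1
    passphrase=$2
    # -y prints the public key, which requires decrypting the private
    # key; -P supplies the passphrase so nothing is prompted for.
    # Output is discarded; only the exit status is used.
    ssh-keygen -y -P "$passphrase" -f "$keyfile" </dev/null >/dev/null 2>&1
}

# count_keys_unlocked_by DIR PASSPHRASE
# Prints the number of private keys under DIR that PASSPHRASE unlocks.
# Files that are not private keys (known_hosts, config, *.pub) simply
# fail the test and are not counted.
count_keys_unlocked_by() {
    dir=$1
    passphrase=$2
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        if key_unlocks_with "$f" "$passphrase"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}
```

Run it as `count_keys_unlocked_by "$HOME/.ssh" "$login_password"`; any
count above zero means that key is protected by no more than the login
password, whether the passphrase is typed, tried by pam_ssh, or handed
over by a keyring unlocked at login.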
