[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Automating pam_keyring...



Jonathan Underwood wrote:
> On 17/07/07, Todd Zullinger <tmz pobox com> wrote:
>> With pam_ssh installed and a small tweak to /etc/pam.d/gdm (similar
>> to what you do to use pam_keyring), you can enter your password
>> once and be done.  That is, at the gdm login screen you enter your
>> username and password and your ssh keys get loaded.  This requires
>> your login password and the password on your ssh key(s) to match.
>
> That requirement isn't something that should be encouraged, though,
> IMO.

Yes, there's a benefit to keeping the passphrases separate.  This
also affect pam_keyring.  Anything that intends to unlock a keyring
with one passphrase pretty much requires that the passphrases match.

There is always a tradeoff between security and convenience.  Are you
suggesting that there not be a way for users to enable their login to
unlock their various keyrings?  Or are there better tools to make this
both convenient and more secure?

> There's a reason that ssh uses passphrases.

You say that like we don't all use passphrases for login. ;)

My fault for saying password when I should have said passphrase.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Intaxication (n.) Euphoria at getting a tax refund, which lasts until
you realize it was your money to start with.

Attachment: pgp4wUzQkQEtX.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]