Jonathan Underwood wrote: > On 17/07/07, Todd Zullinger <tmz pobox com> wrote: >> With pam_ssh installed and a small tweak to /etc/pam.d/gdm (similar >> to what you do to use pam_keyring), you can enter your password >> once and be done. That is, at the gdm login screen you enter your >> username and password and your ssh keys get loaded. This requires >> your login password and the password on your ssh key(s) to match. > > That requirement isn't something that should be encouraged, though, > IMO. Yes, there's a benefit to keeping the passphrases separate. This also affect pam_keyring. Anything that intends to unlock a keyring with one passphrase pretty much requires that the passphrases match. There is always a tradeoff between security and convenience. Are you suggesting that there not be a way for users to enable their login to unlock their various keyrings? Or are there better tools to make this both convenient and more secure? > There's a reason that ssh uses passphrases. You say that like we don't all use passphrases for login. ;) My fault for saying password when I should have said passphrase. -- Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Intaxication (n.) Euphoria at getting a tax refund, which lasts until you realize it was your money to start with.
Description: PGP signature