On Mon, 2014-12-08 at 20:45 +0100, Stef Walter wrote:
> Yes, this is useful. I would suggest however that you encrypt a secret with the key on the smart card, and use that secret to encrypt the password keyring ... rather than doing it directly using the smart card.
Oh $DEITY yes. You have a 'session key' which actually encrypts the storage, then you store a copy of that encrypted with the password (for the cases where that works), *and* a copy of it encrypted with whatever external keys you might have, like the pam_pkcs11 one and the Microsoft BKRP one.
> Doing it with the extra step solves all sorts of issues with sharing PKCS#11 sessions between processes, etc. In fact, if you can put such a secret as an AUTHTOK directly in the PAM stack after authenticating with the smart card, gnome-keyring will happily use it.
That kind of thing is a possibility, yes. It certainly sounds easier than actually arranging access to PKCS#11 modules or "real" secrets. Thanks. -- dwmw2
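One way to implement the multi-slot session-key design discussed in this thread, as an added example that is not code from gnome-keyring or from either poster: the storage key is wrapped separately under a password-derived KEK and under an externally supplied unlock secret (such as an AUTHTOK handed over by PAM after smart card authentication), so either slot unlocks it and a password change only re-wraps one slot. The slot layout and the PRF-keystream-plus-HMAC wrapping are my own assumptions chosen to stay within the standard library; a real keyring would use AES-GCM or AES key wrap instead.

```python
import hashlib
import hmac
import secrets
from typing import Optional

KEY_LEN = 32  # size of the session key that actually encrypts the storage

def derive_kek(secret: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stretch a password or external token into a 64-byte key-encrypting key."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=64)

def wrap_key(session_key: bytes, kek: bytes) -> dict:
    """Encrypt-then-MAC the session key: HMAC-derived keystream, then HMAC tag."""
    assert len(session_key) == KEY_LEN  # keystream below is exactly 32 bytes
    enc_key, mac_key = kek[:32], kek[32:]
    nonce = secrets.token_bytes(16)
    stream = hmac.new(enc_key, nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(session_key, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unwrap_key(slot: dict, kek: bytes) -> Optional[bytes]:
    """Return the session key, or None if the KEK is wrong or the slot was altered."""
    enc_key, mac_key = kek[:32], kek[32:]
    expected = hmac.new(mac_key, slot["nonce"] + slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    stream = hmac.new(enc_key, slot["nonce"], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(slot["ct"], stream))

def add_slot(keyring: dict, session_key: bytes, name: str, secret: bytes) -> None:
    """Wrap the same session key under another unlock secret (password, PAM token, ...)."""
    salt = secrets.token_bytes(16)
    keyring["slots"][name] = {"salt": salt, **wrap_key(session_key, derive_kek(secret, salt))}

def create_keyring(unlock_secrets: dict) -> tuple:
    """Generate a fresh session key and wrap it once per unlock secret."""
    session_key = secrets.token_bytes(KEY_LEN)
    keyring = {"slots": {}}
    for name, secret in unlock_secrets.items():
        add_slot(keyring, session_key, name, secret)
    return session_key, keyring

def unlock_keyring(keyring: dict, name: str, secret: bytes) -> Optional[bytes]:
    """Recover the session key through one named slot; any valid slot suffices."""
    slot = keyring["slots"].get(name)
    if slot is None:
        return None
    return unwrap_key(slot, derive_kek(secret, slot["salt"]))
```

Rotating the password means calling add_slot with the new password and deleting the old slot; the storage itself is never re-encrypted.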