Hi List! I don't know if this is the right list to post this to, so please correct me if I'm wrong.
Anyway, I borrowed a laptop from a friend (to fix a couple of problems with it), using Ubuntu with Gnome 2.14 and NetworkManager. As you probably know, NetworkManager's Gnome applet uses the Gnome keyring to save WEP and WPA keys. Because of this, one has to unlock the keyring to be able to connect to a network.

I found the following situation quite annoying. As soon as one logs into Gnome (normally using a login password), one immediately has to unlock the keyring as well, normally using the same password (does anyone use a different password for login and the keyring?). Not a great deal, but one shouldn't have to enter one's password twice in a row.

So I got this idea. How about writing a PAM module which would make a crypto key from the login password (in a similar manner to how gnome-keyring-daemon already does, but with the login password) and store it in the Linux kernel's keyring utility (as introduced with, what was it, 2.6.12?), and then having gnome-keyring-daemon use it instead of asking for a password? A kind of SSO for the keyring, that is.

I've thought through the following considerations:

* Security is the same -- it's easy to extract the key from the kernel's keyring, but so is extracting gnome-keyring-daemon's key using ptrace. In both cases, it's stored in RAM, so it will disappear upon system shutdown/crash or user logout.

* A layer of indirection has to be used, in case the user changes his password. There will have to be a main key, which is encrypted with the password-generated key, and when the login password is changed, the main key will be re-encrypted.

* The indirection layer will also provide a framework to solve password-less logins or two-factor authentication, precisely because the main key is fetched indirectly.

I'm fully intending to do this work myself. I'd just like to hear any opinions about this scheme or any weaknesses spotted. Anyone?
Fredrik Tolf

_______________________________________________
gnome-devel-list mailing list
[email protected]
http://mail.gnome.org/mailman/listinfo/gnome-devel-list
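The indirection layer the post proposes (a random main key wrapped under a key derived from the login password, re-wrapped when the password changes) is worth seeing in working form. The following is an added example, not code from the poster, from gnome-keyring or from any PAM module. It uses only the Python standard library, so the wrapping primitive is an HMAC-SHA256 counter-mode keystream with a separate encrypt-then-MAC tag; that construction is an assumption made to keep the example self-contained, and a real module would use a library AEAD (AES-GCM) or AES key wrap instead. The PBKDF2 iteration count, field lengths and the `KeyringRecord` layout are likewise assumptions, and the kernel keyring itself is not touched: `derive_kek` returns the value a PAM module would `add_key` into the session keyring, and `unlock` is what the daemon would do with it.

```python
"""Password-derived KEK wrapping a long-lived master key, with re-wrap on password change.

Added illustration of the scheme in the post; not gnome-keyring code. Assumptions:
- PBKDF2-HMAC-SHA256 derives the KEK from the login password (a PAM module would store
  this KEK in the kernel session keyring; here it is just returned).
- Wrapping uses an HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC tag as a
  stdlib-only stand-in for AES-GCM / AES key wrap.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

KDF_ITERATIONS = 200_000  # assumed; tune to hardware, it bounds offline guessing speed
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
MASTER_KEY_LEN = 32


@dataclass(frozen=True)
class KeyringRecord:
    """What is persisted on disk: a public salt and the wrapped master key. No secrets in clear."""
    salt: bytes
    wrapped: bytes


def derive_kek(password: str, salt: bytes) -> bytes:
    """Login password -> key-encryption key (the value a PAM module would place in the keyring)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=32)


def _subkeys(kek: bytes) -> tuple[bytes, bytes]:
    # Domain-separate an encryption key and a MAC key so the KEK is never used for two purposes.
    enc = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac = hmac.new(kek, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher (stand-in for a library AEAD).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(master: bytes, kek: bytes) -> bytes:
    """Encrypt the master key under the KEK with a fresh nonce and append an integrity tag."""
    enc_key, mac_key = _subkeys(kek)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(m ^ k for m, k in zip(master, _keystream(enc_key, nonce, len(master))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(blob: bytes, kek: bytes) -> bytes:
    """Verify the tag first (wrong password or tampering is rejected), then decrypt."""
    enc_key, mac_key = _subkeys(kek)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted keyring record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_keyring(password: str) -> tuple[KeyringRecord, bytes]:
    """First-time setup: random master key, wrapped under the password-derived KEK."""
    master = os.urandom(MASTER_KEY_LEN)
    salt = os.urandom(SALT_LEN)
    return KeyringRecord(salt, wrap(master, derive_kek(password, salt))), master


def unlock(record: KeyringRecord, password: str) -> bytes:
    """What the daemon does at login: recover the master key from the KEK, no second prompt."""
    return unwrap(record.wrapped, derive_kek(password, record.salt))


def password_opens(record: KeyringRecord, password: str) -> bool:
    """True if the password unwraps the record; wrong passwords are detected by the tag check."""
    try:
        unlock(record, password)
        return True
    except ValueError:
        return False


def change_password(record: KeyringRecord, old_password: str, new_password: str) -> KeyringRecord:
    """passwd hook: re-wrap the SAME master key under a new KEK; stored secrets stay untouched."""
    master = unlock(record, old_password)
    salt = os.urandom(SALT_LEN)  # fresh salt, so the new KEK is unrelated to the old one
    return KeyringRecord(salt, wrap(master, derive_kek(new_password, salt)))


if __name__ == "__main__":
    rec, master = create_keyring("hunter2")
    rec2 = change_password(rec, "hunter2", "correct horse")
    print("same master key after rewrap:", unlock(rec2, "correct horse") == master)
    print("old password still opens old record:", password_opens(rec, "hunter2"))
```

Two practical points the code makes visible. First, `change_password` produces a new record but does nothing to the old one, so the on-disk replacement has to be atomic (write to a temporary file and rename) or a crash leaves either a record the new password cannot open or one the old password still opens. Second, the tag check before decryption is what lets the daemon distinguish "wrong password" from garbage, which matters because the PAM path has no interactive prompt to fall back to.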
