Many Questions about thinkfinger pam_mount gdm gnome-keyring and luks

dschmid · 06-04-2008, 05:08 PM

Hello, I have a little problem. I'm using Arch on my IBM x60s Thinkpad. First I have configured my System to use thinkfinger for authentification in the shell, gdm and on gnome-screensaver. That works really great. The next thing I wanted to do was to unlock a luks crypted volume on gdm login with my fingerprint. So I tried pam_mount, and added these two lines to my /etc/pam.d/gdm file:

auth optional pam_mount.so
session optional pam_mount.so

With this setup logon with fingerprint is not possible and I get asked for password twice. When I enter my password mounting is ok (my user pass and the pass for the encrypted volume are the same).
For security reasons is my pass over thirty digets and so very frustrating to enter.

I think pam_mount with thinkfinger there is no way to do this because pam_mount needs to get the password.
My question now is - is it possible to unlock gnome-keyring (with pam_keyring???) with thinkfinger input or is that the same issue? If I can store store the password in my keyring to use that for my luksOpen command would be great.

I think that both ways are not possible because one plain password is always needed. It would be great if there where a solution to use only a fingerprint instead of an password to encrypt and decrypt something (with a hash from the fingerprint or something else).

Any tip, idea or anything else is welcome. Thx for any help.

win32sux · 06-04-2008, 06:27 PM

Quote:

Originally Posted by dschmid

It would be great if there where a solution to use only a fingerprint instead of an password to encrypt and decrypt something (with a hash from the fingerprint or something else).

Any tip, idea or anything else is welcome. Thx for any help.

I don't have an answer to your questions, but I do have a small question of my own: Why would you want to encrypt/decrypt stuff using something you leave in cleartext almost everywhere you go? I'm really curious about this, as your answer might help me understand how people can *solely* rely on something like fingerprints for granting access to stuff.

dschmid · 06-04-2008, 06:51 PM

You are right the fingerprint is not the securest solution. But if my notebook gets stolen the chance is very low that the thief is clever enough to get my fingerprint from my keys to use it for login.
Today are many thumbdrives and hdds on the market that uses the fingerprint as key for decrypting the encrypted data on it. So there has to be a way to de- and encrypting date with biometric input.
The best and easiest solution for me now is to use my fingerprint for gdm shell and screensaver. And create a keyring file (gnome-keyring) that prompts me after login for password (12 - 16 digets not so an ugly long one) and mounts automatically my luks volume in gnome. I next try it with an truecrypt file bacause you can chose the algorithms and mix them. I think that increases the security a bit.