cruegge / pam-gnupg

Unlock GnuPG keys on login
GNU General Public License v3.0

Cannot make it work #1

Closed antoyo closed 7 years ago

antoyo commented 7 years ago

Hello. I've just tried this project, but I cannot make it work. I use ArchLinux and installed this project from AUR. I added these lines:

auth     optional  pam_gnupg.so
session  optional  pam_gnupg.so

in /etc/pam.d/system-local-login and:

auth     optional  pam_gnupg.so

in /etc/pam.d/i3lock, and

allow-preset-passphrase

in ~/.gnupg/gpg-agent.conf, and finally what I think is my keygrip in ~/.pam-gnupg. For the latter, the command gpg -K --with-keygrips fails with:

gpg: invalid option "--with-keygrips"

so I ran gpg -K and took the only string that was 40 characters. Is this ok? Are there some logs to see what is going on? Thanks for your help and your work!

cruegge commented 7 years ago

What GnuPG version are you using? I have only tested it with 2.1, and I'm fairly sure anything older than 2.0 will not work. Also, I do not know precisely how to obtain the keygrip on 2.0, but I have read somewhere that passing --fingerprint twice may work.

As for the logging, there is currently nothing. I wanted to polish things a bit, but did not get around to it yet. Maybe I'll look into it over the weekend.

antoyo commented 7 years ago

This is the output of gpg --version:

gpg (GnuPG) 2.1.19
libgcrypt 1.7.6

I was wondering if the keygrip was on the line mentioning KEYGRIP_HERE in the following when running gpg -K:

/home/user/.gnupg/pubring.kbx
sec    rsa4096 2017-04-04 [SC]
       KEYGRIP_HERE
…

Thanks.

cruegge commented 7 years ago

Oh, I just see there is a typo in the README. It should be --with-keygrip (without the final s). That should work for your version.

cruegge commented 7 years ago

And regarding your question about plain gpg -K: the KEYGRIP_HERE-line is not the keygrip, unfortunately.

antoyo commented 7 years ago

Do I need to use the Keygrip from sec or ssb? I tried both and it does not seem to work. Thanks for your help.

cruegge commented 7 years ago

Hmm, the ssb keygrip should work for decryption. Can you unlock your key using

echo <PASSPHRASE> | /usr/lib/gnupg/gpg-preset-passphrase --preset <KEYGRIP>

You might want to reset the agent cache using

echo reloadagent | gpg-connect-agent

before testing that.

antoyo commented 7 years ago

This command unlocks the key. Actually, I've just noticed that unlocking i3lock unlocks my key too. So, it probably has something to do with lxdm: I'll look into how to enable PAM for this display manager. Thanks.

antoyo commented 7 years ago

I needed to add these lines:

auth     optional  pam_gnupg.so
session  optional  pam_gnupg.so

in /etc/pam.d/lxdm. Could you please document that we need to add these lines for the display manager file too? Thanks for your great work!

cruegge commented 7 years ago

I updated the documentation. Thanks for the hint.

kopr12 commented 5 years ago

I'm facing the same problem. Not using display managers, I log in at the console after the kernel boots and then use startx. So I've added those auth and session lines in /etc/pam.d/system-local-login and followed everything else in the instructions. Am I missing something?

kopr12 commented 5 years ago

Never mind, the problem was /lib/security; in my case it had to be /lib64/security.
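
The checks this thread converged on, collected as an added shell example (not part of the thread and not pam-gnupg's own code): whether the PAM service file actually in use loads pam_gnupg.so, whether gpg-agent.conf allows presetting, whether the entries in the keygrip file are real keygrips rather than fingerprints, and which directory holds the module. The function names are hypothetical, and the keygrip file is assumed to hold one keygrip per line.

```sh
#!/bin/sh
# Added example: preflight checks for the pam-gnupg setup discussed in this thread.

# Read `gpg --with-colons --with-keygrip -K` output on stdin and print the
# keygrips. In colon format, "grp" records carry the keygrip in field 10.
keygrips_from_colons() {
    awk -F: '$1 == "grp" && $10 != "" { print toupper($10) }'
}

# Succeed if PAM service file $1 has an active line of type $2 (auth or
# session) that loads pam_gnupg.so. Commented-out lines do not count.
pam_has_gnupg() {
    awk -v type="$2" '
        $1 ~ /^#/ { next }
        { t = $1; sub(/^-/, "", t) }
        t == type && $0 ~ /pam_gnupg\.so/ { found = 1 }
        END { exit(found ? 0 : 1) }' "$1"
}

# Succeed if gpg-agent.conf ($1) enables allow-preset-passphrase.
agent_allows_preset() {
    grep -Eq '^[[:space:]]*allow-preset-passphrase[[:space:]]*$' "$1"
}

# Print each entry of keygrip file $1 that is not listed in $2 (known
# keygrips, one per line). Fails if any entry is unknown, e.g. a fingerprint.
# Assumption: one keygrip per line; blank lines and "#" lines are skipped.
unknown_keygrips() {
    _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=$(printf '%s' "$_line" | tr -d '[:space:]' | tr 'a-f' 'A-F')
        case "$_line" in ''|'#'*) continue ;; esac
        if ! grep -qxF -- "$_line" "$2"; then
            printf '%s\n' "$_line"
            _bad=1
        fi
    done < "$1"
    return "$_bad"
}

# Print the first directory among the arguments that contains pam_gnupg.so
# (the last post's fix: /lib64/security rather than /lib/security).
find_pam_module() {
    for _d in "$@"; do
        if [ -f "$_d/pam_gnupg.so" ]; then printf '%s\n' "$_d"; return 0; fi
    done
    return 1
}
```

Point `pam_has_gnupg` at the service file of whatever performs the login (for example /etc/pam.d/lxdm in this thread), since a line in one service file has no effect on logins handled by another.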