nuvious/pam-duress

Duress password does not unlock keyring

Closed this issue · 2 comments

After logging in with a duress password, the keyring notification window pops up and says the login password no longer matches the keyring password and asks for the password.

msva commented
  1. It is not supposed to unlock keyrings (even though you did not specify which keyring exactly).
  2. It can't work with keyrings in any way. It is a PAM module. That's all. It only provides a way to "allow fake password auth for whatever asks, and run jobs in background". That. Is. All. It is the keyring's business whether to use PAM or not (hint: none of them use PAM to unlock. Instead, they use the password they asked for to encrypt stored ones).

For further context, the purpose of the password for a keyring is to produce an encryption key which is then used to decrypt/encrypt your plaintext secrets. Some keyrings may be smart and use something like LUKS, where the actual key that is encrypted/decrypted is completely random and your password just decrypts the actual key. This is why you can add multiple passwords to unlock a LUKS encrypted block device. In any case, the password is used to directly generate an encryption key or unlock an encryption key.

For PAM, the password is used to authenticate via a simple salted hash. To the best of my knowledge, PAM may be configured on certain flavors to relay the plaintext password on to other routines, which may use the same password to, say, decrypt a home directory container or automatically unlock the key. However, the premise of pam-duress is that you are intentionally using a non-standard password which will not be able to generate/unlock the encryption keys used to encrypt home directories, keyrings, etc.

That's the long story on why the issue cannot be addressed the way this tool is designed to operate.
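
The distinction drawn in the comments above, as an added example that is not part of the original thread or of pam-duress's code: a login check that accepts two passwords by salted hash, next to a keyring whose random master key is wrapped only under the real password. All function names are hypothetical, and the XOR-plus-HMAC keyslot is a toy stand-in for the LUKS-style idea, not the format of LUKS or of any real keyring.

```python
import hashlib, hmac, os

def kdf(password: str, salt: bytes, n: int = 64) -> bytes:
    # PBKDF2-HMAC-SHA256 from the stdlib; iteration count kept low for demo speed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, dklen=n)

def auth_record(password: str) -> tuple[bytes, bytes]:
    # Authentication side: only a salted hash is stored, nothing is encrypted.
    salt = os.urandom(16)
    return salt, kdf(password, salt, 32)

def auth_check(password: str, records) -> bool:
    # Accept any password whose salted hash matches a stored record.
    return any(hmac.compare_digest(kdf(password, s, 32), h) for s, h in records)

def add_keyslot(password: str, master_key: bytes) -> dict:
    # LUKS-style idea: the random master key is wrapped under a
    # password-derived key (toy wrap: XOR pad plus HMAC tag).
    salt = os.urandom(16)
    k = kdf(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, k[:32]))
    tag = hmac.new(k[32:], wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unlock(password: str, slots):
    # Return the master key if the password opens any keyslot, else None.
    for slot in slots:
        k = kdf(password, slot["salt"])
        tag = hmac.new(k[32:], slot["wrapped"], hashlib.sha256).digest()
        if hmac.compare_digest(tag, slot["tag"]):
            return bytes(a ^ b for a, b in zip(slot["wrapped"], k[:32]))
    return None

def demo() -> dict:
    # Constructed sample passwords, for illustration only.
    real, duress, backup = "correct horse", "duress-1234", "backup-pass"
    master_key = os.urandom(32)  # the key that actually encrypts the secrets
    slots = [add_keyslot(real, master_key)]
    records = [auth_record(real), auth_record(duress)]  # login accepts both
    two_slots = slots + [add_keyslot(backup, master_key)]
    return {
        "duress_authenticates": auth_check(duress, records),
        "duress_unlocks_keyring": unlock(duress, slots) is not None,
        "real_unlocks_keyring": unlock(real, slots) == master_key,
        "second_slot_unlocks": unlock(backup, two_slots) == master_key,
    }

if __name__ == "__main__":
    print(demo())
```

The duress password passes the hash comparison but matches no keyslot, which is the situation the keyring prompt in the original report reflects.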