Comments (6)
I use the entries:
auth required pam_e4crypt.so onerr=succeed
session required pam_e4crypt.so onerr=succeed
I'll add them to the README and add a short explanation. This issue should be closed only after the information has found its way into the documentation.
Thanks for pointing this out btw, I didn't realize that the documentation lacked information on the entries.
It's weird but I still can't get it. Making it required locks me out of the system. Unfortunately I need further guidance. Let's say those are my current files in /etc/pam.d/:
/etc/pam.d/system-auth
#%PAM-1.0
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
auth required pam_env.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
password required pam_unix.so try_first_pass nullok sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
/etc/pam.d/system-login
#%PAM-1.0
auth required pam_tally.so onerr=succeed file=/var/log/faillog
auth required pam_shells.so
auth requisite pam_nologin.so
auth include system-auth
account required pam_access.so
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_loginuid.so
session include system-auth
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so dir=/var/spool/mail standard quiet
-session optional pam_systemd.so
session required pam_env.so
Where exactly should I put those pam_e4crypt.so and pam_keyinit.so entries?
It shouldn't matter when you perform the "authentication" with pam_e4crypt, but I recommend doing it rather late. However, it should be invoked as early as possible during the session setup. I recommend having PAM invoke pam_keyinit.so first and pam_e4crypt.so second. You should really use pam_keyinit btw.
For reference, here's my system-login file:
auth required pam_tally2.so onerr=succeed
auth required pam_shells.so
auth required pam_nologin.so
auth include system-auth
auth required pam_e4crypt.so onerr=succeed
account required pam_access.so
account required pam_nologin.so
account include system-auth
account required pam_tally2.so onerr=succeed
password include system-auth
session required pam_keyinit.so
session required pam_e4crypt.so onerr=succeed
session optional pam_loginuid.so
session required pam_env.so
session optional pam_lastlog.so silent
session include system-auth
session optional pam_ck_connector.so nox11
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so
All of this really ought to be part of the documentation. Shame on me.
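The two rules the maintainer gives above (pam_keyinit.so before pam_e4crypt.so in the session stack, and pam_e4crypt.so not used as a control that short-circuits the chain) can be checked mechanically. This is an added example, not code from the thread or from pam_e4crypt; it parses pam.d-style text, expands `include` lines, and reports violations against a constructed pair of sample stacks.

```python
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str, List[str]]  # (type, control, module, args)

def parse_pam(text: str) -> List[Entry]:
    """Parse pam.d-style lines; a leading '-' (as on pam_systemd.so) only marks the module optional."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.lstrip("-").split()
        if len(fields) >= 3:
            entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries

def flatten(name: str, files: Dict[str, str]) -> List[Entry]:
    """Expand 'include' lines so the order matches the stack PAM actually walks."""
    out: List[Entry] = []
    for typ, ctrl, mod, args in parse_pam(files[name]):
        if ctrl == "include":
            out.extend(e for e in flatten(mod, files) if e[0] == typ)
        else:
            out.append((typ, ctrl, mod, args))
    return out

def check_e4crypt(name: str, files: Dict[str, str]) -> List[str]:
    """Return the ordering/control problems found; an empty list means the stack looks right."""
    stack = flatten(name, files)
    problems: List[str] = []
    for typ, ctrl, mod, _ in stack:
        if typ == "auth" and mod == "pam_e4crypt.so" and ctrl == "sufficient":
            problems.append("auth: pam_e4crypt.so as 'sufficient' short-circuits the chain")
    session = [mod for typ, _, mod, _ in stack if typ == "session"]
    if "pam_e4crypt.so" not in session:
        problems.append("session: pam_e4crypt.so missing")
    elif "pam_keyinit.so" not in session:
        problems.append("session: pam_keyinit.so missing")
    elif session.index("pam_keyinit.so") > session.index("pam_e4crypt.so"):
        problems.append("session: pam_keyinit.so must run before pam_e4crypt.so")
    return problems

# Constructed sample stacks (trimmed from the thread's files), not real /etc/pam.d contents.
FILES = {
    "system-auth": "auth required pam_unix.so\nsession required pam_unix.so\n",
    "login-bad": "auth sufficient pam_e4crypt.so\nauth include system-auth\n"
                 "session required pam_e4crypt.so\nsession include system-auth\n",
    "login-good": "auth include system-auth\nauth required pam_e4crypt.so onerr=succeed\n"
                  "session required pam_keyinit.so\nsession optional pam_e4crypt.so onerr=succeed\n"
                  "session include system-auth\n",
}
```

Running `check_e4crypt("login-bad", FILES)` reports both the `sufficient` control and the missing pam_keyinit.so, while `login-good` returns an empty list.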
Ok, I had my auth method set as sufficient, which broke the chain. Setting it as required or optional fixed this. Also I had to set session optional for pam_e4crypt.so because required breaks SDDM with a "dbus can't sync environment" error (although console login still works).
One issue which still remains is that after logout my files are still decrypted in plaintext. Using the revoke option for pam_keyinit didn't help. My key isn't shown in keyctl anymore but perhaps exists somewhere in a cache. This is perhaps a limitation of ext4 encryption, not a pam_e4crypt issue. Could you confirm this in your setup?
I tested this by logging in with password1, confirming I have the password1 logon key in keyctl, logging out, logging in with password2, confirming I have the password2 logon key in keyctl (the password1 key is gone), but files encrypted with the password1 logon key are available in plaintext. Everything is done by the same user. Files are encrypted again as they should be only after a reboot.
I think that the new README is ok. You can add a notice that users can use optional instead of required for pam_e4crypt.so first to do testing, and probably should keep an emergency console available because of the lockout risk, as I had with SDDM.
I'm very grateful for your support!
Glad to hear. I'll update the README and open a new issue regarding the problem with files still being visible after.