On Tue, Dec 4, 2018 at 1:20 PM Ray Strode <rstrode@xxxxxxxxxx> wrote:
>
> hi,
> On Mon, Dec 3, 2018 at 5:48 PM Chris Murphy <lists@xxxxxxxxxxxxxxxxx> wrote:
> > - GDM needs to know how to use single passphrases to both login and
> > unlock volume.
> Right now if you have autologin enabled, then GDM will use the
> password you typed at the luks screen to unlock the gnome-keyring in
> the user's session.
>
> It's something that I implemented a long time ago, but it broke after
> systemd changes and I didn't end up fixing it until fairly recently
> with the help of mcatanzaro testing.

It might be reasonable out of the box if the WG wants to assume a single user use case with autologin by default. But I quickly imagine what happens if the user changes their passphrase:

a. Is the new passphrase added to one of the LUKS key slots? If not, the new passphrase won't work at plymouth on the next boot. User will try the old one, which does work, but then autologin will fail, user will try the new passphrase here which works. That's a bit schizo.

b. Is the old passphrase wiped from the proper LUKS key slot? Is the user warned? If no and no; then there's a window from the passphrase change time, and next boot which might not be immediate, when the user is likely unaware that their old passphrase is still valid for unlocking the encrypted volume.

For what it's worth, fscrypt has some PAM integration. That might help with both the multiple user case, and adding, removing, modifying passphrases.

--
Chris Murphy
_______________________________________________
desktop mailing list -- desktop@xxxxxxxxxxxxxxxxxxxxxxx