Re: encryption, partitioning, was: Workstation WG meeting recap 2018-Dec-03




On Wed, Dec 5, 2018 at 1:36 PM Ray Strode <rstrode@xxxxxxxxxx> wrote:
>
> Hi,
> On Wed, Dec 5, 2018 at 3:21 PM Hans de Goede <hdegoede@xxxxxxxxxx> wrote:
> > FWIW I think that putting the entirety of gdm in the initrd is a bad
> > idea,
> I don't think anyone proposed that (unless I'm missing something).

I did effectively say it as one possibility for FDE. Here's why: A
user should only need one passphrase to get into a computer. That
passphrase unlocks the encrypted volume, and authenticates them as the
user they claim to be at login time. And a computer should support 2+
user logins.

a. You could have a login window capture login credentials early, both
user and their passphrase. macOS does this in their bootloader when
Filevault2 is enabled.
b. You could have a password field only that appears early. LUKS
supports 8 slots so any user's passphrase would unlock the volume. And
then after startup, you'd choose your user icon at gdm, but without a
password field since that's already been entered.
c. If you can infer the user from their passphrase, you could skip the
user selection entirely, but that seems weird or maybe even spooky.
What happens behind the scenes, intentionally trying to log in as
everyone using the previously entered passphrase? That pollutes the
failed login attempts metadata that's tracked per user, and is
inappropriate.

Anyway, you still need to track users and their LUKS keyslots, so LUKS
keyslots can be wiped and modified. If I change my user login
passphrase either at the CLI or in the GUI, the new one should unlock
the volume and the old one should no longer unlock the volume.


-- 
Chris Murphy
_______________________________________________
desktop mailing list -- desktop@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to desktop-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/desktop@xxxxxxxxxxxxxxxxxxxxxxx