Re: Questions about encrypting user homes by default




On Tue, Sep 24, 2019 at 5:47 PM Adam Williamson
<adamwill@xxxxxxxxxxxxxxxxx> wrote:
>
> Has anyone considered how all this interacts with domain users, BTW?
>
> My user account is not a local one managed in /etc/passwd; it's a
> FreeIPA domain account. One fun thing that happens with this is that
> when I change my password in FreeIPA, I have to do a stupid trick in
> seahorse to change my keyring password to be the same as the new user
> password, otherwise my keyring doesn't get unlocked when I log into the
> system. Are we gonna have similar 'fun' with on-by-default or mandatory
> user data encryption?

PAM can forward your passphrase to FreeIPA and fscrypt. But what if
your FreeIPA admin has a passphrase expiration policy that's
triggered, you change your passphrase with FreeIPA, and go to log in,
and voilà, fscrypt gets the new passphrase forwarded, which is wrong.

So yeah, at worst, you need an opt out for user encryption. And at
best there'd be some integration so that the passphrase changes both
login and user data encryption at the same time - that's not trivial I
suspect.

The problem of separate login credentials and unlocking encrypted user
data is solved by systemd-homed. But I think it's intended as a simple
solution for a laptop with one to a few users.


-- 
Chris Murphy
_______________________________________________
desktop mailing list -- desktop@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to desktop-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/desktop@xxxxxxxxxxxxxxxxxxxxxxx
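The failure mode Chris describes (the directory password changes server-side, PAM forwards the new one, the local protector was wrapped under the old one) and the rewrap integration he says would be needed, replayed as an added example that is not part of this thread, fscrypt, or Fedora. It is a simplified model of fscrypt's "login protector" design (a passphrase-derived key that wraps the per-directory policy key): the KDF cost, the toy XOR-plus-HMAC wrapping, the `LoginProtector` class and the scenario function are all hypothetical constructions for illustration, not fscrypt's on-disk format or pam_fscrypt's code.

```python
import hashlib
import hmac
import secrets

# Simplified model (added example, hypothetical): a "login protector" is a key
# derived from the user's login passphrase; it wraps the per-directory policy
# key that actually encrypts the home directory. Real fscrypt uses its own
# on-disk format and wrapping scheme; everything here is constructed.

KDF_ITERATIONS = 100_000  # illustrative cost; not fscrypt's tuning


def derive_protector_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the login passphrase into a 32-byte protector key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, dklen=32)


def wrap_policy_key(protector_key: bytes, policy_key: bytes) -> dict:
    """Encrypt-then-MAC the 32-byte policy key under the protector key (toy construction)."""
    assert len(policy_key) == 32
    nonce = secrets.token_bytes(16)
    keystream = hashlib.sha256(protector_key + b"wrap" + nonce).digest()
    ciphertext = bytes(a ^ b for a, b in zip(policy_key, keystream))
    tag = hmac.new(protector_key, nonce + ciphertext, "sha256").digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def unwrap_policy_key(protector_key: bytes, wrapped: dict):
    """Return the policy key, or None when the protector key (i.e. the passphrase) is wrong."""
    expected = hmac.new(protector_key, wrapped["nonce"] + wrapped["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, wrapped["tag"]):
        return None
    keystream = hashlib.sha256(protector_key + b"wrap" + wrapped["nonce"]).digest()
    return bytes(a ^ b for a, b in zip(wrapped["ciphertext"], keystream))


class LoginProtector:
    """Per-user state: salt plus the policy key wrapped under the passphrase-derived key."""

    def __init__(self, passphrase: str, policy_key: bytes):
        self.salt = secrets.token_bytes(16)
        self.wrapped = wrap_policy_key(derive_protector_key(passphrase, self.salt), policy_key)

    def unlock(self, passphrase: str):
        """What a PAM session hook does at login: try the passphrase PAM forwarded."""
        return unwrap_policy_key(derive_protector_key(passphrase, self.salt), self.wrapped)

    def rewrap(self, old_passphrase: str, new_passphrase: str) -> bool:
        """What a PAM 'password' hook would have to do: unwrap with the old, rewrap with the new.
        This is exactly the step a server-side (FreeIPA) password change skips."""
        policy_key = self.unlock(old_passphrase)
        if policy_key is None:
            return False
        self.salt = secrets.token_bytes(16)
        self.wrapped = wrap_policy_key(derive_protector_key(new_passphrase, self.salt), policy_key)
        return True


def remote_password_change_scenario() -> dict:
    """Replay the thread's failure mode: the passphrase changes in the directory
    (FreeIPA) without the local protector being rewrapped."""
    policy_key = secrets.token_bytes(32)  # constructed sample key
    protector = LoginProtector("old-pass", policy_key)
    results = {}
    results["login_before_change"] = protector.unlock("old-pass") == policy_key
    # Passphrase changed server-side; PAM forwards the new one at the next login.
    results["login_after_remote_change"] = protector.unlock("new-pass") == policy_key
    # The integration the thread asks for: a rewrap needs the old passphrase as well.
    results["rewrap_without_old"] = protector.rewrap("wrong-old", "new-pass")
    results["rewrap_with_old"] = protector.rewrap("old-pass", "new-pass")
    results["login_after_rewrap"] = protector.unlock("new-pass") == policy_key
    results["old_pass_rejected_after_rewrap"] = protector.unlock("old-pass") is None
    return results


if __name__ == "__main__":
    for step, ok in remote_password_change_scenario().items():
        print(f"{step}: {'ok' if ok else 'fails'}")
```

The point the scenario makes is that forwarding the new passphrase is not enough: the wrapped key on disk can only be opened by whatever passphrase it was wrapped under, so the change has to be captured by something that still holds (or can prompt for) the old passphrase and rewraps at that moment. A password change done in the directory server never passes through the local machine, which is why an opt-out, or a rewrap path that knows the old secret, is needed.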