On Mo, 02.12.19 12:39, Chris Murphy (lists@xxxxxxxxxxxxxxxxx) wrote:

> Basically you have to choose between user home security (or more
> specifically privacy) and remote logins. However, there are some
> ideas that could possibly work around this, to varying degrees of
> inelegance, which I'll gratuitously copy from a related Workstation
> WG issue [1].
>
> 1. Enhance openssh's PAM support
> 2. Stub account to ssh into, whereby the user is prompted to
> authenticate+unlock the real account; and now ssh into the real
> account.
> 3. Same as 2 but maybe it's possible to bind mount the real home dir
> over the stub home dir, eliminating the 2nd login? (Vaguely recall
> reading about this somewhere, maybe Ubuntu's use of ecryptfs based
> home, now since deprecated in favor of LUKS)
> 4. If based on any fscrypt implementation, exclude ~/.ssh/ from
> encryption

systemd-homed integrates with sshd's AuthorizedKeysCommand and supplies any SSH keys associated with the user account directly to SSH without anyone needing access to ~/.ssh/. I.e. integration with SSH is actually already in place.

The problem is that sshd's PAM implementation doesn't allow PAM modules to ask questions in login sessions which are authenticated via authorized_keys instead of PAM. Because if we could ask questions then, we could simply ask the user for the passphrase to derive the LUKS key from if we need. That would mean that if you log in via SSH while you are already logged in locally, then logins would be instant, but if you log in via SSH otherwise then you'd get a prompt for the pw first.
Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
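To illustrate the AuthorizedKeysCommand integration Lennart describes, here is an added example of such a command (not systemd-homed's own code): it serves a user's keys from a JSON user record so sshd never has to read a possibly still-locked ~/.ssh/. The record layout is modeled on systemd's JSON user record format (privileged.sshAuthorizedKeys), the sample record is constructed, and the record store is an in-memory stand-in for a real userdb lookup.

```python
#!/usr/bin/env python3
"""Minimal AuthorizedKeysCommand serving SSH keys from a JSON user record.

Added example, not systemd-homed's code. sshd would be pointed at it with:
    AuthorizedKeysCommand     /usr/local/libexec/record-keys %u
    AuthorizedKeysCommandUser nobody
so that public-key login works without anyone reading ~/.ssh/.
Field names follow systemd's JSON user record format as an assumption.
"""
import json
import re
import sys
from typing import Dict, List, Optional

# Constructed sample records standing in for what a userdb lookup returns.
SAMPLE_RECORDS: Dict[str, dict] = {
    "alice": {
        "userName": "alice",
        "privileged": {
            "sshAuthorizedKeys": [
                "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataOnlyForDemo alice@laptop",
                "not a key at all",  # corrupt entry, must be dropped
            ]
        },
    },
    "bob": {"userName": "bob"},  # record without any keys at all
}

# Only well-formed key lines are emitted, so a damaged record cannot smuggle
# authorized_keys options or extra lines into sshd's view.
KEY_LINE = re.compile(
    r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( [^\r\n]*)?$"
)


def authorized_keys(record: Optional[dict]) -> List[str]:
    """Return the authorized_keys lines for one record (empty if none)."""
    if not record:
        return []
    keys = record.get("privileged", {}).get("sshAuthorizedKeys", [])
    return [k for k in keys if isinstance(k, str) and KEY_LINE.match(k)]


def lookup(username: str, records: Dict[str, dict] = SAMPLE_RECORDS) -> List[str]:
    """Simulate the lookup sshd triggers via %u; refuse odd names up front."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]*", username):
        return []
    return authorized_keys(records.get(username))


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else ""
    print("\n".join(lookup(user)))
```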