On Tue, 03.12.19 01:29, John M. Harris Jr (johnmh@xxxxxxxxxxxxx) wrote:

> > The problem is that sshd's PAM implementation doesn't allow PAM
> > modules to ask questions in login sessions which are authenticated via
> > authorized_keys instead of PAM. Because if we could ask questions
> > then, we could simply ask the user for the passphrase to derive the
> > LUKS key from if we need. That would mean that if you SSH login if you
> > already are logged in locally, then logins would be instant, but if
> > you SSH login otherwise then you'd get a prompt for the pw first.
>
> Is the key's passphrase always going to be based on the user's password with
> systemd-homed? Is there a mechanism to use a separate password?

In theory the infrastructure would allow that, but systemd-homed's idea is really to unify authentication, and make disk encryption part of the user account an implementation detail.

Hence, in systemd-homed you can have N passwords and M PKCS#11 tokens (i.e. yubikeys) and these translate to N+M keyslots on the LUKS volume, so that any supplied password or any supplied yubikey unlocks the whole stack. (And N and M can individually be zero, but N+M must be > 0)

(And systemd-homed also supports ext4 encryption as backend, as well as unencrypted backends, and authentication works the same there except that the keys are never propagated to any storage backend because the storage backend has no interest in cryptographic key material)

Lennart

--
Lennart Poettering, Berlin
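The N+M keyslot design Lennart describes, as an added toy model (example code written here, not systemd-homed's or cryptsetup's own): one random volume key is wrapped once per credential, so any single password or token secret recovers the same key. It assumes a simplified wrap scheme in which scrypt stands in for the per-slot LUKS PBKDF and a PKCS#11 token is modelled as a high-entropy secret it hands back.

```python
"""Toy model of N passwords + M token secrets -> N+M keyslots (constructed example)."""
import hashlib
import hmac
import os
import secrets

VOLUME_KEY_LEN = 32


def _derive(secret: bytes, salt: bytes) -> bytes:
    # scrypt stands in for the PBKDF a LUKS2 header records per slot (assumption:
    # small cost parameters so the example runs quickly).
    return hashlib.scrypt(secret, salt=salt, n=2**12, r=8, p=1, dklen=64)


def _wrap(volume_key: bytes, secret: bytes) -> dict:
    salt = os.urandom(16)
    dk = _derive(secret, salt)
    enc_key, mac_key = dk[:32], dk[32:]
    # XOR with the per-slot derived key; the HMAC tag lets a wrong credential
    # be rejected instead of yielding garbage as the volume key.
    wrapped = bytes(a ^ b for a, b in zip(volume_key, enc_key))
    tag = hmac.new(mac_key, wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def create_keyslots(passwords, token_secrets):
    """Build one slot per credential; enforces the N+M > 0 rule from the mail."""
    creds = [p.encode() for p in passwords] + list(token_secrets)
    if not creds:
        raise ValueError("at least one password or token is required (N+M > 0)")
    volume_key = secrets.token_bytes(VOLUME_KEY_LEN)
    return volume_key, [_wrap(volume_key, c) for c in creds]


def unlock(slots, credential: bytes):
    """Try the credential against every slot; return the volume key or None."""
    for slot in slots:
        dk = _derive(credential, slot["salt"])
        enc_key, mac_key = dk[:32], dk[32:]
        expected = hmac.new(mac_key, slot["wrapped"], "sha256").digest()
        if hmac.compare_digest(expected, slot["tag"]):
            return bytes(a ^ b for a, b in zip(slot["wrapped"], enc_key))
    return None
```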