Re: Fedora 32 System-Wide Change proposal: Disallow Empty Password By Default

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Di, 03.12.19 01:29, John M. Harris Jr (johnmh@xxxxxxxxxxxxx) wrote:

> > The problem is that sshd's PAM implementation doesn't allow PAM
> > modules to ask questions in login sessions which are authenticated via
> > authorized_keys instead of PAM. Because if we could ask questions
> > then, we could simply ask the user for the passphrase to derive the
> > LUKS key from if we need. That would mean that if you SSH login if you
> > already are logged in locally, then logins would be instant, but if
> > you SSH login otherwise then you'd get a prompt for the pw first.
>
> Is the key's passphrase always going to be based on the user's password with
> systed-homed? Is there a mechanism to use a separate password?

In theory the infrastructure would allow that, but systemd-homed's
idea is really to unify authentication, and make disk encryption part
of the user account an implementation detail. Hence, in systemd-homed
you can have N passwords and M PKCS#11 tokens (i.e. yubikeys) and
these translate to N+M keyslots on the LUKS volume, so that any
supplied password or any supplied yubikey unlocks the whole stack.

(And N and M can individually be zero, but N+M must be > 0)

(And systemd-homed also supports ext4 encryption as backend, as well
as unencrypted backends, and authentication works the same there
except that the keys are never propagated to any storage backend
because the storage backend has no interest in cryptographic key
material)

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux