Lennart Poettering wrote:
> The problem is that sshd's PAM implementation doesn't allow PAM
> modules to ask questions in login sessions which are authenticated via
> authorized_keys instead of PAM. Because if we could ask questions
> then, we could simply ask the user for the passphrase to derive the
> LUKS key from if we need. That would mean that if you SSH login if you
> already are logged in locally, then logins would be instant, but if
> you SSH login otherwise then you'd get a prompt for the pw first.
I think a proper SSH integration would actually store a LUKS keyfile
encrypted with the SSH public key somewhere in .ssh, and on login, send that
to the client, have that decrypt it with the SSH private key and send it
back, and use the decrypted key to unlock the LUKS partition.
Kevin Kofler
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
