Re: Fedora 32 System-Wide Change proposal: Disallow Empty Password By Default

On Wed, 04.12.19 03:09, Kevin Kofler (kevin.kofler@xxxxxxxxx) wrote:

> Lennart Poettering wrote:
> > The problem is that sshd's PAM implementation doesn't allow PAM
> > modules to ask questions in login sessions which are authenticated via
> > authorized_keys instead of PAM. Because if we could ask questions
> > then, we could simply ask the user for the passphrase to derive the
> > LUKS key from if we need. That would mean that if you SSH login if you
> > already are logged in locally, then logins would be instant, but if
> > you SSH login otherwise then you'd get a prompt for the pw first.
>
> I think a proper SSH integration would actually store a LUKS keyfile
> encrypted with the SSH public key somewhere in .ssh, and on login, send that
> to the client, have that decrypt it with the SSH private key and send it
> back, and use the decrypted key to unlock the LUKS partition.

To my knowledge, the SSH protocol doesn't have provisions for allowing
that, i.e. there's no API and no protocol for allowing apps on the
server to ask for decryption of arbitrary blobs from the client.

I mean, I am happy to support anything that we can do, but I am not
sure I want to get involved with SSH enough to amend protocol and
implementation for this, given that I don't even think it's as crucial
as some people think it is...

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
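Kevin's wrap-and-unwrap scheme quoted above, worked through as an added example; this is not code from either poster or from the Fedora change proposal. It assumes the user's SSH key is RSA (Ed25519 keys can only sign, so "encrypt with the SSH public key" is not available for them), uses RSA-OAEP from Go's standard library as the wrapping primitive, and simulates both ends in one process because, as Lennart points out, SSH carries no message with which a server could hand a blob to the client for decryption. The function names, the OAEP label and the 64-byte stand-in for a LUKS keyfile are all hypothetical.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical OAEP label: binds the ciphertext to this purpose so a blob
// wrapped for some other protocol will not decrypt here.
var oaepLabel = []byte("luks-keyfile-v1")

// luksKeyLen is the size of the constructed stand-in for a LUKS keyfile.
const luksKeyLen = 64

// ServerWrap runs once at setup: generate a random key to enrol in a LUKS
// key slot and wrap it to the user's SSH RSA public key. Only the wrapped
// blob would be stored under ~/.ssh; the plaintext goes to cryptsetup and
// is then discarded.
func ServerWrap(pub *rsa.PublicKey) (luksKey, wrapped []byte, err error) {
	luksKey = make([]byte, luksKeyLen)
	if _, err = rand.Read(luksKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, luksKey, oaepLabel)
	if err != nil {
		return nil, nil, err
	}
	return luksKey, wrapped, nil
}

// ClientUnwrap is the step the SSH client would have to perform with its
// private key. There is no SSH protocol message for the server to request
// it, which is the gap the thread discusses; here it is just a function call.
func ClientUnwrap(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, oaepLabel)
}

// RoundTrip simulates the login-time exchange end to end with a fresh key
// pair standing in for the user's SSH key: server sends the stored blob,
// client unwraps it, server compares what comes back with the enrolled key.
// Returns true when the server recovers exactly the key it enrolled.
func RoundTrip(bits int) (bool, error) {
	userKey, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return false, err
	}
	enrolled, stored, err := ServerWrap(&userKey.PublicKey)
	if err != nil {
		return false, err
	}
	// Server -> client: the wrapped blob. Client -> server: the plaintext key.
	recovered, err := ClientUnwrap(userKey, stored)
	if err != nil {
		return false, err
	}
	return bytes.Equal(recovered, enrolled), nil
}

// WrongKeyRejected checks the failure mode that matters: a blob wrapped to
// one user's key must not unwrap with a different key. OAEP decryption with
// the wrong private key fails its padding check and returns an error rather
// than silently yielding garbage.
func WrongKeyRejected(bits int) (bool, error) {
	alice, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return false, err
	}
	mallory, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return false, err
	}
	_, stored, err := ServerWrap(&alice.PublicKey)
	if err != nil {
		return false, err
	}
	if _, err := ClientUnwrap(mallory, stored); err == nil {
		return false, errors.New("blob unwrapped with the wrong private key")
	}
	return true, nil
}

func main() {
	ok, err := RoundTrip(2048)
	fmt.Println("round trip recovers enrolled key:", ok, err)
	rejected, err := WrongKeyRejected(2048)
	fmt.Println("wrong key rejected:", rejected, err)
}
```

Note that the client hands the plaintext back over the session, so within this scheme it acts as a decryption oracle for whatever blob the server presents; a real design would need the client to check what it is being asked to unwrap, which is one more thing the SSH protocol offers no hook for.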



