On Tue, 07.12.21 15:39, Zbigniew Jędrzejewski-Szmek (zbyszek@xxxxxxxxx) wrote:

> Latest systemd versions have been getting some support for the low-level
> parts, i.e. the low-level encrypted-secret storage. But we're missing the
> upper parts, i.e. how to actually use and update the passwords. I didn't
> even mention this, because we don't have a comprehensive story yet.
> I think it'd be necessary to write some pam module and/or authentication
> helper from scratch. It's probably not too much work, but nobody has
> signed up to do this.

So here's what I'd suggest: let's define a group (my suggestion: let's
repurpose "wheel" for that) that has the effect that the passwords of any
user in it are also accepted as the password for the root user, implicitly.

We'd have to add some small infra to collect these passwords, and
encrypt/sign them with TPM2, then propagate them to the ESP or to some EFI
var or so, so that they can be honoured already in the initrd.

With such a mechanism we would have quite nice semantics: if a user is
designated to have admin privs, then that's sufficient to be able to log
into the root account, no further manual work necessary, and it applies to
the whole runtime of the OS: from initrd to regular system, to sudo.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
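The semantics proposed above (a password offered for root is accepted if it matches root's own credential or that of any member of the admin group) reduce to a small authentication check. The following toy authenticator is an added illustration and is not code from this thread, from systemd, or from Fedora. It assumes a constructed in-memory shadow store and group table, uses salted PBKDF2 as a stand-in for whatever hashing a real implementation would use, and leaves out the TPM2 sealing and ESP/EFI-variable propagation the message describes. It also returns which account's credential actually matched, since an audit log that records "root login via alice's password" is what a defender would want from such a scheme.

```python
"""Toy authenticator for the proposed "admin group passwords unlock root"
semantics. Added example, not code from the thread or from systemd.
Constructed sample data; PBKDF2 stands in for the real hashing scheme."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

ADMIN_GROUP = "wheel"      # group repurposed as "root-equivalent" (per the proposal)
ITERATIONS = 100_000       # PBKDF2 work factor for this example


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password; a fresh random salt is used if none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Constructed sample "shadow" store and group membership (hypothetical users).
SHADOW: Dict[str, Tuple[bytes, bytes]] = {
    "root": hash_password("root-secret"),
    "alice": hash_password("alice-pw"),
    "bob": hash_password("bob-pw"),
}
GROUPS: Dict[str, Set[str]] = {
    "wheel": {"alice"},            # alice is an admin; bob is not
    "users": {"alice", "bob"},
}


def authenticate(user: str, password: str,
                 shadow: Dict[str, Tuple[bytes, bytes]] = SHADOW,
                 groups: Dict[str, Set[str]] = GROUPS) -> Optional[str]:
    """Authenticate `user` with `password`.

    Returns the name of the account whose credential matched (so the caller
    can log who actually unlocked root), or None on failure. Only the root
    account falls back to admin-group members' passwords; ordinary accounts
    accept their own password only.
    """
    entry = shadow.get(user)
    if entry is not None and verify(password, *entry):
        return user
    if user == "root":
        for member in sorted(groups.get(ADMIN_GROUP, set())):
            entry = shadow.get(member)
            if entry is not None and verify(password, *entry):
                return member          # root login via an admin member's password
    return None


if __name__ == "__main__":
    for who, pw in (("root", "root-secret"), ("root", "alice-pw"), ("root", "bob-pw")):
        matched = authenticate(who, pw)
        print(f"login as {who}: {'ok, credential of ' + matched if matched else 'denied'}")
```

The point worth noticing is the trust boundary this creates: every member of the admin group is root-equivalent at every stage the check is honoured, including the initrd, so group membership becomes the thing to review and the matched-account value is what an audit trail should record.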