On Mo, 25.04.22 15:39, Benjamin Berg (benjamin@xxxxxxxxxxxxxxxx) wrote: > > Right now homed supports neither (I think it would make a ton of sense > > to add though. > > > > Note that homed home directories are LUKS-unlocked by the password > > entered or the secret unlocked by pkcs11/fido2. Thus adding > > alternative authenticators to homed accounts via just PAM will > > generally not work, since we must have something key-like (i.e. a > > password, or data blob from the security token or so) to unlock LUKS > > with. Not sure what fingerprint login has there? > > Fingerprint does not provide any data that could be used for unlocking > LUKS. So, my take is that we need to skip trying fingerprint > authentication if the home directory cannot be mounted without a > secret. Hmm, are you sure? I mean, I am sure many fingerprint devices are basically just photo scanners. But aren't there devices that are a bit smarter, and can do some cryptography based on local fingerprint auth? i.e. that wen you enroll a fingerprint you can associate some secret key with it that you pass to the hw. And then you store that secret key also on the host, and whenever you need to authorize a user you ask the fingerprint hw for a finger scan plus some value of your choice and it will return you a HMAC of that value, keyed by the secret you specified during enrollment? if so, that would be good enough for us I guess, as we could then use that unlock some of our own stuff incuding LUKS in the end. > > I don't understand the question, I have no idea how fingerprint and > > PAM currently interact... In fact I don't even have any idea whether > > fingerprint auth can communicate something we can use as unlock key > > for LUKS to us, and if PAM can function as a transport for that. > > Exactly, fingerprint auth cannot communicate any secret. > > The trouble is that we need the password for some things (home > directory, user keyring). The idea of my previous mail was to query > pam_systemd_home.so whether the home directory is available and the > simpler fingerprint authentication method may be acceptable. I think pam_systemd_home.so should simply sit in the PAM stack before the fprint auth so that fprint is never asked? Lennart -- Lennart Poettering, Berlin
Re: Disallowing fingerprint authentication if pam_systemd_home.so needs a password
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: Disallowing fingerprint authentication if pam_systemd_home.so needs a password
- From: Lennart Poettering <lennart@xxxxxxxxxxxxxx>
- Date: Mon, 25 Apr 2022 16:29:08 +0200
- Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
- In-reply-to: <5c72e0627209808262e1bbd14ebd3f73eb859907.camel@sipsolutions.net>
- References: <18b6966148a790c2b154cdd3eb25bcd37f4262a9.camel@sipsolutions.net> <YmaFx8xb95jIKrcJ@gardel-login> <5c72e0627209808262e1bbd14ebd3f73eb859907.camel@sipsolutions.net>
- Follow-Ups:
- Re: Disallowing fingerprint authentication if pam_systemd_home.so needs a password
- From: Benjamin Berg
- Re: Disallowing fingerprint authentication if pam_systemd_home.so needs a password
- From: Lennart Poettering
- Re: Disallowing fingerprint authentication if pam_systemd_home.so needs a password
- References:
- Disallowing fingerprint authentication if pam_systemd_home.so needs a password
- From: Benjamin Berg
- Re: Disallowing fingerprint authentication if pam_systemd_home.so needs a password
- From: Lennart Poettering
- Re: Disallowing fingerprint authentication if pam_systemd_home.so needs a password
- From: Benjamin Berg
- Disallowing fingerprint authentication if pam_systemd_home.so needs a password
- Prev by Date: rename a block device
- Next by Date: Re: rename a block device
- Previous by thread: Re: Disallowing fingerprint authentication if pam_systemd_home.so needs a password
- Next by thread: Re: Disallowing fingerprint authentication if pam_systemd_home.so needs a password
- Index(es):
 |