Bug 486152
Field | Value
---|---
Summary | RFE: authconfig should support pam_ecryptfs
Product | [Fedora] Fedora
Reporter | Piergiorgio Sartor <piergiorgio.sartor>
Component | authconfig
Assignee | Tomas Mraz <tmraz>
Status | CLOSED RAWHIDE
QA Contact | Fedora Extras Quality Assurance <extras-qa>
Severity | medium
Priority | low
Version | rawhide
CC | ascii79, dwmw2, mhlavink, pbonzini, pmrpla, psplicha, tmraz
Keywords | FutureFeature
Hardware | All
OS | Linux
Fixed In Version | authconfig-6.1.13-1.fc15
Doc Type | Enhancement
Last Closed | 2011-02-08 21:15:17 UTC
Bug Depends On | 665059, 665060, 665061, 665062, 665063
Bug Blocks | 487088, 516996, 617282
Description
Piergiorgio Sartor
2009-02-18 17:11:34 UTC
Hi, just curious to know how it is going with this, since in koji, looking at the changelog, I did not find any reference to this entry.

Thanks,
bye,
pg

---
This is still not implemented. Patches welcome. I'd prefer, for a start, to have it implemented in the command-line UI. I'd like to keep the GUI as simple as possible. In the %post of pam_ecryptfs it would then be possible to enable the module with a call to authconfig.

---
Created attachment 461342 [details]
patch to authconfig 6.1.11

The attached patch against Fedora 14's authconfig git repo takes care of adding a USEECRYPTFS key to /etc/sysconfig/authconfig and does parsing and regeneration of pam_ecryptfs entries in /etc/pam.d/system-auth.

The only quirk is that, since PAM files are read after sysconfig files, it is impossible to disable ecryptfs with

USE_ECRYPTFS=no

followed by "authconfig --updateall --update", because the pam_ecryptfs entry in system-auth trumps the USE_ECRYPTFS setting. I don't know if this is due to a mistake or is by design. I was simply copying what is done for fprintd. :)

---
This is by design. I will add the patch to the upstream repository and it will be included in the next authconfig release. Thank you.

---
Unfortunately the patch is not sufficient. The first (simple) problem is that not only system-auth but also the password-auth file should be modified. However, the bigger problem is the way the module has to be inserted into the PAM auth and password stacks. The module has to be called after the primary authentication modules (pam_unix, pam_krb5, pam_sss, pam_ldap), but these modules are "sufficient" in the current configuration as authconfig generates it. This means substantial changes are needed: these modules cannot be "sufficient", and a sophisticated configuration with jumps will have to be used. The other option would be to add a new file, called as a 'substack', that would contain just the above-mentioned modules.

---
You're right. This works for me:

=== /etc/pam.d/system-auth-chk:
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

=== /etc/pam.d/system-auth:
auth required pam_env.so
auth substack system-auth-chk
auth optional pam_ecryptfs.so unwrap

---
I think it's better to do it the other way round, i.e. by adding a postlogin configuration file in PAM and calling it whenever appropriate. You definitely do not want to mount ecryptfs when doing "chfn", for example... And in any case the above will not work for graphical login. I have a patch, but I still have to finish the PAM side.

---
Created attachment 461547 [details]
authconfig patch

This is an updated version of the patch that puts the "auth" and "session" pieces in a separate file, /etc/pam.d/postlogin. I'll shortly upload the other missing pieces.
---
Created attachment 461548 [details]
authconfig.spec patch
This is the authconfig.spec part of the feature.
---
Created attachment 461551 [details]
RFC patches for other packages
Other affected packages luckily require no upstream changes; PAM files are included directly in the Fedora RPMs. For this reason, this attachment includes as an RFC all the changes to affected packages: pam, util-linux-ng and gdm. I am not including /etc/pam.d/sshd and /etc/pam.d/remote.
If a package is missing, the only result is that ecryptfs will not be mounted when logging in via that service. It does not have any effect on the ability to use the service. The changes only ensure that *-auth is called as "auth substack" rather than "auth include", and add
auth include postlogin
session include postlogin
to the affected files.
If this approach is considered acceptable, I can clone the BZ for all affected packages. Maybe this should also be added to the F15 features page. Tomas, what do you think?
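The objection that a "sufficient" primary module ends the auth stack before a trailing pam_ecryptfs line is reached, and the RFC's requirement that *-auth be pulled in as "auth substack" rather than "auth include", are easiest to see by stepping through the stacks. The Python below is an added example, not authconfig's or Linux-PAM's code: it walks constructed /etc/pam.d files modelled on the system-auth-chk proposal using simplified PAM semantics (required, requisite, sufficient, optional, include, substack; no jump actions) and records which modules actually run.

```python
# Constructed /etc/pam.d contents modelled on the files proposed in the bug
# (added example, not authconfig's code).
FILES = {
    "system-auth-chk": """
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required   pam_deny.so""",
    "login-include": """
auth include  system-auth-chk
auth optional pam_ecryptfs.so unwrap""",
    "login-substack": """
auth substack system-auth-chk
auth optional pam_ecryptfs.so unwrap""",
}

def parse(name, mtype="auth"):
    """Yield (control, module-or-file) pairs for one management group."""
    for line in FILES[name].splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == mtype:
            yield parts[1], parts[2].split()[0]

def evaluate(name, results, ran):
    """Simplified Linux-PAM walk. `results` maps module -> constructed pass/fail; `ran`
    collects modules invoked. Returns (status, ended): ended = a done/die action fired."""
    failed = False
    for control, target in parse(name):
        if control == "include":           # child lines are spliced into OUR stack,
            status, ended = evaluate(target, results, ran)
            if ended:                       # so its done/die ends us as well
                return status, True
            failed = failed or status != "PAM_SUCCESS"
        elif control == "substack":        # done/die stop only the child stack
            status, _ = evaluate(target, results, ran)
            failed = failed or status != "PAM_SUCCESS"
        else:
            ran.append(target)
            ok = results.get(target, False)
            if control == "requisite" and not ok:
                return "PAM_AUTH_ERR", True
            if control == "required" and not ok:
                failed = True
            elif control == "sufficient" and ok and not failed:
                return "PAM_SUCCESS", True      # 'optional' never changes status
    return ("PAM_AUTH_ERR" if failed else "PAM_SUCCESS"), False

def login(service, results):  # -> (final status, modules executed)
    ran = []
    return evaluate(service, results, ran)[0], ran
```

With a successful pam_unix, `login("login-include", ...)` stops right after pam_unix and never reaches pam_ecryptfs, while `login("login-substack", ...)` returns to the parent stack and runs it.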
---
Created attachment 470252 [details]
authconfig patch v2

Updated to add "password optional pam_ecryptfs.so unwrap" to postlogin instead of system-auth. See also bug 665063.

---
Created attachment 476434 [details]
authconfig.spec patch v2

Patch used to build http://koji.fedoraproject.org//koji/taskinfo?taskID=2754782

---
Created attachment 476435 [details]
the two authconfig commits that fix the bug