[pkg-cryptsetup-devel] Bug#502772: closed by Jonas Meurer <jonas at freesources.org> (Re: Bug#502772: cryptsetup: gnome autologin user should depend on boot password)

Daniel Mueller Zendil at gmx.net
Wed Nov 5 22:14:58 UTC 2008


Hello Jonas,

I agree that forwarding the pass phrase would definitely be a bad idea.
But communicating the slot number to PAM or GDM should not be a
security problem!?

I also considered filing this wishlist bug directly against the pam
package. But if the pam programmers wanted to implement this suggestion,
they would depend on luks to pass the slot number. If this is
impossible or a security problem, just keep the bug closed. If you see a
way luks could pass this information, please forward the bug to pam.

Best Regards

Daniel


Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the cryptsetup package:
>
> #502772: cryptsetup: gnome autologin user should depend on boot password
>
> It has been closed by Jonas Meurer <jonas at freesources.org>.
>
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Jonas Meurer <jonas at freesources.org> by
> replying to this email.
>
>
>   
>
> ------------------------------------------------------------------------
>
> Subject:
> Re: Bug#502772: cryptsetup: gnome autologin user should depend on boot
> password
> From:
> Jonas Meurer <jonas at freesources.org>
> Date:
> Wed, 5 Nov 2008 22:17:01 +0100
> To:
> Daniel Müller <zendil at gmx.net>, 502772-done at bugs.debian.org
> CC:
> Debian Bug Tracking System <submit at bugs.debian.org>
>
>
> On 19/10/2008 Daniel Müller wrote:
>   
>> If a linux PC is protected by luks hard disk encryption, you have to type
>> two passwords: the luks boot password and the user password for the
>> gnome/kde session. This is sometimes annoying.
>>
>> A single user could activate gnome/kde auto login and type only the boot password.
>>
>> If the same computer is used by more than one user, this is not possible.
>>
>> Could luks pass the key slot number or a user name associated with the key
>> slot number to gdm, so that the auto login user can depend on the boot
>> password used?
>>     
>
> Hey Daniel,
>
> If at all, your request needs to be implemented in gdm. It's not only
> out of cryptsetup's scope to submit/forward a passphrase, it even would
> be a grave security hole if it was supported.
>
> I cannot imagine a secure implementation for your requested
> functionality at all. Maybe you can do something with libpam-mount.
>
> Sorry, the wishlist request is not valid for cryptsetup, thus I'm
> closing the bug report.
>
> greetings,
>  jonas
>
>   
>
> ------------------------------------------------------------------------
>
> Subject:
> cryptsetup: gnome autologin user should depend on boot password
> From:
> Daniel Müller <zendil at gmx.net>
> Date:
> Sun, 19 Oct 2008 17:33:10 +0200
> To:
> Debian Bug Tracking System <submit at bugs.debian.org>
>
>
> Package: cryptsetup
> Version: 2:1.0.4+svn26-1
> Severity: wishlist
>
>
> If a linux PC is protected by luks hard disk encryption, you have to type
> two passwords: the luks boot password and the user password for the
> gnome/kde session. This is sometimes annoying.
>
> A single user could activate gnome/kde auto login and type only the boot password.
>
> If the same computer is used by more than one user, this is not possible.
>
> Could luks pass the key slot number or a user name associated with the key
> slot number to gdm, so that the auto login user can depend on the boot
> password used?
>
> -- System Information:
> Debian Release: 4.0
>   APT prefers stable
>   APT policy: (500, 'stable')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.18-6-686
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
>
> Versions of packages cryptsetup depends on:
> ii  dms 2:1.02.08-1                          The Linux Kernel Device Mapper use
> ii  lib 2.3.6.ds1-13etch7                    GNU C Library: Shared libraries
> ii  lib 2:1.02.08-1                          The Linux Kernel Device Mapper use
> ii  lib 1.2.3-2                              LGPL Crypto library - runtime libr
> ii  lib 1.4-1                                library for common error values an
> ii  lib 1.10-3                               lib for parsing cmdline parameters
> ii  lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 universally unique id library
>
> cryptsetup recommends no packages.
>
> -- no debconf information
>
>
>   




