[pkg-cryptsetup-devel] Bug#850756: cryptsetup: Please save password to kernel keyring
Laurent Bigonville
bigon at debian.org
Tue Jan 10 16:28:41 UTC 2017
On 10/01/17 at 14:37, Christoph Anton Mitterer wrote:
> On Tue, 2017-01-10 at 10:26 +0100, Laurent Bigonville wrote:
>> Well we need this to be integrated in cryptsetup if we want this to
>> work.
> Especially in the security-relevant context it's IMO always
> questionable whether everything should work automagically
> out-of-the-box.
We need to balance user friendliness and security.
So the only question here should be: does it introduce a security risk
or not?
And any software running as root can extract the key, I think, if the LUKS
partition is already open.
>> Do you have any specific concerns about enabling this automatically?
>> Anything in mind that might break?
> Basically three:
>
> - From what you wrote it wasn't clear to me whether the auto-login
> would happen by default, i.e. without the sysadmin (and not just a
> user) enabling it, or not.
> Many people (especially on not-just-single-user desktops) may likely
> not want such auto-login.
No, the user needs to explicitly enable the autologin. If the autologin
is enabled, the pam_gdm module will be called and try to retrieve the
password from the kernel keyring and use it to try to unlock the
gnome-keyring. And anyway, even if gdm were enabling auto-login by
default, this is not a concern for cryptsetup.
> - Security-wise it's particularly bad to make such sensitive material
> as the key accessible to such a big piece of software bloat.
> Looking at gdm3, it has quite an amount of direct and indirect
> dependencies, including some which seem to communicate with the
> internet (e.g. gdm3 is built on top of gnome-shell, which uses
> gnome-online-accounts).
> Such crucial things as the dm-crypt keys/passphrase should IMO be
> used with as little code as possible.
>
> - The whole "utopia" code has shown at least once that it may have
> tremendous security flaws; I vaguely remember some hole in some of
> devicekit/udisks/polkit which led to exporting the dm-crypt keys to
> every user (maybe #576687, which I recall here... or something else).
Isn't that true for any PAM service, as the PAM module code is run in the
process context?
Note that only the gdm-session-worker process is running as root;
gnome-shell and the rest are running as the Debian-gdm user and thus don't
have access to the root user's kernel keyring.
> Instead of unconditionally adding the key to the keyring, why not just
> include a keyscript in the package, which allows users to do just
> that?
> Maybe one can combine this with the already existing decrypt_keyctl.
A keyscript might be a solution, but it would require manual setup from
the end user.
Note also that the decrypt_keyctl script is also using the kernel
keyring to store the keys, so from a security POV it's the same IMHO.