Bug 183643 - kdm passphrase prompt for encrypted home partitions.
Status: RESOLVED DUPLICATE of bug 105631
Alias: None
Product: kdm
Classification: Unmaintained
Component: general
Version: unspecified
Platform: Fedora RPMs Linux
Importance: NOR wishlist
Target Milestone: ---
Assignee: kdm bugs tracker
 
Reported: 2009-02-08 01:14 UTC by Robin Laing
Modified: 2009-02-08 02:12 UTC

Description Robin Laing 2009-02-08 01:14:22 UTC
Version:           kdm-4.1-4.20081031svn (using KDE 4.1.4)
OS:                Linux
Installed from:    Fedora RPMs

With the need for higher security, I am moving all key users to encrypted home partitions to be mounted on login using a passphrase that is separate from their password.

I have configured pam_mount to work and mount the partition from a tty terminal.  In a terminal, I enter the user, get prompted for password and then asked for the passphrase for the home partition.  Pam_mount asks for the second password when the user password cannot be used to unlock the drive.

From pam_mount user list.

"2. even console login only asks for a password once unless there is a problem."

The partition is then processed by pam_mount and mounted to /home/{user}

Moving to kdm, kdm prompts for the user and password but there is no prompt for the passphrase.  There is no way to manually enter the passphrase at this point.

Without kdm prompting for the passphrase, only encrypted home partitions with a key file on a mounted partition are supported.  This leaves one level of security open and depends on the user password to unlock the drive.  It also means that roaming home directories between computers has to add a level of administration as the key file needs to be cloned across drives or stored in ldap.

This is from the pam_mount mail list.

"1. some programs, like kdm, do not offer secondary prompts (to my knowledge)."

This wish is related to https://bugs.kde.org/show_bug.cgi?id=113629 wishing for full LUKS support.

I don't know if it would be possible to have kdm look at the pam process and then open a dialog box to request the passphrase.

I understand that there are more issues to be resolved to make this fully transparent and useful that are not all kde related issues but involve hal, udev and pam.
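
A secondary prompt like the one described above reaches a login program through its PAM conversation callback. The following is an added illustration, not code from kdm or pam_mount: a callback that answers each hidden-input prompt with its own secret instead of stopping after the first. `greeter_input` and `greeter_conv` are hypothetical names, and the fallback definitions assume Linux-PAM's values for systems without its headers.

```c
#include <stdlib.h>
#include <string.h>
#if defined(__has_include) && __has_include(<security/pam_appl.h>)
#include <security/pam_appl.h>
#else /* no PAM headers: minimal definitions with Linux-PAM's values */
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
enum { PAM_SUCCESS = 0, PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2,
       PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4, PAM_BUF_ERR = 5,
       PAM_CONV_ERR = 19 };
#endif

/* Hypothetical greeter state: the secrets the user typed, in prompt order
 * (for example login password first, then the volume passphrase). */
struct greeter_input { const char **answers; int count; int used; };

/* Conversation callback: every input prompt consumes the next secret.
 * If a module asks for more than the greeter collected, fail cleanly. */
int greeter_conv(int num_msg, const struct pam_message **msg,
                 struct pam_response **resp, void *appdata_ptr)
{
    struct greeter_input *in = appdata_ptr;
    struct pam_response *out;
    int i;

    if (num_msg <= 0 || !msg || !resp || !in)
        return PAM_CONV_ERR;
    if (!(out = calloc((size_t)num_msg, sizeof(*out))))
        return PAM_BUF_ERR;
    for (i = 0; i < num_msg; i++) {
        int style = msg[i]->msg_style;
        if (style == PAM_TEXT_INFO || style == PAM_ERROR_MSG)
            continue;           /* a real greeter would display msg[i]->msg */
        if ((style != PAM_PROMPT_ECHO_OFF && style != PAM_PROMPT_ECHO_ON)
            || in->used >= in->count)
            goto fail;          /* unknown style, or no secret left */
        size_t n = strlen(in->answers[in->used]) + 1;
        if (!(out[i].resp = malloc(n)))
            goto fail;
        memcpy(out[i].resp, in->answers[in->used++], n);
    }
    *resp = out;                /* PAM frees the array and each resp */
    return PAM_SUCCESS;
fail:
    for (i = 0; i < num_msg; i++)
        free(out[i].resp);      /* a real greeter would wipe secrets first */
    free(out);
    return PAM_CONV_ERR;
}
```
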
Comment 1 Oswald Buddenhagen 2009-02-08 02:12:03 UTC
another dupe in disguise ...
your particular sub-problem is actually solved, btw.

*** This bug has been marked as a duplicate of bug 105631 ***