passwd, pam_mount, and LUKS/dm_crypt need better integration

Bug #179894 reported by jhansonxi on 2008-01-02
This bug affects 1 person
Affects: cryptsetup (Ubuntu)

Bug Description

Wishlist item. If separate LUKS/dm_crypt volumes are being used for each user's home directory they can be auto-mounted at login using pam_mount by supplying a key file encrypted by the login password via openssl that contains the LUKS/dm_crypt key and specifying it in pam_mount.conf. But there is no mechanism for re-encrypting the key file when the user changes their password, resulting in them being left in the empty home mount directory on their next login. While auto-mounting an encrypted volume via a generally weak login password reduces its effectiveness, this can be mitigated somewhat by storing the keys somewhere like /etc/keys/dm_crypt with 700 permissions and root ownership, increasing the default minimum password length to something >6 characters, and using an encrypted root volume. This setup is important for easing security implementation on laptops.

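The re-keying step the report says is missing, as an added example that is not part of the bug report, pam_mount or cryptsetup: the key file is assumed to have been produced by `openssl enc` with a password-derived key, as the description says; the cipher choice, the `/etc/keys/dm_crypt` path in the usage note and the function names are this example's own. It decrypts with the old password into a 0600 temp file, re-encrypts with the new one, verifies the result round-trips, and only then replaces the original, so a wrong old password or a failed write never leaves the user with an unreadable key file.

```shell
#!/bin/sh
# Added example (not from the bug report or from pam_mount/cryptsetup):
# re-key a pam_mount key file when the login password changes.
# Assumes the key file was produced by "openssl enc" with a password-derived
# key; the cipher, paths and function names are this example's choices.
set -eu

# -pbkdf2 needs OpenSSL 1.1.1 or later. Without it, "enc" falls back to the
# single-iteration EVP_BytesToKey derivation, which is the wrong choice for a
# key that is only as strong as a login password.
CIPHER="-aes-256-cbc -salt -pbkdf2 -iter 200000"

# encrypt_keyfile PLAIN_FILE OUT_FILE
# Password is read from stdin so it never appears in the process list.
encrypt_keyfile() {
    openssl enc $CIPHER -pass stdin -in "$1" -out "$2"
}

# decrypt_keyfile ENC_FILE
# Password on stdin; the plaintext key is written to stdout.
decrypt_keyfile() {
    openssl enc -d $CIPHER -pass stdin -in "$1"
}

# rekey_keyfile ENC_FILE OLD_PASSWORD NEW_PASSWORD
# Fails closed: the original key file is untouched unless the re-encrypted
# copy decrypts back to the same key material.
rekey_keyfile() {
    keyfile="$1" old="$2" new="$3"
    dir=$(dirname "$keyfile")
    plain=$(mktemp "$dir/.plain.XXXXXX")
    fresh=$(mktemp "$dir/.fresh.XXXXXX")
    check=$(mktemp "$dir/.check.XXXXXX")
    chmod 600 "$plain" "$fresh" "$check"   # mktemp uses 0600 already; be explicit

    # Decrypt to a file first: checking a pipeline's status would only report
    # the encrypt side, so a bad old password could silently produce an empty key.
    if ! printf '%s\n' "$old" | decrypt_keyfile "$keyfile" > "$plain"; then
        rm -f "$plain" "$fresh" "$check"
        echo "rekey: old password does not decrypt $keyfile; leaving it untouched" >&2
        return 1
    fi

    printf '%s\n' "$new" | encrypt_keyfile "$plain" "$fresh"

    # Verify before committing: decrypt the new file and compare byte for byte.
    printf '%s\n' "$new" | decrypt_keyfile "$fresh" > "$check"
    if ! cmp -s "$plain" "$check"; then
        rm -f "$plain" "$fresh" "$check"
        echo "rekey: verification of re-encrypted key failed" >&2
        return 1
    fi

    rm -f "$plain" "$check"    # shred(1) is preferable where the filesystem allows it
    mv -f "$fresh" "$keyfile"  # atomic replace; the key file is never half-written
}
```

Run as root from whatever hook handles the password change, for example `rekey_keyfile /etc/keys/dm_crypt/$USER.key "$old" "$new"`; the new file inherits the 0600 mode of the temp file, so the directory's 700/root ownership from the description still applies.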
Daniel T Chen (crimsun) on 2008-11-22
Changed in pam:
importance: Undecided → Wishlist
Jan Engelhardt (jengelh) wrote :

There is (was) a mechanism, the passwdehd script. (Not yet resurrected with the move to the new mount.crypt.)

jhansonxi (jhansonxi) wrote :

Hopefully it can be updated. I see there was a security problem reported with it:

Steve Langasek (vorlon) wrote :

To fix this bug, some package would need to provide a PAM module to integrate with this keystore and rekey when the password changes. I don't think pam itself is an appropriate place for this; it should be maintained somewhere more closely tied to the implementation of the keystore in question - either cryptsetup, or in some standalone package that provides this integration.

Reassigning to cryptsetup for the moment.

affects: pam (Ubuntu) → cryptsetup (Ubuntu)
Changed in cryptsetup (Ubuntu):
status: New → Confirmed