New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pam module: enable pam_keyinit.so by default #30333
Conversation
Ping. |
I admit I don't totally understand what this does, but if it's upstream-recommended and it fixes ecryptfs, then I'm all for it! 😄 |
We're not in a great place as this is a regression in 17.09. When we get this approved I think we should keep it in master for at least 2 weeks before cherry-picking it in 17.09 to make sure there are no side-effect to the pam change. The saving grace is this probably affects very few people… |
Any updates? |
Debian and Ubuntu only have it in a few PAM configs:
This can also be done with our NixOS PAM module. Can somebody test that this is enough to make ecryptfs work? |
@fpletz, well I'm biased but I've been running with it since I opened the PR & it's worked for me.. |
Okay. I'll try to give this a spin soon. We'll also have to find out why our ecryptfs test doesn't catch this. |
I vaguely recall trying to extend the test to cover the failing usecases but it went nowhere (and now don't recall much of the subtleties). Mostly I think it had to do with mounting encrypted directories at other times than login. |
(I've rebased this on fresh master) |
@fpletz, shall we merge this? |
Looks like this fixes other issues: #32279 (comment) |
So @eternaleye, based on #32279 (comment), you don't think we should merge it? |
I would like to see this merged, bcachefs with it's own encryption is very alluring. |
@obadz Sorry I took so long to reply - that is correct, I think this should not be merged. The issue is that this exposes shared, mutable, security-relevant state (the keyring) to all PAM sessions. In addition, the issue with ecryptfs and bcachefs was fixed upstream; as a result, the next release of systemd (v238) will make this workaround superfluous. |
This should be fixed now by #37647 and 361bd59...2d2ab94 which upgraded systemd to 238. |
My comment on the bottom of #32279 may be relevant here. |
Could one of you please try a recent 18.03 beta release with the systemd bump #36918? It's supposed to also fix this issue. |
Thanks! There was a bump to systemd to use the stable tree but I haven't checked if fixes for this issue went in there. |
I'll try again with that commit to make sure it's just not user error, we'll see if this is still the case. |
@fpletz |
This fixes a bug with changed qemu network interface names and also generally should be preferred to using a release tag.
I am still experiencing #27574 after the systemd-238 update. |
Closes #27574
Motivation for this change
Fixes ecryptfs regression (from 17.03 to 17.09) as explained in #27574 (comment)
I'm unfortunately not entirely sure what other side-effects this might have, though this thread seems to say that enabling
pam_keyinit
is "recommended" anyway.Hopefully someone more competent can opine.
From
pam_keyinit
's man page:AFAIK we don't have a separate
pam.nix
forsu
andsudo
so can't carve them out.(Without
force
, regression wouldn't go away)(Wasn't sure about this one but it sounded conservative so I put it in)
Things done
build-use-sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)