Hello Jonas,

I agree that forwarding the pass phrase would definitely be a bad idea.
But communicating the slot number to PAM or GDM should not be a
security problem!?

I also considered filing this wish list bug directly to the pam
package. But if the pam programmers wanted to implement this suggestion,
they would depend on luks to pass the slot number. If this is
impossible or a security problem, just keep the bug closed. If you see a
way how luks could pass this information, please forward the bug to pam.

Best Regards

Daniel


Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the cryptsetup package:
>
> #502772: cryptsetup: gnome autologin user should depend on boot passsword
>
> It has been closed by Jonas Meurer <[EMAIL PROTECTED]>.
>
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Jonas Meurer <[EMAIL PROTECTED]> by
> replying to this email.
>
>
>   
>
> ------------------------------------------------------------------------
>
> Subject: Re: Bug#502772: cryptsetup: gnome autologin user should depend on boot passsword
> From: Jonas Meurer <[EMAIL PROTECTED]>
> Date: Wed, 5 Nov 2008 22:17:01 +0100
> To: Daniel Müller <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> CC: Debian Bug Tracking System <[EMAIL PROTECTED]>
>
>
> On 19/10/2008 Daniel Müller wrote:
>   
>> If a linux PC is protected by luks hard disk encryption, you have to type
>> two passwords: the luks boot password and the user password for the
>> gnome/kde session. This is sometimes annoying.
>>
>> A single user could activate gnome/kde auto login and type only the boot
>> password.
>>
>> If the same computer is used by more than one user, this is not possible.
>>
>> Could luks pass the key slot number or a user name associated with the key
>> slot number to gdm, so that the auto login user can depend on the boot
>> password used?
>>     
>
> Hey Daniel,
>
> If at all, your request needs to be implemented in gdm. It's not only
> out of cryptsetup's scope to submit/forward a passphrase, it even would
> be a grave security hole if it was supported.
>
> I cannot imagine a secure implementation for your requested
> functionality at all. maybe you can do something with libpam-mount.
>
> sorry, the wishlist request is not valid for cryptsetup, thus I'm
> closing the bugreport.
>
> greetings,
>  jonas
>
>   
>
> ------------------------------------------------------------------------
>
> Subject: cryptsetup: gnome autologin user should depend on boot passsword
> From: Daniel Müller <[EMAIL PROTECTED]>
> Date: Sun, 19 Oct 2008 17:33:10 +0200
> To: Debian Bug Tracking System <[EMAIL PROTECTED]>
>
>
> Package: cryptsetup
> Version: 2:1.0.4+svn26-1
> Severity: wishlist
>
>
> If a linux PC is protected by luks hard disk encryption, you have to type
> two passwords: the luks boot password and the user password for the
> gnome/kde session. This is sometimes annoying.
>
> A single user could activate gnome/kde auto login and type only the boot
> password.
>
> If the same computer is used by more than one user, this is not possible.
>
> Could luks pass the key slot number or a user name associated with the key
> slot number to gdm, so that the auto login user can depend on the boot
> password used?
>
> -- System Information:
> Debian Release: 4.0
>   APT prefers stable
>   APT policy: (500, 'stable')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.18-6-686
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
>
> Versions of packages cryptsetup depends on:
> ii  dms 2:1.02.08-1                          The Linux Kernel Device Mapper use
> ii  lib 2.3.6.ds1-13etch7                    GNU C Library: Shared libraries
> ii  lib 2:1.02.08-1                          The Linux Kernel Device Mapper use
> ii  lib 1.2.3-2                              LGPL Crypto library - runtime libr
> ii  lib 1.4-1                                library for common error values an
> ii  lib 1.10-3                               lib for parsing cmdline parameters
> ii  lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 universally unique id library
>
> cryptsetup recommends no packages.
>
> -- no debconf information
>
>
>   


