www.cendio.com
Bug 5831 - encrypted home directories aren't mounted
Status: NEW
: ThinLinc
VSM Agent
: pre-1.0
: PC Unknown
: P2 Normal
: LowPrio
Reported: 2016-04-01 16:52 by
Modified: 2016-10-04 10:13 (History)


Description From cendio 2016-04-01 16:52:05
Using individually encrypted home directories doesn't work properly with
ThinLinc as they generally rely on being handled during PAM authentication.

This scenario is a good way of showing the issue:

 - Have a separate master and agent

 - Make sure the encrypted home directory is not mounted

 - Log in using the HTML client

This avoids a PAM authentication step on the agent and hence no home directory
gets mounted.

Tested on Ubuntu 16.04 which uses ecryptfs.
------- Comment #1 From cendio 2016-04-01 16:53:28 -------
pam_ecryptfs is present in the session stage of PAM so it might be possible to
solve this by having tl-session set the authentication token from the SSO
information.

(this could also in theory allow automatic unlocking of keyrings)
------- Comment #2 From cendio 2016-04-05 10:30:49 -------
For 4.6, document this problem (plat. spec. notes), then move bug to ---.
------- Comment #3 From cendio 2016-04-11 16:53:38 -------
I had a quick check to see if setting PAM_AUTHTOK would solve this.
Unfortunately it did not. Two issues:

 a) Applications aren't allowed to touch PAM_AUTHTOK, only modules. Could
probably be solved by creating a "pam_thinlinc".

 b) pam_ecryptfs relies on the password already being cached elsewhere from the
authentication step. It never looks at PAM_AUTHTOK during the session step, it
merely calls mount and expects it to succeed. (I also looked at pam_krb5 which
unfortunately also has the same assumption)

So it looks like we'd have to do something ecryptfs specific to fix this.
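
A diagnostic for the situation discussed in this report, added here as an example; it is not part of the bug thread or ThinLinc's code. It checks which PAM stages list pam_ecryptfs and whether the home directory is an ecryptfs mount. The PAM stack and /proc/mounts snapshots are constructed samples, and the function names and the `auth_ran_on_agent` flag are hypothetical.

```python
import re

# Constructed sample input (not taken from the bug report): a PAM stack as it
# might look with ecryptfs-utils installed, and two /proc/mounts snapshots.
SAMPLE_PAM = """\
# /etc/pam.d/common-auth
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite                   pam_deny.so
auth    optional                    pam_ecryptfs.so unwrap
# /etc/pam.d/common-session
session required                    pam_unix.so
session optional                    pam_ecryptfs.so unwrap
"""
MOUNTED = "/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev 0 0\n"
UNMOUNTED = "/dev/sda1 / ext4 rw,relatime 0 0\n"

# Fields: type, control (single word or [bracketed list]), module path
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def pam_stages(config_text, module):
    """Return the PAM stages (auth, session, ...) in which `module` is listed."""
    stages = set()
    for line in config_text.splitlines():
        m = PAM_LINE.match(line.split("#", 1)[0].strip())
        if m and m.group(3).rsplit("/", 1)[-1] == module:
            stages.add(m.group(1).lower())
    return stages

def ecryptfs_home_mounted(mounts_text, home):
    """True if `home` is the mount point of an ecryptfs filesystem."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] == home and fields[2] == "ecryptfs":
            return True
    return False

def diagnose(config_text, mounts_text, home, auth_ran_on_agent):
    """Explain whether a session opened on this host will see the decrypted home."""
    if ecryptfs_home_mounted(mounts_text, home):
        return "ok: home already mounted"
    stages = pam_stages(config_text, "pam_ecryptfs.so")
    if "session" in stages and not auth_ran_on_agent:
        return "unmounted: session stage runs without the auth stage that caches the passphrase"
    if "session" in stages:
        return "unmounted: auth ran, check pam_ecryptfs logs"
    return "unmounted: pam_ecryptfs not in session stage"
```

On a live agent the inputs would be the concatenated contents of the relevant `/etc/pam.d` files and `/proc/mounts`, read before the session starts.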