Bugzilla – Bug 5831
encrypted home directories aren't mounted
Last modified: 2016-10-04 10:13:42
Using individually encrypted home directories doesn't work properly with
ThinLinc as they generally rely on being handled during PAM authentication.
This scenario is a good way of showing the issue:
- Have a separate master and agent
- Make sure the encrypted home directory is not mounted
- Log in using the HTML client
This avoids a PAM authentication step on the agent and hence no home directory
Tested on Ubuntu 16.04 which uses ecryptfs.
pam_ecryptfs is present in the session stage of PAM so it might be possible to
solve this by having tl-session set the authentication token from the SSO
(this could also in theory allow automatic unlocking of keyrings).
For 4.6, document this problem (plat. spec. notes), then move bug to ---.
I had a quick check to see if setting PAM_AUTHTOK would solve this.
Unfortunately it did not. Two issues:
a) Applications aren't allowed to touch PAM_AUTHTOK, only modules. Could
probably be solved by creating a "pam_thinlinc".
b) pam_ecryptfs relies on the password already being cached elsewhere from the
authentication step. It never looks at PAM_AUTHTOK during the session step, it
merely calls mount and expects it to succeed. (I also looked at pam_krb5 which
unfortunately also has the same assumption.)
So it looks like we'd have to do something ecryptfs specific to fix this.
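
The failure mode discussed in this bug can be checked for on a given host by comparing the PAM stack with the stages a login path actually runs. The following is an added example, not part of the original report and not ThinLinc code: the PAM stack is a constructed sample, the function names are hypothetical, and the set of executed stages passed in is an assumption about the login path being examined.

```python
import re

# Constructed sample of a flattened PAM service file in which pam_ecryptfs
# is listed in both the auth and the session stage.
SAMPLE_STACK = """\
# constructed example stack
auth     [success=1 default=ignore]  pam_unix.so nullok_secure
auth     requisite                   pam_deny.so
auth     optional                    pam_ecryptfs.so unwrap
session  required                    pam_unix.so
session  optional                    pam_ecryptfs.so unwrap
-session optional                    pam_systemd.so
"""

# Modules this bug report names as expecting state from the auth step.
AUTH_DEPENDENT = ("pam_ecryptfs.so", "pam_krb5.so")

LINE_RE = re.compile(
    r"^-?(?P<stage>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)"
)

def parse_stack(text):
    """Return {stage: [module, ...]}; @include and line continuations are not handled."""
    stages = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = LINE_RE.match(line)
        if m:
            module = m.group("module").rsplit("/", 1)[-1]  # strip any directory
            stages.setdefault(m.group("stage"), []).append(module)
    return stages

def session_without_auth(stages, executed, watch=AUTH_DEPENDENT):
    """List watched session modules whose auth hook never ran on this host."""
    if "session" not in executed:
        return []
    # A module is primed only if the auth stage ran and the module is listed in it.
    primed = set(stages.get("auth", [])) if "auth" in executed else set()
    return [m for m in stages.get("session", []) if m in watch and m not in primed]

if __name__ == "__main__":
    stack = parse_stack(SAMPLE_STACK)
    print("session only:", session_without_auth(stack, {"session"}))
    print("auth + session:", session_without_auth(stack, {"auth", "session"}))
```
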