From: Gleb Kurtsou <gleb.kurtsou@gmail.com>
To: Thomas Vogt
Date: Tue, 7 Sep 2010 20:52:07 +0300
Message-ID: <20100907175207.GB1793@tops>
References: <20100906183838.GA3460@tops> <20100906230322.GA5457@tops> <4C86246B.9020802@bsdunix.ch> <20100907135326.GA1712@tops> <4C864D18.2010504@bsdunix.ch>
In-Reply-To: <4C864D18.2010504@bsdunix.ch>
Cc: freebsd-current@freebsd.org
Subject: pam_pefs setup (Re: RFC: pefs - stacked cryptographic filesystem)

On (07/09/2010 16:32), Thomas Vogt wrote:
[...]
>
> I've an issue with pam_pefs:
>
> ===> lib/libpam/modules/pam_pefs (install)
> install -C -o root -g wheel -m 444 libpam_pefs.a /usr/lib
> install -C -o root -g wheel -m 444 libpam_pefs_p.a /usr/lib
> install -o root -g wheel -m 444 pam_pefs.8.gz /usr/share/man/man8
>
> I do not see any pam_pefs.so which makes login not possible if
> pam.d/system is modified as mentioned in your description:
>
> auth sufficient pam_pefs.so try_first_pass

Sorry, I don't quite understand you here. Don't hesitate contacting me
again if I didn't understand you correctly.

I've also missed one more line, which actually adds the key:

session optional pam_pefs.so

The setup I've posted makes it possible to log in using a pefs key or the
standard pam_unix.so password. Here is my /etc/pam.d/system file:

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_pefs.so             try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
account         required        pam_login_access.so
account         required        pam_unix.so

# session
session         optional        pam_pefs.so
session         required        pam_lastlog.so          no_fail

# password
password        required        pam_unix.so             no_warn try_first_pass

I have a "stronger" password for pefs, while the traditional password is
"weaker" and easier to type. I use the pefs password to log in only the
first time and add the key to my home directory.

Please note that your home directory has to be mounted. I mount it in
/etc/rc.local, but don't add any keys; pam_pefs adds the key. Also note
that it has to be exactly your home directory (/home/gleb in my case), to
prevent possible attacks.

And the keychain database has to be created, so that pam_pefs knows how to
verify the key. Details on how to create it are available in my original
email. That's a rather inconvenient procedure, but you need to do it just
once. It's so complicated because pefs is read-only if no key is specified,
but the database should not be encrypted, to make it accessible by
pam_pefs:

> 3. Mount pefs filesystem:
> # pefs mount /home/ME /home/ME
>
> 4. Enter passphrase:
> # pefs addkey /home/ME
>
> # pefs addchain -Z /home/ME
> Don't encrypt .pefs.db:
> # mv ~/Private/.pefs.db /tmp
> # umount ~/Private
> # mv /tmp/.pefs.db /home/ME
> # pefs mount /home/ME /home/ME
> Use -c option to verify key is in database
> # pefs addkey -c /home/ME

I'll try to make it easier. I didn't actually expect anyone to try it, and
just mentioned it without providing instructions, so as not to write a long
setup procedure.

You can also try adding the debug option to the pam_pefs.so config if
something goes wrong.

I don't remember the details, but pefs/Makefile contains the following
comment by me:

# Should be built from sources tree
# SUBDIR+= lib/libpam/modules/pam_pefs

But if you are able to build it, it should be fine.

Thanks,
Gleb.

>
> Regards,
> Thomas
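As an added example, not part of Gleb's mail or of the pefs project: a POSIX shell checker that parses a PAM service file such as /etc/pam.d/system and confirms the three conditions the login scheme above relies on: an "auth sufficient pam_pefs.so" line exists, it comes before the "auth required pam_unix.so" fallback (a "required" module that fails on a pefs-only passphrase fails the whole auth stack regardless of what pam_pefs does afterwards), and a "session ... pam_pefs.so" line exists so the key is actually added to the mounted home directory, the line Gleb says he initially left out. The function name check_pam_pefs and the finding labels are my own; the sample files are constructed copies of the configuration posted in the mail.

```shell
#!/bin/sh
# Added example, not from Gleb's mail or from pefs: check the pam_pefs lines in
# a PAM service file. Findings (one per line, on stderr):
#   missing-auth-pefs      no "auth sufficient pam_pefs.so" line
#   auth-pefs-after-unix   pam_pefs.so listed after the "auth required
#                          pam_unix.so" fallback, whose failure on a pefs-only
#                          passphrase fails the whole auth stack
#   missing-session-pefs   no "session ... pam_pefs.so" line, so no key is
#                          ever added to the mounted home directory
# Exit status: 0 = all three conditions hold, 1 = findings, 2 = unreadable file.

check_pam_pefs() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    findings=$(awk '
        /^[[:space:]]*#/ || NF < 3 { next }   # skip comments and short lines
        $1 == "auth" && $2 == "sufficient" && $3 == "pam_pefs.so" && !auth_pefs { auth_pefs = NR }
        $1 == "auth" && $2 == "required"   && $3 == "pam_unix.so" && !auth_unix { auth_unix = NR }
        $1 == "session" && $3 == "pam_pefs.so" { session_pefs = NR }
        END {
            if (!auth_pefs) print "missing-auth-pefs"
            else if (auth_unix && auth_pefs > auth_unix) print "auth-pefs-after-unix"
            if (!session_pefs) print "missing-session-pefs"
        }' "$file")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | sed "s|^|$file: |" >&2
    return 1
}

workdir=$(mktemp -d) || exit 2
trap 'rm -rf "$workdir"' EXIT

# Constructed sample 1: Gleb's /etc/pam.d/system as posted in the mail.
cat > "$workdir/system.good" <<'EOF'
# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_pefs.so             try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok
# account
account         required        pam_login_access.so
account         required        pam_unix.so
# session
session         optional        pam_pefs.so
session         required        pam_lastlog.so          no_fail
# password
password        required        pam_unix.so             no_warn try_first_pass
EOF

# Constructed sample 2: the same file without the session line, the omission
# Gleb corrects in the mail (login succeeds, but no key is added).
grep -v '^session.*pam_pefs' "$workdir/system.good" > "$workdir/system.nosession"

# Constructed sample 3: pam_pefs placed after the pam_unix fallback.
cat > "$workdir/system.reordered" <<'EOF'
auth            required        pam_unix.so             no_warn try_first_pass nullok
auth            sufficient      pam_pefs.so             try_first_pass
session         optional        pam_pefs.so
EOF

# Run the checker over every sample; one summary line per file on stdout,
# the individual findings on stderr.
for f in "$workdir"/system.*; do
    if check_pam_pefs "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
```

Point the function at the real file (check_pam_pefs /etc/pam.d/system) to verify a host after editing; it only reads the file, so it is safe to run from a login session before logging out to test the change. It deliberately does not try to verify the mount itself: whether the pefs filesystem is mounted on exactly the user's home directory, as the mail requires, is a property of the running system that pefs' own tools report.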