From: "Daniel O'Connor"
Date: Wed, 8 Sep 2010 11:25:13 +0930
To: Gleb Kurtsou
Cc: freebsd-current@freebsd.org, Thomas Vogt
Subject: Re: pam_pefs setup (Re: RFC: pefs - stacked cryptographic filesystem)

On 08/09/2010, at 3:22, Gleb Kurtsou wrote:
> Please note that your home directory has to be mounted, I mount it in
> /etc/rc.local, but don't add any keys. pam_pefs adds the key. Also note
> that it has to be exactly your home directory (/home/gleb in my case), to
> prevent possible attacks. And keychain database has to be created, so
> that pam_pefs knows how to verify the key.

Have you considered something similar to pam_mount? (http://pam-mount.sourceforge.net/)

ie pam_pefs could mount your home directory itself and unmount it on logout.

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C