From owner-freebsd-current@FreeBSD.ORG Wed Sep 8 11:45:53 2010 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3230F10656E2 for ; Wed, 8 Sep 2010 11:45:53 +0000 (UTC) (envelope-from gleb.kurtsou@gmail.com) Received: from mail-ew0-f54.google.com (mail-ew0-f54.google.com [209.85.215.54]) by mx1.freebsd.org (Postfix) with ESMTP id A87218FC08 for ; Wed, 8 Sep 2010 11:45:52 +0000 (UTC) Received: by ewy4 with SMTP id 4so3300129ewy.13 for ; Wed, 08 Sep 2010 04:45:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:date:from:to:cc:subject :message-id:references:mime-version:content-type:content-disposition :in-reply-to:user-agent; bh=XJ4SEgGDIeQde+cyBhwqMs/mtP7S+x7I9WqTYt4JrgQ=; b=kfqIsVTziNZ4A8WMfbOl40MzCYs18Foyr+QmufZtBEId3FYWMiL8Rw7DFfPyYsgQ9x Hg5FB4D0/1iv2kCe+NbwTfjjUAhR+fu6JEAziJS/tcH1Zu7nPY7spaO4xlK2CZ04CQLU BSioXxVThLjJFz0udDpxYwcnyjGlbVuZGOpkM= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:user-agent; b=Y/B/YkvXdBt7jygXkY64vAe+HmQ6zsdG9a8BhXIs2SfKRJ1U8jpqt9/h1LLw0jCSGH RThmYmytWititUe5WMdWCjJKx4c2RwQMopx3+iik1amOLT4FoDWHnKq/Ccv9jMMEvAYb pWC/fsXZ4t9u8czVD8nYsY0KAab0zkJWU7Of4= Received: by 10.14.13.206 with SMTP id b54mr95991eeb.26.1283946350445; Wed, 08 Sep 2010 04:45:50 -0700 (PDT) Received: from localhost ([212.98.186.134]) by mx.google.com with ESMTPS id v59sm11764376eeh.16.2010.09.08.04.45.48 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 08 Sep 2010 04:45:48 -0700 (PDT) Date: Wed, 8 Sep 2010 14:45:43 +0300 From: Gleb Kurtsou To: Daniel O'Connor Message-ID: <20100908114543.GA2312@tops> References: <20100906183838.GA3460@tops> <20100906230322.GA5457@tops> <4C86246B.9020802@bsdunix.ch> <20100907135326.GA1712@tops> <4C864D18.2010504@bsdunix.ch> <20100907175207.GB1793@tops> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.20 (2009-06-14) Cc: freebsd-current@freebsd.org, Thomas Vogt Subject: Re: pam_pefs setup (Re: RFC: pefs - stacked cryptographic filesystem) X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Sep 2010 11:45:53 -0000 On (08/09/2010 11:25), Daniel O'Connor wrote: > > On 08/09/2010, at 3:22, Gleb Kurtsou wrote: > > Please note that your home directory has to be mounted, I mount it in > > /etc/rc.local, but don't add any keys. pam_pefs adds the key. Also note > > that it has to be exactly your home directory (/home/gleb in my case), to > > prevent possible attacks. And keychain database has to be created, so > > that pam_pefs knows how to verify the key. > > Have you considered something similar to pam_mount? (http://pam-mount.sourceforge.net/) > > ie pam_pefs could mount your home directory itself and unmount it on logout. I knew about pam_mount before starting pam_pefs and my intent was to keep pam_pefs as simple as possible. Unlike some other stacked cryptographic filesystems, pefs can be mounted in read-only mode without providing a key. pam_mount can be used together with pam_pefs to mount/unmount filesystem on login/logout if needed. pam_mount is more generic then pam_pefs. At the moment pam_pefs doesn't remove key on logout because it is a bit tricky if there are several keys installed. I'm also against the idea of keeping keys installed by current session during the session to remove them on logout. Key chains for different sessions may overlap. I'd suggest to use pam_mount to unmount filesystem on logout in such scenario. Thanks, Gleb. > -- > Daniel O'Connor software and network engineer > for Genesis Software - http://www.gsoft.com.au > "The nice thing about standards is that there > are so many of them to choose from." > -- Andrew Tanenbaum > GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C