#57 different password for user and LUKS parition?

pam-mount
open
nobody
None
5
2014-07-04
2014-07-03
No

Hello.

If I want a different password for the user and the LUKS partition, then pam_mount is probably not the right way to do it, is it?

With kind regards
Dominik

Discussion

  • Dominik Tugend

    Dominik Tugend - 2014-07-03

    I should add, that I don't want to store the LUKS password anywhere.

     
  • Jan Engelhardt

    Jan Engelhardt - 2014-07-03

    Specifying a pam_mount key file (<volume fskeypath="...">) should probably work. This keyfile can either contain the password in cleartext (with the <volume> attribute fskeycipher="none") or be OpenSSL encrypted.

     
  • Jan Engelhardt

    Jan Engelhardt - 2014-07-03

    You have to store the LUKS password somewhere, in some form, to be able to open it with a different passphrase.

    Or, you could just change the password of the LUKS container itself, which is probably easiest.

     
  • Till Maas

    Till Maas - 2014-07-03

    Is it possible to make pam_mount ask for a LUKS password if the user password is not the LUKS password?

     
  • Jan Engelhardt

    Jan Engelhardt - 2014-07-03

    Use a <volume> without fskeypath, and change your pam configuration in /etc/pam.d/whatever such that it reads

        auth    optional        pam_mount.so    disable_pam_password
    

    which, if I documented this right in the past, will ignore a previously entered password and instead always ask for a new one. As subsequent "auth"-type pam modules will then use this new one too, you may need to rearrange the list.

    And I don't know if graphical login managers handle this kind of multi-prompting.

     
  • Dominik Tugend

    Dominik Tugend - 2014-07-04

    Thank you for your replies.

    I think the disable_pam_password and disable_propagate_password and enable_interactive options are probably what I was looking for, thank you.

     
  • Dominik Tugend

    Dominik Tugend - 2014-07-04

    There is one problem though with these options: It will ask the any user for a pam_mount password, regardless if he/she has a volume definition or not. I would have preferred when it would only ask when there is s.th. to actually mount for the user :(

     
  • Dominik Tugend

    Dominik Tugend - 2014-07-04

    I understand this is by design and cannot be changed easily, so this ticket can be closed I guess.

    I understand that options are either to have a LUKS password the same as the user password, or use a keyfile or to live with two password requests for every user :)

     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.





No, thanks