If I want a different password for the user and the LUKS partition, then pam_mount is probably not the right way to do it, is it?
With kind regards
I should add, that I don't want to store the LUKS password anywhere.
Specifying a pam_mount key file (<volume fskeypath="...">) should probably work. This keyfile can either contain the password in cleartext (with the <volume> attribute fskeycipher="none") or be OpenSSL encrypted.
You have to store the LUKS password somewhere, in some form, to be able to open it with a different passphrase.
Or, you could just change the password of the LUKS container itself, which is probably easiest.
Is it possible to make pam_mount ask for a LUKS password if the user password is not the LUKS password?
Use a <volume> without fskeypath, and change your pam configuration in /etc/pam.d/whatever such that it reads
auth optional pam_mount.so disable_pam_password
which, if I documented this right in the past, will ignore a previously entered password and instead always ask for a new one. As subsequent "auth"-type pam modules will then use this new one too, you may need to rearrange the list.
And I don't know if graphical login managers handle this kind of multi-prompting.
Thank you for your replies.
I think the disable_pam_password and disable_propagate_password and enable_interactive options are probably what I was looking for, thank you.
There is one problem though with these options: It will ask the any user for a pam_mount password, regardless if he/she has a volume definition or not. I would have preferred when it would only ask when there is s.th. to actually mount for the user :(
I understand this is by design and cannot be changed easily, so this ticket can be closed I guess.
I understand that options are either to have a LUKS password the same as the user password, or use a keyfile or to live with two password requests for every user :)
Log in to post a comment.
Sign up for the SourceForge newsletter:
You seem to have CSS turned off.
Please don't fill out this field.