On (08/09/2010 11:25), Daniel O'Connor wrote:
>
> On 08/09/2010, at 3:22, Gleb Kurtsou wrote:
> > Please note that your home directory has to be mounted, I mount it in
> > /etc/rc.local, but don't add any keys. pam_pefs adds the key. Also note
> > that it has to be exactly your home directory (/home/gleb in my case), to
> > prevent possible attacks. And keychain database has to be created, so
> > that pam_pefs knows how to verify the key.
>
> Have you considered something similar to pam_mount? (http://pam-mount.sourceforge.net/)
>
> ie pam_pefs could mount your home directory itself and unmount it on logout.

I knew about pam_mount before starting pam_pefs and my intent was to keep
pam_pefs as simple as possible. Unlike some other stacked cryptographic
filesystems, pefs can be mounted in read-only mode without providing a key.

pam_mount can be used together with pam_pefs to mount/unmount filesystem on
login/logout if needed. pam_mount is more generic than pam_pefs.

At the moment pam_pefs doesn't remove key on logout because it is a bit
tricky if there are several keys installed. I'm also against the idea of
keeping keys installed by current session during the session to remove them
on logout. Key chains for different sessions may overlap. I'd suggest to use
pam_mount to unmount filesystem on logout in such scenario.

Thanks,
Gleb.

> --
> Daniel O'Connor software and network engineer
> for Genesis Software - http://www.gsoft.com.au
> "The nice thing about standards is that there
> are so many of them to choose from."
> -- Andrew Tanenbaum
> GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C

Received on Wed Sep 08 2010 - 09:45:53 UTC