Bug 5831 - encrypted home directories aren't mounted
Summary: encrypted home directories aren't mounted
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: VSM Agent
Version: pre-1.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: LowPrio
Assignee: Pierre Ossman
Depends on:
Reported: 2016-04-01 16:52 CEST by Pierre Ossman
Modified: 2016-10-04 10:13 CEST (History)

See Also:
Acceptance Criteria:


Description Pierre Ossman cendio 2016-04-01 16:52:05 CEST
Using individually encrypted home directories doesn't work properly with ThinLinc as they generally rely on being handled during PAM authentication.

This scenario is a good way of showing the issue:

 - Have a separate master and agent

 - Make sure the encrypted home directory is not mounted

 - Log in using the HTML client

This avoids a PAM authentication step on the agent and hence no home directory gets mounted.

Tested on Ubuntu 16.04 which uses ecryptfs.
Comment 1 Pierre Ossman cendio 2016-04-01 16:53:28 CEST
pam_ecryptfs is present in the session stage of PAM so it might be possible to solve this by having tl-session set the authentication token from the SSO information.

(this could also in theory allow automatic unlocking of keyrings)
Comment 2 Peter Åstrand cendio 2016-04-05 10:30:49 CEST
For 4.6, document this problem (plat. spec. notes), then move bug to ---.
Comment 3 Pierre Ossman cendio 2016-04-11 16:53:38 CEST
I had a quick check to see if setting PAM_AUTHTOK would solve this. Unfortunately it did not. Two issues:

 a) Applications aren't allowed to touch PAM_AUTHTOK, only modules. Could probably be solved by creating a "pam_thinlinc".

 b) pam_ecryptfs relies on the password already being cached elsewhere from the authentication step. It never looks at PAM_AUTHTOK during the session step, it merely calls mount and expects it to succeed. (I also looked at pam_krb5 which unfortunately also has the same assumption)

So it looks like we'd have to do something ecryptfs specific to fix this.

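The failure mode in Comment 3 (b) can be checked directly: pam_ecryptfs's session step calls mount.ecryptfs_private, which looks up each key signature listed in ~/.ecryptfs/Private.sig in the caller's kernel keyring, and that lookup only succeeds if an auth step (or something ecryptfs-specific) inserted the key beforehand. The following diagnostic is an added example, not code from the bug report, ThinLinc or ecryptfs-utils. It parses a /proc/keys dump (format as documented in the kernel's Documentation/security/keys/core.rst) and a Private.sig file and reports which signatures are not loaded; the /proc/keys snapshot and signatures in the block are constructed, and the file locations are the ecryptfs-utils defaults. Checking key ownership by uid in /proc/keys is an approximation of keyctl_search, which walks the calling process's session and user keyrings.

```python
"""Diagnose why a session-stage ecryptfs mount would fail: are the keys there?

Added example (not from the ThinLinc bug report or ecryptfs-utils).
mount.ecryptfs_private needs every signature from ~/.ecryptfs/Private.sig
to already be present as a 'user' type key in the caller's keyring. When
no PAM auth step ran on the agent (the HTML client scenario above),
nothing inserted them and the mount fails.
"""
from __future__ import annotations

import os
import re
from pathlib import Path

# Constructed /proc/keys snapshot for uid 1000 (not captured from a real host).
# Only the FEKEK key (signature 0123456789abcdef) is loaded; the FNEK key
# that Private.sig also lists (fedcba9876543210) is absent.
SAMPLE_PROC_KEYS = """\
00000001 I--Q--    39 perm 1f3f0000     0     0 keyring   _uid_ses.0: 1/4
0000008f I--Q--     5 perm 3f030000  1000  1000 keyring   _ses: 2
0000002a I--Q--     1 perm 3f010000  1000  1000 user      0123456789abcdef: 48
000000b3 I--Q--     1 perm 3f010000  1000  1000 user      other_app_token: 32
"""

# Constructed Private.sig: FEKEK signature, then FNEK signature (filename
# encryption enabled), one 16-hex-digit signature per line.
SAMPLE_PRIVATE_SIG = "0123456789abcdef\nfedcba9876543210\n"

_SIG_RE = re.compile(r"[0-9a-fA-F]{16}")


def parse_proc_keys(text: str) -> list[dict]:
    """Parse /proc/keys lines: SERIAL FLAGS USAGE EXPY PERM UID GID TYPE DESC: SUMMARY."""
    keys = []
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue  # blank or truncated line
        serial, flags, _usage, _expiry, _perm, uid, gid, ktype, rest = parts
        desc, sep, summary = rest.rpartition(": ")
        if not sep:  # no ": summary" suffix, e.g. a negatively instantiated key
            desc, summary = rest, ""
        keys.append({"serial": serial, "flags": flags, "uid": int(uid),
                     "gid": int(gid), "type": ktype, "desc": desc, "summary": summary})
    return keys


def parse_private_sig(text: str) -> list[str]:
    """Read Private.sig: one 16-hex-digit signature per non-empty line.
    Anything else is rejected rather than silently skipped."""
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not _SIG_RE.fullmatch(line):
            raise ValueError(f"malformed signature in Private.sig: {line!r}")
        sigs.append(line.lower())
    if not sigs:
        raise ValueError("Private.sig contains no signatures")
    return sigs


def missing_ecryptfs_keys(proc_keys_text: str, private_sig_text: str, uid: int) -> list[str]:
    """Signatures from Private.sig that are not loaded as a 'user' key owned by uid.
    An empty list means mount.ecryptfs_private's key lookup would succeed."""
    loaded = {k["desc"].lower() for k in parse_proc_keys(proc_keys_text)
              if k["type"] == "user" and k["uid"] == uid}
    return [sig for sig in parse_private_sig(private_sig_text) if sig not in loaded]


def explain(proc_keys_text: str, private_sig_text: str, uid: int) -> str:
    missing = missing_ecryptfs_keys(proc_keys_text, private_sig_text, uid)
    if not missing:
        return "all ecryptfs keys loaded for uid %d; the session-stage mount can succeed" % uid
    return ("keyring for uid %d lacks %s; mount.ecryptfs_private will fail with "
            "'keyctl_search: Required key not available' until the wrapped "
            "passphrase is inserted" % (uid, ", ".join(missing)))


def check_host(uid: int | None = None) -> list[str]:
    """Run against the live host using the ecryptfs-utils default locations."""
    uid = os.getuid() if uid is None else uid
    proc_keys = Path("/proc/keys").read_text()
    private_sig = (Path.home() / ".ecryptfs" / "Private.sig").read_text()
    return missing_ecryptfs_keys(proc_keys, private_sig, uid)


if __name__ == "__main__":
    print(explain(SAMPLE_PROC_KEYS, SAMPLE_PRIVATE_SIG, 1000))
```

Run as a script it reports the constructed case (one of two signatures missing); `check_host()` does the same against the real /proc/keys and Private.sig of the logged-in user. In the ecryptfs-specific fix Comment 3 points towards, the step that must happen before mount is exactly what this detects as missing: inserting the user's wrapped passphrase into the keyring, which is what ecryptfs-utils' ecryptfs-insert-wrapped-passphrase-into-keyring does for a known password.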