Using individually encrypted home directories doesn't work properly with ThinLinc as they generally rely on being handled during PAM authentication.
This scenario is a good way of showing the issue:
- Have a separate master and agent
- Make sure the encrypted home directory is not mounted
- Log in using the HTML client
This avoids a PAM authentication step on the agent and hence no home directory gets mounted.
Tested on Ubuntu 16.04 which uses ecryptfs.
pam_ecryptfs is present in the session stage of PAM so it might be possible to solve this by having tl-session set the authentication token from the SSO information.
(this could also in theory allow automatic unlocking of keyrings)
For 4.6, document this problem (plat. spec. notes), then move bug to ---.
I had a quick check to see if settting PAM_AUTHTOK would solve this. Unfortunately it did not. Two issues:
a) Applications aren't allowed to touch PAM_AUTHTOK, only modules. Could probably be solved by creating a "pam_thinlinc".
b) pam_ecryptfs relies on the password already being cached elsewhere from the authentication step. It never looks at PAM_AUTHTOK during the session step, it merely calls mount and expects it to succeed. (I also looked at pam_krb5 which unfortunately also has the same assumption)
So it looks like we'd have to do something ecryptfs specific to fix this.