On Tue, Sep 24, 2019 at 9:27 PM Chris Murphy <lists(a)colorremedies.com> wrote:
On Tue, Sep 24, 2019 at 3:32 PM Frantisek Zatloukal <fzatlouk(a)redhat.com> wrote:
>
> So, as I understand that, enforcing per-user encryption is not going to prevent
> anybody from having automatic login?
It's a really good question. They are mutually exclusive because to
combine them is absurd.
Small clarification. The case where plymouth presents a box for the
user to enter a passphrase, with GNOME Shell user account set to
autologin, is not what I'm talking about. That's not really autologin,
even if it uses an autologin setting. In this case:
a. user interaction is mandatory
b. passphrase is forwarded to gnome-shell for login
c. passphrase is not stored
Authentication is still happening. Passphrase only is slightly weaker
than user selection plus passphrase. But it's authentication
nevertheless.
Whereas the case I'm referring to as absurd is:
a. no user interaction, expressly unattended autologin
b. The user data home encryption passphrase must somehow be stored;
there could be indirection by encrypting it in some wrapper that
includes a DEK and KEK, but the user passphrase is still trivially
obtainable by necessity of a.)
No authentication happens, and also the user's passphrase is exposed.
I think this use case is invalid, shouldn't be implemented, and in
fact should be blocked. Like if someone were to figure out a way to
make it possible, it's a possible vulnerability.
--
Chris Murphy
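
The following is an added example, not part of the original message or of any Fedora or GNOME code: a configuration audit that flags the combination described above, an account with an encrypted home that GDM is also set to log in without interaction. It assumes GDM's `[daemon]` keys `AutomaticLoginEnable`/`AutomaticLogin` and `TimedLoginEnable`/`TimedLogin`; the set of users with encrypted homes is supplied by the caller because the thread does not say how that would be recorded. The setting alone cannot show whether a passphrase was forwarded from a boot prompt, so a hit is a prompt for review.

```python
import configparser

# Constructed sample of a GDM custom.conf; the user names are made up.
SAMPLE_GDM_CONF = """\
[daemon]
AutomaticLoginEnable=True
AutomaticLogin=alice
TimedLoginEnable=false
TimedLogin=bob
"""

# Accept common spellings of "enabled"; this errs toward flagging.
_TRUE = {"true", "1", "yes"}


def unattended_login_users(conf_text):
    """Return {user: key} for accounts GDM logs in with no interaction."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written (GDM keys are CamelCase)
    cp.read_string(conf_text)
    users = {}
    if not cp.has_section("daemon"):
        return users
    daemon = cp["daemon"]
    # Both immediate autologin and timed login need no user interaction.
    for enable_key, user_key in (("AutomaticLoginEnable", "AutomaticLogin"),
                                 ("TimedLoginEnable", "TimedLogin")):
        enabled = daemon.get(enable_key, "false").strip().lower() in _TRUE
        user = daemon.get(user_key, "").strip()
        if enabled and user:
            users[user] = user_key
    return users


def conflicting_users(conf_text, encrypted_home_users):
    """Users with both unattended login and an encrypted home (hypothetical input set)."""
    unattended = unattended_login_users(conf_text)
    return sorted(u for u in unattended if u in encrypted_home_users)


if __name__ == "__main__":
    for user in conflicting_users(SAMPLE_GDM_CONF, {"alice", "carol"}):
        print(f"review: {user} has an encrypted home and unattended login")
```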