Lennart Poettering wrote:
The problem is that sshd's PAM implementation doesn't allow PAM
modules to ask questions in login sessions which are authenticated via
authorized_keys instead of PAM. Because if we could ask questions
then, we could simply ask the user for the passphrase to derive the
LUKS key from if we need. That would mean that if you SSH login while you
are already logged in locally, then logins would be instant, but if
you SSH login otherwise then you'd get a prompt for the pw first.
I think a proper SSH integration would actually store a LUKS keyfile
encrypted with the SSH public key somewhere in .ssh, and on login, send that
to the client, have that decrypt it with the SSH private key and send it
back, and use the decrypted key to unlock the LUKS partition.
Kevin Kofler
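The keyfile round trip Kevin sketches above, written out as an added illustration that is not code from this thread, systemd or OpenSSH: the SSH key pair is modelled as a plain RSA key using Go's standard library, the LUKS keyfile is a constructed 32-byte value, and the SSH channel is an in-process call. The server-side digest check is my addition, so that a reply decrypted with the wrong key, or a tampered one, is rejected before anything is handed to LUKS.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Stored under ~/.ssh in the proposal: the keyfile wrapped to the user's SSH
// public key, plus a digest to check the returned keyfile before unlocking.
type wrappedKeyfile struct {
	Ciphertext []byte
	Digest     [32]byte
}

// enroll wraps the raw LUKS keyfile for the user's (RSA) SSH public key.
func enroll(pub *rsa.PublicKey, keyfile []byte) (wrappedKeyfile, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyfile, nil)
	return wrappedKeyfile{Ciphertext: ct, Digest: sha256.Sum256(keyfile)}, err
}

// clientUnwrap: the SSH private key never leaves the client; only the
// unwrapped keyfile travels back over the (already encrypted) SSH channel.
func clientUnwrap(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}

// serverVerify refuses any answer that does not match enrollment, so a wrong
// key or a tampered reply never reaches cryptsetup.
func serverVerify(w wrappedKeyfile, answer []byte) error {
	if sha256.Sum256(answer) != w.Digest {
		return errors.New("unwrapped keyfile does not match enrollment")
	}
	return nil
}

// roundTrip enrolls keyfile for enrollKey and runs one login exchange with
// loginKey; it returns nil only if loginKey is the private half of enrollKey.
func roundTrip(enrollKey *rsa.PublicKey, loginKey *rsa.PrivateKey, keyfile []byte) error {
	w, err := enroll(enrollKey, keyfile)
	if err != nil {
		return err
	}
	answer, err := clientUnwrap(loginKey, w.Ciphertext)
	if err != nil {
		return err
	}
	return serverVerify(w, answer)
}
```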