On Tuesday, December 3, 2019 1:18:57 AM MST Lennart Poettering wrote:
> systemd-homed integrates with sshd's AuthorizedKeysCommand and
> supplies any SSH keys associated with the user account directly to SSH
> without anyone needing access to ~/.ssh/. i.e. integration with SSH is
> actually already in place.

Excellent, that's what I mentioned in the other subthread. Does this use
sssd's existing AuthorizedKeysCommand, or would it interfere with it?

> The problem is that sshd's PAM implementation doesn't allow PAM
> modules to ask questions in login sessions which are authenticated via
> authorized_keys instead of PAM. Because if we could ask questions
> then, we could simply ask the user for the passphrase to derive the
> LUKS key from if we need. That would mean that if you SSH login if you
> already are logged in locally, then logins would be instant, but if
> you SSH login otherwise then you'd get a prompt for the pw first.

Is the key's passphrase always going to be based on the user's password with
systemd-homed? Is there a mechanism to use a separate password?
--
John M. Harris, Jr.
Splentity