[Bug 179894] Re: passwd, pam_mount, and LUKS/dm_crypt need better integration
Steve Langasek
steve.langasek at canonical.com
Sun Jun 12 20:38:46 UTC 2011
To fix this bug, some package would need to provide a PAM module to
integrate with this keystore and rekey when the password changes. I
don't think pam itself is an appropriate place for this; it should be
maintained somewhere more closely tied to the implementation of the
keystore in question - either cryptsetup, or in some standalone package
that provides this integration.
Reassigning to cryptsetup for the moment.
** Package changed: pam (Ubuntu) => cryptsetup (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/179894
Title:
passwd, pam_mount, and LUKS/dm_crypt need better integration
Status in “cryptsetup” package in Ubuntu:
New
Bug description:
Wishlist item. If separate LUKS/dm_crypt volumes are being used for
each user's home directory they can be auto-mounted at login using
pam_mount by supplying a key file encrypted by the login password via
openssl that contains the LUKS/dm_crypt key and specifying it in
pam_mount.conf. But there is no mechanism for re-encrypting the key
file when the user changes their password resulting in them being left
in the empty home mount directory on their next login. While
auto-mounting an encrypted volume via a generally weak login password
reduces its effectiveness, this can be mitigated somewhat by storing
the keys somewhere like /etc/keys/dm_crypt with 700 permissions and
root ownership, increasing the default minimum password length to
something >6 characters, and using an encrypted root volume. This
setup is important for easing security implementation on laptops.
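The missing step from the bug description, re-encrypting the openssl-wrapped key file when the login password changes, sketched as an added example; it is not code from the bug report, cryptsetup or pam_mount. The names `rewrap_keyfile`, `unwrap` and `ENC_OPTS` are hypothetical, and the cipher options are an assumption that must match whatever the mount configuration decrypts with.

```shell
#!/bin/sh
# Added example: re-wrap an openssl-encrypted volume key file under a new password.
# Assumption: ENC_OPTS matches the cipher/digest the mount setup uses to decrypt.
ENC_OPTS="${ENC_OPTS:--aes-256-cbc -md sha256}"

# unwrap PASSWORD FILE -> decrypted key on stdout.
# The password travels in the environment, not argv, so it does not show in ps.
# $ENC_OPTS is deliberately unquoted so it splits into separate options.
unwrap() {
    KEY_PW=$1 openssl enc -d $ENC_OPTS -pass env:KEY_PW -in "$2" 2>/dev/null
}

# rewrap_keyfile KEYFILE OLD_PASSWORD NEW_PASSWORD
# Body is a subshell so umask, trap and variables do not leak to the caller.
rewrap_keyfile() (
    keyfile=$1 old_pw=$2 new_pw=$3
    umask 077
    # Temp file beside the key file so the final mv is an atomic rename.
    new=$(mktemp "$keyfile.XXXXXX") || exit 1
    trap 'rm -f "$new"' EXIT

    # CBC padding is not authentication: a wrong password is rejected almost
    # always, not always. Call this only after the old password was verified.
    unwrap "$old_pw" "$keyfile" >/dev/null || {
        echo "rewrap: old password does not decrypt $keyfile" >&2; exit 1; }

    # Stream old plaintext straight into the new wrapping; the raw volume key
    # never touches the disk.
    unwrap "$old_pw" "$keyfile" |
        KEY_PW=$new_pw openssl enc $ENC_OPTS -salt -pass env:KEY_PW \
            -out "$new" 2>/dev/null || exit 1

    # Read the new file back and compare digests before replacing the old one.
    [ "$(unwrap "$old_pw" "$keyfile" | openssl dgst -sha256)" = \
      "$(unwrap "$new_pw" "$new" | openssl dgst -sha256)" ] || exit 1

    mv -f "$new" "$keyfile"
)
```

The replaced file is mode 600 and owned by the calling user, so a caller running as root keeps the root-only key directory described in the report intact.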