Gentoo Forums
Single password entry signon-on
msst
Apprentice

Joined: 07 Jun 2011
Posts: 213

Posted: Sat Jul 09, 2016 6:17 am    Post subject: Single password entry signon-on

Currently I have to enter my password multiple times - thanks to a bug in kwallet even 3x before everything is unlocked and logged in. But really, 1x should be enough. I wonder if anyone has managed the following scenario already:

1. Fully encrypted system partition (LUKS.root)
2. User enters password and partition is unlocked by initramfs and system boots (that part works here).
3. Password is automatically passed on (PAM comes to mind - but how?) to the sddm login manager and the user is logged in.
4. kwalletd is opened with the same passwd. pam_kwalletd5 should do that, but is still buggy here.

Basically one login, and a usable, unlocked desktop appears. That is how it should be. But I am not aware that this is possible at all currently - or did anyone find out how yet?

P.S.: The closest I can get is by using autologin for sddm and using a kwalletd that is not password-protected. But that's not entirely how it's intended, I think.
gerdesj
l33t

Joined: 29 Sep 2005
Posts: 621
Location: Yeovil, Somerset, UK

Posted: Tue Aug 02, 2016 11:31 pm    Post subject: Re: Single password entry signon-on

Have you ever found yourself explaining to someone why it is a bad idea to have the same password on different websites?

To securely link your password from your boot prompt to your KDE session is a big ask. In effect you are asking for your disc encryption to be as secure as your DM login and probably your browser logins. Whereas on Windows, inter alia, you might get a "yeah we'll reduce your disc encryption security to enable single sign on", your LUKS does not.

Either ditch LUKS because you can't be arsed with security or accept that greater security has a bit of a price. Bear in mind that there is probably nothing wrong in deciding to have a simple password for the LUKS login that is generally known in your organisation. LUKS is to ensure that if your systems are stolen then the data is reasonably safe. Risk Assessment.
msst
Apprentice

Joined: 07 Jun 2011
Posts: 213

Posted: Mon Aug 08, 2016 5:26 pm    Post subject:

Quote:
Have you ever found yourself explaining to someone why it is a bad idea to have the same password on different websites?

Yes, and it is a tough situation. There is likely not a single person using different passwords for each and every site. Unless you use a master password and all else is saved under this. Which is a matter of philosophy - you also create a single point of failure with it. In the end it all comes down to "pretty usable safety".

I think it would be a good compromise if luks, grub, whatever could pass on at least some "derived from boot password" auth token in a semi-volatile way to be reused for the boot-login process. That's a bit the general problem with linux - it can do everything that windows and co. can do. Actually often better. But the usability and handling around it is here and there a bit sluggish.

Having to enter passwords multiple times or even multiple passwords to get a fully usable computer session booted up is simply such a thing - it may be conceptually correct, but it sucks in terms of work-flow.
Hu
Moderator

Joined: 06 Mar 2007
Posts: 13490

Posted: Tue Aug 09, 2016 1:36 am    Post subject:

As regards master password - that is actually quite common now, and in my opinion it is better than reusing a password. With the master password approach, you rely on adversaries not obtaining the master password (which you never write down) and the password vault (which is on your disk). Contrast that with the reused password approach where you rely on adversaries not obtaining your password from one site because that password will work on four other sites. You can mitigate the single-point-of-failure problem by keeping good backups of the vault.

If you trust the user who has the drive password to such an extent, why not make the other resources password-free?