From Fedora Project Wiki
(created)
 
(100% :))
 
(9 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{admon/important | Comments and Explanations | The page source contains comments providing guidance to fill out each section.  They are invisible when viewing this page.  To read it, choose the "edit" link.<br/> '''Copy the source to a ''new page'' before making changes!  DO NOT EDIT THIS TEMPLATE FOR YOUR FEATURE.'''}}
{{admon/important | Set a Page Watch| Make sure you click ''watch'' on your new page so that you are notified of changes to it by others, including the Feature Wrangler}}
{{admon/note | All sections of this template are required for review by FESCo.  If any sections are empty it will not be reviewed }}
<!-- All fields on this form are required to be accepted by FESCo.
<!-- All fields on this form are required to be accepted by FESCo.
  We also request that you maintain the same order of sections so that all of the feature pages are uniform.  -->
  We also request that you maintain the same order of sections so that all of the feature pages are uniform.  -->
Line 25: Line 18:
== Current status ==
== Current status ==
* Targeted release: [[Releases/15|Fedora 15]]  
* Targeted release: [[Releases/15|Fedora 15]]  
* Last updated: 2010-12-22
* Last updated: 2011-02-09
* Percentage of completion: 30%
* Percentage of completion: 100%


== Detailed Description ==
== Detailed Description ==
Line 36: Line 29:


== Scope ==
== Scope ==
Changes are required to PAM, authconfig, and several pam users.  All of these have been identified.
Changes are required to PAM, authconfig, and several pam users.  All of these have been identified and patches posted to Bugzilla:
* https://bugzilla.redhat.com/show_bug.cgi?id=665061 (gdm)
* https://bugzilla.redhat.com/show_bug.cgi?id=665062 (util-linux)
* https://bugzilla.redhat.com/show_bug.cgi?id=665063 (passwd)
* https://bugzilla.redhat.com/show_bug.cgi?id=486152 (authconfig)
 
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->


== How To Test ==
== How To Test ==
# Set up an ecryptfs private area under ~/Private using ecryptfs-setup-private.
# Add yourself to the ecryptfs group.
# Enable ecryptfs using authconfig (e.g. setting USE_ECRYPTFS=yes under /etc/sysconfig/authconfig and rerunning <tt>authconfig-tui --updateall</tt>)
# Set up an ecryptfs private area under ~/Private using <tt>ecryptfs-setup-private</tt>.
# Mount it with <tt>ecryptfs-mount-private</tt> and create a few files in it.  Unmount it with <tt>ecryptfs-umount-private</tt>.
# Enable ecryptfs using authconfig (e.g. setting <tt>USEECRYPTFS=yes</tt> under /etc/sysconfig/authconfig and rerunning <tt>authconfig-tui --updateall</tt>)
# Log out and log back in.
# Log out and log back in.
# <tt>mount</tt> should show an ecryptfs mount for ~/Private.
# <tt>mount</tt> should show an ecryptfs mount for ~/Private and the files you created in step 3 should show up.
# Log out and log in as root.
# The ecryptfs mount should not be there anymore.
<!-- This does not need to be a full-fledged document.  Describe the dimensions of tests that this feature is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be.  
<!-- This does not need to be a full-fledged document.  Describe the dimensions of tests that this feature is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be.  


Line 54: Line 56:


== Contingency Plan ==
== Contingency Plan ==
The feature touches several independent packages, but all patches have precise dependencies included in their bugzilla entries (see [https://bugzilla.redhat.com/showdependencytree.cgi?id=486152 here]).  In case the feature will not be available for F15, it is possible to either revert changes that were already included, or leave them in.  In the latter case the changes will be unnecessary, but will not break anything.
All patches have been committed to Rawhide in time for F15 branch.  In case any problems are found during testing, the feature should not be considered complete and should not be included in the release notesThe changes in bug 486152 could be reverted, but that's not absolutely necessary.
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "None necessary, revert to previous release behaviour."  Or it might not. If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->


== Documentation ==
== Documentation ==
Line 63: Line 64:
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this feature, indicate them here.  You can also link to upstream documentation if it satisfies this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release. -->
Fedora 15 brings in improved support for eCryptfs the SCAP (Security Content Automation Protocol). Starting from Fedora 15, authconfig can be used to automatically mount a private encrypted part of the home directory when a user logs in.
Fedora 15 brings in improved support for eCryptfs, a stacked cryptographic filesystem for Linux. Starting from Fedora 15, authconfig can be used to automatically mount a private encrypted part of the home directory when a user logs in.


== Comments and Discussion ==
== Comments and Discussion ==
Line 69: Line 70:




[[Category:FeatureReadyForWrangler]]
[[Category:FeatureAcceptedF15]]
<!-- When your feature page is completed and ready for review -->
<!-- When your feature page is completed and ready for review -->
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler -->
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete-->
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process -->

Latest revision as of 08:13, 15 February 2011


Support for ecryptfs in authconfig

Summary

Authconfig will allow the system administrator to configure automatic mounting of an encrypted area in each user's home directory.

Owner

Current status

  • Targeted release: Fedora 15
  • Last updated: 2011-02-09
  • Percentage of completion: 100%

Detailed Description

pam_ecryptfs is a PAM module that allows to mount a private part of the home directory (or the entire home directory) when a user logs in. However, using pam_ecryptfs in Fedora <=14 is complicated by the configuration style adopted by authconfig. This feature aims at simplifying this across various PAM users and integrating ecryptfs support into authconfig.

Benefit to Fedora

ecryptfs is a useful tool, but it is hard to configure under Fedora. Compared to encrypted partitions, for example, it easily lets the user do encrypted backups.

Scope

Changes are required to PAM, authconfig, and several pam users. All of these have been identified and patches posted to Bugzilla:


How To Test

  1. Add yourself to the ecryptfs group.
  2. Set up an ecryptfs private area under ~/Private using ecryptfs-setup-private.
  3. Mount it with ecryptfs-mount-private and create a few files in it. Unmount it with ecryptfs-umount-private.
  4. Enable ecryptfs using authconfig (e.g. setting USEECRYPTFS=yes under /etc/sysconfig/authconfig and rerunning authconfig-tui --updateall)
  5. Log out and log back in.
  6. mount should show an ecryptfs mount for ~/Private and the files you created in step 3 should show up.
  7. Log out and log in as root.
  8. The ecryptfs mount should not be there anymore.

Contingency Plan

All patches have been committed to Rawhide in time for F15 branch. In case any problems are found during testing, the feature should not be considered complete and should not be included in the release notes. The changes in bug 486152 could be reverted, but that's not absolutely necessary.

Documentation

  • pam_ecryptfs(8) man page (note the man page is a bit Ubuntu-centric, we do not have /etc/pam.d/common-auth and the Fedora implementation will be different in order to support authconfig)

Release Notes

Fedora 15 brings in improved support for eCryptfs, a stacked cryptographic filesystem for Linux. Starting from Fedora 15, authconfig can be used to automatically mount a private encrypted part of the home directory when a user logs in.

Comments and Discussion

Retrieved from "https://fedoraproject.org/w/index.php?title=Features/EcryptfsAuthConfig&oldid=221211"