From Fedora Project Wiki

Revision as of 15:28, 11 May 2016 by Mclasen (talk | contribs) (→‎Current status)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Automatic Login By Default

Summary

Change the workstation to use automatic login + luks encryption by default. Synchronize the two passwords.

Owner

  • Name: Ray Strode
  • Email: rstrode@redhat.com
  • Release notes owner:
  • Product: Workstation
  • Responsible WG: Workstation

Current status

  • Targeted release: Not Yet Targetted for release
  • Last updated: 2016-05-11
  • Tracker bug:

Systemd is writing the luks password to the kernel keyring.

Detailed Description

No detailed description yet, for now see these irc logs:

[10:29:10] <halfline> anyway, today when you type your password, systemd stuffs it on a kernel keyring
[10:29:17] <halfline> with an expiration time
[10:29:31] --> dcbw (dcbw@68-168-178-95.fttp.usinternet.com) has joined #fedora-desktop
[10:29:42] <halfline> all we need to do to get that moved to unlocking the session / gnome-keyring is a small pam module
[10:30:16] <halfline> it's one of those round tuit things i have on the back of my todo list
[10:30:34] <halfline> shouldn't take more than a couple of hours to write actually
[10:31:07] <halfline> just needs to query keyring for password and if it's there set the password as the auth token for the pam stack
[10:31:15] <halfline> then exit and let pam_unix take over
[10:32:16] <-- starmad has quit (Ping timeout: 180 seconds)
[10:32:17] <bochecha> halfline: but how does that work with autologin, in which case you don't type your password
[10:33:20] <mclasen> it works if you type your password to unlock your disk
[10:33:25] <mclasen> its about typing it only once
[10:33:34] <bochecha> ah, so your session password must be the same as the encryption one
[10:33:40] <halfline> bochecha: we already have a pam module that forwards the password from pam to gnome-keyring
[10:33:41] <bochecha> which is what I do here, so that's great :)
[10:33:46] <halfline> yup exactly
[10:35:10] <mclasen> will password changes just work in this scenario ? can the same pam module handle that ?
[10:35:44] <hergertme> halfline: +++ please write this :)
[10:35:50] <halfline> mclasen: you mean what happens if the user changes their password so it no longer matches the encrypted disk ?
[10:36:00] <mclasen> yes
[10:36:04] <halfline> we just need to construct the stack to fall back to the current way
[10:36:13] <mclasen> well, thats sucks
[10:36:22] <bochecha> or change the encryption password?
[10:36:32] <hergertme> so have the pam module update LUKS key?
[10:36:56] <mclasen> you can't change your password on os x ?
[10:37:01] <hergertme> (does pam even get notified of changes?)
[10:37:21] <halfline> we could supplement the pam module to also implement a password stack
[10:37:27] <halfline> in addition to the authstack
[10:37:38] <halfline> and then change /etc/pam.d/passwd to reference it
[10:37:41] <mclasen> that was my question above
[10:37:49] <mcatanzaro> It sounds like we are really close... then we'll be able to turn on LUKS by default, this is a really big deal!
[10:38:17] <mcatanzaro> With disk encryption, we'll be as secure as Android!  D:
[10:38:31] <halfline> mclasen: yea we could do that i guess
[10:39:24] <halfline> there is one tricky issue
[10:39:36] <halfline> where we only want to do this if autologin is enabled
[10:39:54] <hergertme> mcatanzaro: didn't they back off from FDE and only use ext4 directory encryption now?
[10:40:24] <mcatanzaro> hergertme: tbh I dunno... it's a bad joke, don't take it too seriously ;)
[10:40:34] <halfline> well we only want to read password from kernel keyring if autologin is enabled, and i guess we only want to synchronize user's password to luks password if it's a single user system
[10:40:36] <hergertme> halfline: how about ignoring that and really just "if there is only one user account"
[10:40:46] <halfline> and of course anaconda asks for two passwords at install time
[10:41:00] <halfline> so "is single user system?" isn't exactly the right question
[10:41:28] <hergertme> so drop root for F25? :)
[10:41:32] <mcatanzaro> halfline: We always want autologin to be enabled if there is LUKS and only one user account.
[10:41:47] <mcatanzaro> halfline: And we have infrastructure now to drop the root password prompt from anaconda. We already planned to do that.
[10:42:06] <mclasen> whats the danger in always trying the keyring password ?
[10:42:07] <mcatanzaro> They gave us a config file we can use to hide spokes!
[10:42:37] <halfline> mclasen: what do you mean by "always" ?
[10:42:50] <mcatanzaro> I think if gdm sees only one user account, we should always try the keyring password.
[10:42:52] <mclasen> autologin or not
[10:42:57] <mclasen> singleuser or not
[10:43:37] <halfline> mclasen: so if you have autologin disabled, you want the first user picked in the user list to have the password used on it?
[10:43:52] <halfline> i think people might find that unexpected
[10:44:06] <halfline> they think the system is logged out but it's effectively not
[10:44:15] <mclasen> if it doesn't fit, we ask for the password anyway, no ?
[10:44:22] <mcatanzaro> halfline: It's a detail... we just want it to work for new installs out of the box. I guess we could just have gnome-initial-setup set autologin on the initial user account, then people can turn it off and type their password twice if they really want to.
[10:44:45] <halfline> mclasen: the point is, if i'm sitting at the login screen i don't expect someone to be able to walk over and click my name and get into the session
[10:44:47] --> starmad (starmad@LPuteaux-657-1-19-167.w193-248.abo.wanadoo.fr) has joined #fedora-desktop
[10:45:15] <halfline> mcatanzaro: yea it's an interesting question
[10:45:17] <mclasen> didn't you say there's an expiry ?
[10:45:17] <halfline> which way to go
[10:45:26] <halfline> single user + luks => assume autologin
[10:45:44] <halfline> or just set autologin at the same time we set single user + luks
[10:45:56] <halfline> yes there's an expiry
[10:46:03] <halfline> but that doesn't mean it's a good idea !
[10:46:14] <halfline> we have separate stacks for autologin and password anyway
[10:46:26] <halfline> what's wrong with only enabling it for autologin ?
[10:46:32] <hergertme> clear the kernel keyring on logout?
[10:46:33] <mclasen> nothing
[10:46:38] <halfline> what's the advantage of doing it for a user list?
[10:46:43] <hergertme> (or lock screen)
[10:46:53] <halfline> hergertme: we'll probably clear the keyring after we grab the password
[10:47:01] <mclasen> I didn't expect it to be used when you pick a user from the list
[10:47:14] <halfline> oh then what did you mean by always ?
[10:47:20] <hergertme> right, i would think after the first login attempt you let go of it
[10:47:39] <mclasen> there was lots of suggestions for how to determine when you want to use it
[10:48:02] <mclasen> so I was exploring what the harm is if you get it wrong, and try the keyring password after boot, anyway
[10:48:12] <halfline> ah okay
[10:48:20] <halfline> yea i think the best option is to put it in the gdm-autologin service
[10:48:31] <halfline> then it just makes that case better for free
[10:48:38] <halfline> and people can still turn it off if they want
[10:48:38] --> Muhannad_ (muhannad@5.156.117.223) has joined #fedora-desktop
[10:48:42] <halfline> and we can get the defaults right
[10:48:57] <-- sesivany has quit (Quit: sesivany)
[10:49:11] <halfline> and if it fails in the gdm-autologin service we fall back to the current autologin situation
[10:49:19] --- Muhannad_ is now known as Muhannad__
[10:49:34] <halfline> but for extra credit we can add some feature to try to keep luks and the user password synchronized
[10:49:38] <halfline> so it won't fail in practice
[10:50:05] <halfline> the unsolved question is how do we know when to try to keep the luks password and user password synchronized, but we can figure something out
[10:50:24] <mclasen> thats the part where getting it wrong probably hurts more
[10:50:42] <mclasen> 'something changed my disk password without me knowing - all my data is now toast'
[10:50:50] <halfline> yea exactly
[10:51:16] <halfline> although luks does support multiple passwords
[10:51:33] <halfline> so we could get sloppy and keep the old one in there
[10:51:37] <halfline> probably not a good idea
[10:52:39] <halfline> maybe just have gnome-initial-setup write out some state saying the two are lockstep is good enough
[10:53:06] <-- xkahn has quit (Ping timeout: 180 seconds)
[10:53:49] <mclasen> it would be good to have a backup password in there
[10:54:14] <mcatanzaro> halfline: It doesn't seem TOO hard... gnome-disks can already change your LUKS password, gnome-control-center should be able to as well.
[10:56:21] <halfline> yea should be totally doable
[10:56:44] <halfline> so we're going to hide the "add root user" spoke from anaconda
[10:56:52] <halfline> and i guess we're going to hide the "add first user" spoke too ?
[10:56:54] <halfline> mcatanzaro: ^ 
[10:57:10] <-- ssp has quit (Ping timeout: 181 seconds)
[10:57:20] <mcatanzaro> halfline: The (tentative) plan is to hide all the spokes except disk layout.
[10:57:45] <halfline> okay
[10:57:51] <mcatanzaro> Nobody is scheduled to work on it and we need to revisit it to make sure stakeholders are OK with this since it hasn't been discussed in a while.
[10:59:12] <halfline> well if we handle adding the user from gnome-initial-setup, then I guess we can turn on automatic login if the password the user picks is the same as the luks password
[10:59:23] <mcatanzaro> halfline: Yes exactly
[10:59:47] <mclasen> how would we know that ?
[10:59:49] <mcatanzaro> (It's stupid that we currently have two supported ways to create the initial user account; should remove it from one place or the other!)
[11:00:28] <halfline> mclasen: it'll be a little tricky since gnome-initial-setup can't read the kernel keyring directly
[11:00:37] <mcatanzaro> "how would we know that" <-- Not sure :(
[11:00:54] <mclasen> but why do this backwards like that ?
[11:01:05] <halfline> what do you consider forwards ?
[11:01:14] <mclasen> can't we just do a "Also use this password to unlock the disk" checkbox ?
[11:01:35] <halfline> that would mean asking the user twice for an ecnryption password
[11:01:38] <halfline> once at install time
[11:01:41] <halfline> and once right after install
[11:02:00] <mclasen> your proposal also involved asking twice
[11:02:02] <-- Muhannad__ has quit (Ping timeout: 180 seconds)
[11:02:09] <mclasen> and then comparing the two passwords
[11:02:25] <-- fabiand has quit (Quit: Verlassend)
[11:02:28] <halfline> okay three times in your case, if the passwords are different
[11:03:10] <mclasen> no ?
[11:03:21] <mclasen> or maybe, yes
[11:03:24] <halfline> scenario: user picks password for encryption during install
[11:03:28] <mclasen> since there's a reboot in between
[11:03:40] <halfline> user gets asked later if they want to change their disk password to match their user password
[11:04:21] <mclasen> so that makes three times in your proposal too, then
[11:04:31] <halfline> damnit
[11:04:36] <halfline> i can't wiggle my way out of this
[11:04:52] <mclasen> unless you replace the password entry with a  "Use the disk password" checkbox
[11:05:00] <mclasen> and figure out how to get at it
[11:05:33] <halfline> yea we could do that, except we may hit a problem with it expiring
[11:05:46] <mclasen> grab it early...
[11:06:10] --> xkahn (xkahn@nat-pool-bos-u.redhat.com) has joined #fedora-desktop
[11:06:51] <halfline> yea that's probably the best bet
[11:07:16] <halfline> though if we're expecting users to do that by default...
[11:07:23] <halfline> then we could just add the user up front
[11:07:26] <mclasen> should we write this 'plan' up somewhere so we can speed up the discussion the next time this comes up ?
[11:07:26] <halfline> with that password
[11:07:31] <halfline> and run gnome-initial-setup in the session
[11:07:49] <halfline> uh i can copy and paste it into a wiki page or something
[11:08:11] <bochecha> halfline: what about the oem scenario though? (where the person installing is not the person booting the first time and creating their account)
[11:08:13] <halfline> oh i guess we couldn't add the user up front, since we don't know the username
[11:08:38] <hergertme> i think its reasonable to not ask for an encryption password at all at install time
[11:08:49] <hergertme> and so its "empty password" until they've gone through initial-setup
[11:08:59] <hergertme> that is in fact 2 less things to ask for at install!
[11:09:26] <bochecha> hergertme: and there's no data to protect with encryption until after the user account is created anyway
[11:09:33] <hergertme> yup
[11:10:20] <bochecha> another solution would be for the whole install procedure to happen at first boot (before that, the system is effectively like a liveusb)
 

Benefit to Fedora

Less questions for user, automatic login will automatically unlock keyring


Scope

  • Proposal owners:
  • Other developers:
  • Release engineering: No release engineering changes needed
  • Policies and guidelines: No policy or guideline changes needed

Upgrade/compatibility impact

How To Test

User Experience

Dependencies

Contingency Plan

Documentation

TBD

Release Notes

TBD