https://bugs.kde.org/show_bug.cgi?id=460958
Bug ID: 460958
Summary: Make password change friendly for fscrypt users
Classification: Applications
Product: systemsettings
Version: unspecified
Platform: Other
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: kcm_users
Assignee: plasma-b...@kde.org
Reporter: xalt7x.serv...@gmail.com
CC: uhh...@gmail.com
Target Milestone: ---

Fscrypt is a modern alternative to eCryptfs (which at some point Ubuntu used for "home" encryption). After the initial setup, fscrypt is generally hassle-free, largely thanks to its PAM module. A password change is automatically handled as well, but there's a little caveat:

"Usually, the PAM module pam_fscrypt.so will automatically detect changes to a user's login passphrase and update the user's fscrypt login protector so that they retain access to their login-passphrase protected directories. However, sometimes a user's login passphrase can become desynchronized from their fscrypt login protector."

So the user shouldn't use sudo or the root account for a 'passwd' command, otherwise he will have to update the login-passphrase protector manually (or change the password back).

Unfortunately, fscrypt users who change their password with the standard KDE Plasma "System Settings" dialogs face the same issue as with the "elevated" 'passwd' command. For some reason the fscrypt PAM module doesn't receive the new password, so the user needs to roll it back or update it manually with a command (which fscrypt nicely prints on the CLI, but obviously it's not visible to GUI users).

P.S. I've also tried the same on GNOME 42. There, a password change with the native dialogs happens imperceptibly for an fscrypt user.

STEPS TO REPRODUCE

*** Disclaimer: not all distros and filesystems provide fscrypt support yet. My steps were tested on Kubuntu and KDE Neon with an EXT4 filesystem ***

1. Set up and configure fscrypt with a PAM module
   a) sudo apt -y install libpam-fscrypt
   b) sudo tune2fs -O encrypt "/dev/<root disk device>"
      # (e.g. /dev/sda2, /dev/nvme0n1p2, /dev/vda1; check yours with "sudo fdisk -l")
   c) sudo fscrypt setup
   d) mkdir ~/fscrypt
   e) sudo fscrypt encrypt ~/fscrypt --user=$USER
   f) touch ~/fscrypt/file
      - select "1 - Your login passphrase (pam_passphrase)"
      - input $USER password
2. Log out and log in
3. Make sure that ~/fscrypt/file gets unlocked after login
4. Try to change the user password with the command
   passwd $USER
5. Log out, log in and make sure that ~/fscrypt/file still gets unlocked automatically
6. Change the user password with the "systemsettings" dialogs

OBSERVED RESULT
~/fscrypt/file is encrypted

EXPECTED RESULT
~/fscrypt/file is decrypted

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: KDE Neon 5.26
KDE Plasma Version: 5.26.1
KDE Frameworks Version: 5.99.0
Qt Version: 5.15.6

ADDITIONAL INFORMATION
I've also tried the same on GNOME 42. There, a password change happens imperceptibly for an fscrypt user.