Unsuck Login Unlock

This spec is being planned

Goals:

  • Don't prompt a user more than once for a login password
  • Use a disk unlock password to log user in if possible
  • Don't prompt a user for a login password after auto-login, fingerprint, or PIN login

Obstacles:

  • systemd unlocking the disk needs a way to pass the password securely all the way up to gdm, which would use it to try to log the user in.
  • Things like auto-login or fingerprint login do not provide a secret to the session, so keyring applications try to prompt the user for a login password anyway.

Rough Plan:

  • Use the kernel keyring to pass the login password from disk unlock to PAM stack
  • When configuring auto-login, fingerprint or PIN login, store the user's password somewhere on the system, and make it available to the PAM stack.

Diagram

Notes: Things that want access to the user's login password

  • Local unix login: pam_unix
  • gss-ntlmssp wants to use it for NTLM auth
  • gnome-keyring wants to use it to unlock database
  • Disk unlock wants to use it if it matches the disk password
    • or rather the other way around: log the user in with the disk password when the two match
  • ...

Components and Tasks

Very rough, just sketched here for now.

Kernel keyring

  • Plan: Figure out kernel keyring key attributes and type
  • Plan: File layout for auth_tok files

systemd

  • Task: Have systemd create per service keyrings, and a way to declare linking them between services
  • Task: Modify cryptsetup code to store password in kernel keyring
    • Use timeout for disk password

PAM module

  • Task: PAM authenticate to read from kernel keyring and set PAM_AUTHTOK
  • Task: PAM password to rewrite auth_tok file when user password changes
    • Only if the file is present and PAM_OLDAUTHTOK matches
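As an added example (not code from this plan, nor from systemd or Linux-PAM), here are the two halves of the keyring hand-off sketched under Rough Plan and in the systemd and PAM module tasks above: the unlock side stores the password as a kernel key with a timeout, the authenticate side searches for it and reads it back. It uses the raw add_key(2)/keyctl(2) syscalls rather than libkeyutils or libpam so it builds anywhere; the session keyring, the key description "login:authtok" and the 30-second timeout are assumptions (the real design would use whatever keyring linking systemd ends up exposing to the PAM stack).

```c
#define _GNU_SOURCE             /* for syscall(2) */
#include <errno.h>
#include <linux/keyctl.h>       /* KEYCTL_*, KEY_SPEC_* */
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define AUTHTOK_DESC "login:authtok"   /* assumed key description */

/* Unlock side (what the cryptsetup change would do): store the password as a
 * "user" key and arm a timeout so it cannot outlive the login attempt. */
long keyring_store_authtok(const char *secret, unsigned int timeout_s)
{
    long id = syscall(__NR_add_key, "user", AUTHTOK_DESC, secret,
                      strlen(secret), KEY_SPEC_SESSION_KEYRING);
    if (id < 0)
        return -errno;
    if (syscall(__NR_keyctl, KEYCTL_SET_TIMEOUT, id, timeout_s) < 0)
        return -errno;
    return id;
}

/* PAM side: find the key and copy its payload out.  Returns the payload
 * length, or -errno: -ENOKEY/-EKEYEXPIRED once the timeout has fired,
 * -EMSGSIZE if buf is too small.  pam_sm_authenticate() would then call
 * pam_set_item(pamh, PAM_AUTHTOK, buf) so pam_unix and friends can use it. */
long keyring_fetch_authtok(char *buf, size_t buflen)
{
    long id = syscall(__NR_keyctl, KEYCTL_SEARCH, KEY_SPEC_SESSION_KEYRING,
                      "user", AUTHTOK_DESC, 0);
    if (id < 0)
        return -errno;
    long n = syscall(__NR_keyctl, KEYCTL_READ, id, buf, buflen - 1);
    if (n < 0)
        return -errno;
    if ((size_t)n >= buflen)    /* KEYCTL_READ reports the full size when truncating */
        return -EMSGSIZE;
    buf[n] = '\0';
    return n;
}

int main(void)
{
    char tok[256];
    long n = keyring_store_authtok("constructed-passphrase", 30);  /* constructed */
    if (n >= 0)
        n = keyring_fetch_authtok(tok, sizeof tok);
    memset(tok, 0, sizeof tok);     /* scrub the secret before exit */
    return n < 0;                   /* nonzero e.g. where a sandbox denies keyctl */
}
```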

AccountsService

  • Task: Set and change passwords through PAM
  • Task: Update PasswordMode code
  • Task: Fix SetPassword() which is really broken

GNOME

  • Design: Should GDM skip prompting the user entirely when the disk password is present in the kernel keyring, and somehow try to log the last user in?
  • Task: Modify gnome-control-center logic so that there is always a user password.