Unsuck Login Unlock
This spec is being planned
Goals:
- Don't prompt a user more than once for a login password
- Use a disk unlock password to log user in if possible
- Don't prompt a user for a login password after auto-login, fingerprint, or PIN login
Obstacles:
- systemd unlocking the disk needs a way to pass the password securely all the way up to gdm to use it to try and log in.
- Things like auto-login or fingerprint login do not provide a secret to the session, so keyring applications try to prompt the user for a login password anyway
Rough Plan:
- Use the kernel keyring to pass the login password from disk unlock to PAM stack
- When configuring auto-login, fingerprint or PIN login, store the user's password somewhere on the system, and make it available to the PAM stack.
Diagram
Notes: Things that want access to the user's login password
- Local unix login: pam_unix
- gss-ntlmssp wants to use it for NTLM auth
- gnome-keyring wants to use it to unlock database
- Disk unlock wants to use it if matches disks password
- or rather other way around so we can login based on disk password if match
- ...
Components and Tasks
Very rough, just sketched here for now.
Kernel keyring
- Plan: Figure out kernel keyring key attributes and type
- Plan: File layout for auth_tok files
systemd
- Task: Have systemd create per service keyrings, and a way to declare linking them between services
- Task: Modify cryptsetup code to store password in kernel keyring
- Use timeout for disk password
PAM module
- Task: PAM authenticate to read from kernel keyring and set PAM_AUTHTOK
- Task: PAM password to rewrite auth_tok file when user password changes
- If file is present, and PAM_OLDAUTHTOK matches
AccountsService
- Task: Set and change passwords through PAM
- Task: Update PasswordMode code
- Task: Fix SetPassword() which is really broken
GNOME
- Design: Should GDM completely avoid prompting for the user, if disk password is present in kernel keyring, and somehow try to log last user in?
- Task: Modify gnome-control-center logic so that there is always a user password.