I would like to be queried for my password at boot only once, i.e. entering the luks password for the encrypted root fs and then start my desktop session, including opening kwallet.
SDDM has the autologin feature, but there it won't open kwallet unless its password is empty. But an empty wallet password is obviously not what I'm looking for.
The systemd changelog for version 227 says:
* The "ask-password" framework used to query for LUKS harddisk
passwords or SSL passwords during boot gained support for
caching passwords in the kernel keyring, if it is
available. This makes sure that the user only has to type in
a passphrase once if there are multiple objects to unlock
with the same one. Previously, such password caching was
available only when Plymouth was used; this moves the
caching logic into the systemd codebase itself. The
"systemd-ask-password" utility gained a new --keyname=
switch to control which kernel keyring key to use for
caching a password in. This functionality is also useful for
enabling display managers such as gdm to automatically
unlock the user's GNOME keyring if its passphrase, the
user's password and the harddisk password are the same, if
gdm-autologin is used.
The last sentence is exactly what I want to do. They also have something about it in the systemd-ask-password manpage:
--keyname=
Configure a kernel keyring key name to use as cache for the password. If set, then the
tool will try to push any collected passwords into the kernel keyring of the root
user, as a key of the specified name. If combined with --accept-cached, it will also
try to retrieve such cached passwords from the key in the kernel keyring instead of
querying the user right away. By using this option, the kernel keyring may be used as
effective cache to avoid repeatedly asking users for passwords, if there are multiple
objects that may be unlocked with the same password. The cached key will have a
timeout of 2.5min set, after which it will be purged from the kernel keyring. Note
that it is possible to cache multiple passwords under the same keyname, in which case
they will be stored as NUL-separated list of passwords. Use keyctl(1) to access the
cached key via the kernel keyring directly. Example: "--keyname=cryptsetup"
The idea would be as follows:
When entering it on boot, systemd securely stores the cryptsetup password in the kernel keyring
SDDM reads that password and passes it to pam_kwallet5.so
SDDM logs me in automatically, kwallet will be open.
The wallet can then be used to feed other applications (e.g. ssh-agent)
I don't know much about pam, but I guess it could be done by modifying /etc/pam.d/sddm-autologin such that the cached encryption key is passed as password to the session modules.
Has anyone been successful with such a setup?
I'm not sure this can work with an encrypted root. Presumably, you are using a hook in mkinitcpio.conf to deal with the encryption on boot. As I understand it, the systemd LUKS stuff is used for unlocking other partitions/volumes/containers later in the boot sequence.
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
@cfr systemd-cryptsetup will store a valid password in root's keyring under the key cryptsetup with an expiry of 2.5 minutes.
gdm extracts the password from the keyring and makes it available as a PAM_AUTHTOK https://github.com/GNOME/gdm/blob/ce066 … _gdm.c#L45
Anything following in the pam stack can use the token as though it were a user-entered password.
sddm does not appear to have equivalent functionality.
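The retrieval step loqs describes, as an added example that is not part of the thread or of gdm's code, written in C because pam_gdm.c and any other PAM module are C. It uses the raw add_key(2)/keyctl(2) syscalls with the constants defined inline (so libkeyutils is not required), caches a constructed passphrase under a hypothetical key name in the caller's own user keyring with the same 2.5 minute timeout, and reads it back the way a module reading root's "cryptsetup" key would.

```c
/* Added example, not from the thread or from gdm: cache a passphrase in the
 * kernel keyring as systemd-ask-password --keyname= does, then fetch it as a
 * PAM module would before handing it on as the authtok. The key name and
 * passphrase are constructed; the caller's own user keyring (@u) stands in for
 * root's, which only a process running as root can search. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#define KEYCTL_SEARCH         10
#define KEYCTL_READ           11
#define KEYCTL_SET_TIMEOUT    15
#define KEY_SPEC_USER_KEYRING (-4)   /* "@u" in keyctl(1) terms */

/* The payload is a NUL-separated list of passphrases (systemd appends when
 * several are cached under one name). Return a malloc'd copy of the first
 * entry, or NULL if the list is empty; the caller frees it. */
char *first_passphrase(const char *buf, size_t len) {
    if (len == 0 || buf[0] == '\0') return NULL;
    size_t n = strnlen(buf, len);
    char *out = malloc(n + 1);
    if (out) { memcpy(out, buf, n); out[n] = '\0'; }
    return out;
}

/* Cache pw under name with a timeout in seconds; 150 s mirrors the 2.5 min
 * window from the thread. Returns 0 on success, -1 on failure. */
int cache_passphrase(const char *name, const char *pw, unsigned timeout_s) {
    long id = syscall(SYS_add_key, "user", name, pw, strlen(pw) + 1, KEY_SPEC_USER_KEYRING);
    if (id < 0) return -1;
    return syscall(SYS_keyctl, KEYCTL_SET_TIMEOUT, id, timeout_s) < 0 ? -1 : 0;
}

/* Search the user keyring for key "user/<name>" and return its first
 * passphrase, or NULL if it is absent or has already expired. Any process with
 * the same keyring access can do this, which is why the short timeout matters. */
char *read_cached_passphrase(const char *name) {
    long id = syscall(SYS_keyctl, KEYCTL_SEARCH, KEY_SPEC_USER_KEYRING, "user", name, 0);
    if (id < 0) return NULL;
    char buf[1024];
    long n = syscall(SYS_keyctl, KEYCTL_READ, id, buf, sizeof buf);
    if (n < 0 || n > (long)sizeof buf) return NULL;
    return first_passphrase(buf, (size_t)n);
}

int main(void) {
    if (cache_passphrase("demo-cryptsetup", "constructed-passphrase", 150) != 0) {
        perror("add_key");   /* keyrings may be unavailable in a sandbox */
        return 1;
    }
    char *pw = read_cached_passphrase("demo-cryptsetup");
    printf("cached passphrase: %s\n", pw ? pw : "(none)");
    free(pw);
    return 0;
}
```

Run it as an unprivileged user and compare with `keyctl show @u` and `keyctl print <id>`; after 150 s the key disappears and read_cached_passphrase returns NULL.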
@loqs thanks for the pointer to the gdm implementation of that feature. This is exactly what I had in mind.
On the other hand, I don't fancy installing gdm with all its dependencies just for this single feature.
I submitted a feature request for sddm instead. If it hasn't been done by Christmas then I might look into it myself, even though I'm not a C programmer.
@cfr systemd-cryptsetup will store a valid password in roots keyring under the key cryptsetup with an expiry of 2.5 minutes.
Thanks. I didn't realise you could do that from the initramfs. I thought it only applied to stuff happening later. Good to know it works earlier also.