
#1 2017-11-07 16:40:17

Sebastian256
Member
Registered: 2017-11-06
Posts: 4

systemd-ask-password, sddm autologin & kwallet

I would like to be queried for my password at boot only once, i.e. entering the LUKS password for the encrypted root fs and then starting my desktop session, including opening kwallet.
SDDM has the autologin feature, but there it won't open kwallet unless its password is empty. But an empty wallet password is obviously not what I'm looking for.

The systemd changelog for version 227 says:

        * The "ask-password" framework used to query for LUKS harddisk
          passwords or SSL passwords during boot gained support for
          caching passwords in the kernel keyring, if it is
          available. This makes sure that the user only has to type in
          a passphrase once if there are multiple objects to unlock
          with the same one. Previously, such password caching was
          available only when Plymouth was used; this moves the
          caching logic into the systemd codebase itself. The
          "systemd-ask-password" utility gained a new --keyname=
          switch to control which kernel keyring key to use for
          caching a password in. This functionality is also useful for
          enabling display managers such as gdm to automatically
          unlock the user's GNOME keyring if its passphrase, the
          user's password and the harddisk password are the same, if
          gdm-autologin is used.

The last sentence is exactly what I want to do. They also have something about it in the systemd-ask-password manpage:

       --keyname=
           Configure a kernel keyring key name to use as cache for the password. If set, then the
           tool will try to push any collected passwords into the kernel keyring of the root
           user, as a key of the specified name. If combined with --accept-cached, it will also
           try to retrieve such cached passwords from the key in the kernel keyring instead of
           querying the user right away. By using this option, the kernel keyring may be used as
           effective cache to avoid repeatedly asking users for passwords, if there are multiple
           objects that may be unlocked with the same password. The cached key will have a
           timeout of 2.5min set, after which it will be purged from the kernel keyring. Note
           that it is possible to cache multiple passwords under the same keyname, in which case
           they will be stored as NUL-separated list of passwords. Use keyctl(1) to access the
           cached key via the kernel keyring directly. Example: "--keyname=cryptsetup"

The idea would be as follows:

  • When entering it on boot, systemd securely stores the cryptsetup password in the kernel keyring

  • SDDM reads that password and passes it to pam_kwallet5.so

  • SDDM logs me in automatically, kwallet will be open.

  • The wallet can then be used to feed other applications (e.g. ssh-agent)

I don't know much about pam, but I guess it could be done by modifying /etc/pam.d/sddm-autologin such that the cached encryption key is passed as password to the session modules.

Has anyone been successful with such a setup?

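To make the cache semantics from the quoted changelog and manpage concrete, here is an added Python model (not systemd's, gdm's or sddm's code) of the three pieces the proposed setup relies on: a keyring entry that holds one or more NUL-separated passwords under a key name with a 2.5 minute timeout, the `--accept-cached` lookup-before-prompt behaviour, and a display manager in the gdm style reading that entry to hand it to the PAM stack as the auth token. The in-memory `KeyringCache`, the `clock` parameter, and the choice to use only the first list entry as the PAM token are assumptions of this model; the real key lives in root's kernel keyring and would be read with keyctl(1).

```python
import time
from dataclasses import dataclass

# Timeout documented in systemd-ask-password(1) for the cached key: 2.5 minutes.
CACHE_TIMEOUT_SECONDS = 150.0


@dataclass
class CachedKey:
    payload: bytes      # one or more passwords, NUL-separated (manpage format)
    expires_at: float   # monotonic time after which the key counts as purged


def parse_password_list(payload: bytes) -> list:
    """Split a NUL-separated keyring payload into the individual passwords."""
    return [p for p in payload.split(b"\0") if p]


class KeyringCache:
    """Constructed in-memory stand-in for root's kernel keyring as used by
    systemd-ask-password --keyname=. Not the real keyring."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock   # injectable so the timeout can be exercised in tests
        self._keys = {}

    def push(self, keyname: str, password: bytes) -> None:
        """Store a collected password under keyname. Multiple passwords under the
        same name are kept as a NUL-separated list; every push restarts the
        2.5 minute timeout. Duplicates are skipped (an assumption of this model)."""
        if b"\0" in password:
            raise ValueError("passwords must not contain NUL")
        now = self._clock()
        entry = self._keys.get(keyname)
        if entry is not None and entry.expires_at > now:
            current = parse_password_list(entry.payload)
            if password not in current:
                current.append(password)
        else:
            current = [password]
        self._keys[keyname] = CachedKey(b"\0".join(current), now + CACHE_TIMEOUT_SECONDS)

    def read(self, keyname: str):
        """Return the cached password list, or None when absent or expired."""
        entry = self._keys.get(keyname)
        if entry is None:
            return None
        if entry.expires_at <= self._clock():
            del self._keys[keyname]   # the kernel purges the key on timeout
            return None
        return parse_password_list(entry.payload)


def ask_password(cache: KeyringCache, keyname: str, prompt_user, accept_cached: bool = True):
    """Model of `systemd-ask-password --keyname=K [--accept-cached]`: with
    --accept-cached the keyring is tried first; otherwise the user is prompted
    and the answer is pushed into the keyring for the next object to unlock."""
    if accept_cached:
        cached = cache.read(keyname)
        if cached:
            return cached
    password = prompt_user()
    cache.push(keyname, password)
    return [password]


def token_for_autologin(cache: KeyringCache, keyname: str = "cryptsetup"):
    """What a gdm-style display manager does at autologin: read the cached LUKS
    passphrase and hand it to the PAM stack as the auth token, so a module such
    as pam_kwallet5 can open the wallet. Returns None when nothing is cached.
    Assumption of this model: only the first entry of the list is used."""
    cached = cache.read(keyname)
    return cached[0] if cached else None


if __name__ == "__main__":
    # Constructed walk-through: root fs unlocked at boot, then autologin.
    cache = KeyringCache()
    ask_password(cache, "cryptsetup", lambda: b"constructed-passphrase")
    print("PAM_AUTHTOK for autologin:", token_for_autologin(cache))
```

The point the thread turns on is visible in `token_for_autologin`: the key is only useful to the display manager while the 2.5 minute window is open, so a login manager that reads it has to do so early in the session start, and once the key is purged the wallet can only be opened by prompting again.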

#2 2017-11-07 17:02:42

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,131

Re: systemd-ask-password, sddm autologin & kwallet

I'm not sure this can work with an encrypted root. Presumably, you are using a hook in mkinitcpio.conf to deal with the encryption on boot. As I understand it, the systemd LUKS stuff is used for unlocking other partitions/volumes/containers later in the boot sequence.


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#3 2017-11-07 17:52:06

loqs
Member
Registered: 2014-03-06
Posts: 17,197

Re: systemd-ask-password, sddm autologin & kwallet

@cfr systemd-cryptsetup will store a valid password in root's keyring under the key cryptsetup with an expiry of 2.5 minutes.
gdm extracts the password from the keyring and makes it available as PAM_AUTHTOK: https://github.com/GNOME/gdm/blob/ce066 … _gdm.c#L45
Anything following in the PAM stack can use the token as though it were a user-entered password.
sddm does not appear to have equivalent functionality.


#4 2017-11-07 21:07:12

Sebastian256
Member
Registered: 2017-11-06
Posts: 4

Re: systemd-ask-password, sddm autologin & kwallet

@loqs thanks for the pointer to the gdm implementation of that feature. This is exactly what I had in mind.
On the other hand, I don't fancy installing gdm with all its dependencies just for this single feature.

I submitted a feature request for sddm instead. If it hasn't been done by Christmas then I might look into it myself, even though I'm not a C programmer big_smile


#5 2017-11-07 23:43:44

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,131

Re: systemd-ask-password, sddm autologin & kwallet

loqs wrote:

@cfr systemd-cryptsetup will store a valid password in root's keyring under the key cryptsetup with an expiry of 2.5 minutes.

Thanks. I didn't realise you could do that from the initramfs. I thought it only applied to stuff happening later. Good to know it works earlier also.

