#1 2022-01-08 10:17:21

lugge
Member
Registered: 2017-03-17
Posts: 33

Automatic login only when I'm in my home Wifi

Hi there,

I have a portable device running Arch Linux.
At the moment, I have automatic login set up, using a getty service. My .bash_profile then starts into X.
A display manager is not installed at the moment.

As this is a portable device, there may be the case that it gets lost or stolen during vacation.
So, I was thinking about activating auto login only when I'm at home or in a safe environment.
This might be the case when I'm logged into my Wifi.
So, I was thinking about means of checking if I'm in my Wifi during boot time and then switch between auto login / no auto login.

Long story short:
Is there a way of achieving such functionality?
Only thing I can imagine is setting up two configuration files for getty (or GDM if I consider using it) and replace them during boot time with a helper script or service.
Obviously, this would be no real security because someone who knows about this can just set up an access point with my SSID (but he needs also the same passphrase).
Also, using a Linux live media, someone could just edit my script.
However, all my data is on a LUKS encrypted partition which is not auto mounted.

But, for the sake of discussion, any ideas for this?
What's your opinion about "conditional auto login"?

Last edited by lugge (2022-01-08 10:20:43)


#2 2022-01-08 15:39:55

seth
Member
Registered: 2012-09-03
Posts: 51,064


> Obviously, this would be no real security because someone who knows about this can just set up an access point with my SSID (but he needs also the same passphrase).
> Also, using a Linux live media, someone could just edit my script.

And therefore this is a futile exercise.

> However, all my data is on a LUKS encrypted partition which is not auto mounted.

Well, afaiu I already get access to your WLAN :P

You could rather fetch a key to auto-decrypt your $HOME from the WLAN - that is either provided or not.

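An added example (not code from the thread or from any poster) of the key-fetch idea in the post above: the script tries to download a LUKS key file from a server reachable only on the home network and reports that the passphrase prompt is needed otherwise. The key URL, CA file, device path, mapper name and key directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; every path, URL and name below is an assumed placeholder.
KEY_URL="${KEY_URL:-https://keyserver.home.example/home.key}"   # LAN-only key server
CA_FILE="${CA_FILE:-/etc/homekey/ca.pem}"                       # private CA for that server
HOME_DEV="${HOME_DEV:-/dev/disk/by-partlabel/home}"             # LUKS volume holding $HOME
MAPPER_NAME="${MAPPER_NAME:-home}"
KEY_DIR="${KEY_DIR:-/run}"    # tmpfs, so the fetched key never reaches persistent storage

# Download the key file to "$1". --fail maps HTTP errors to a non-zero exit,
# --max-time keeps boot from hanging when away from home, and --cacert makes
# curl reject any server that cannot present a certificate from the private CA
# (an access point that merely copies the SSID cannot).
fetch_key() {
    curl --silent --fail --max-time 5 --cacert "$CA_FILE" --output "$1" "$KEY_URL"
}

# Prints what happened; returns 0 if the volume is open, 1 if the caller
# must fall back to the normal interactive passphrase prompt.
unlock_home() {
    if [ -e "/dev/mapper/$MAPPER_NAME" ]; then
        echo "already-open"
        return 0
    fi
    keyfile=$(mktemp "$KEY_DIR/homekey.XXXXXX") || { echo "passphrase-needed"; return 1; }
    result="passphrase-needed"
    status=1
    # Only call cryptsetup when a non-empty key actually arrived.
    if fetch_key "$keyfile" && [ -s "$keyfile" ] &&
       cryptsetup open --type luks --key-file "$keyfile" "$HOME_DEV" "$MAPPER_NAME"; then
        result="network-key"
        status=0
    fi
    rm -f "$keyfile"
    echo "$result"
    return "$status"
}

# Run as root from a boot-time unit: sh unlock-home.sh --unlock
if [ "${1:-}" = "--unlock" ]; then
    unlock_home
fi
```

Anyone who can reach the key server can obtain the key, so it should answer only on the home LAN; a laptop powered on inside that network unlocks without a passphrase.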

#3 2022-01-08 17:47:05

lugge
Member
Registered: 2017-03-17
Posts: 33


seth wrote:

> > Obviously, this would be no real security because someone who knows about this can just set up an access point with my SSID (but he needs also the same passphrase).
> > Also, using a Linux live media, someone could just edit my script.
>
> And therefore this is a futile exercise.

Depends.
The attacker needs to get an idea of the script. This will stop about 90% of random guys finding a lone laptop.
But yes, if he has basic Linux knowledge and time, he will eventually boot the device from USB and discover the script (which obviously holds the SSID in plaintext).
Thus, we only have security by obscurity, which is bad.

However, he still will only be able to boot the device into desktop.
Nevertheless, the data partition is still encrypted. Thus, all he can do is see which DE I'm using and which programs I have installed. But using a live USB, this is also possible, even with no autologin.
The only measure to prevent a live USB attack is to encrypt the root partition.

So, yes, I know that the security gain is minimal (or zero, if one considers security by obscurity as no security, which I do).
But the data would still be safe.

> You could rather fetch a key to auto-decrypt your $HOME from the WLAN - that is either provided or not.

Guess fetching decrypt key for root via wifi is not possible? ;-)


#4 2022-01-08 18:07:48

seth
Member
Registered: 2012-09-03
Posts: 51,064


> Guess fetching decrypt key for root via wifi is not possible? ;-)

You can have an NFS root device…

You'd have to add network access to the initramfs (so /boot cannot be encrypted) but it's probably not even required to encrypt the root in this scenario.
You're still exposing your wifi password and if all other private data is kept in your $HOME, there's no reason to protect the root system (unless you want to prevent it from being tampered with, but at this point we're not talking about some random stranger stealing your device, but an explicit attack)


#5 2022-01-08 18:18:27

progandy
Member
Registered: 2012-05-17
Posts: 5,190


> Guess fetching decrypt key for root via wifi is not possible? ;-)

Network bound encryption like with clevis and tang exists. Whether it is useful here is debatable.
https://access.redhat.com/documentation … ption-nbde
https://access.redhat.com/documentation … -hardening

Last edited by progandy (2022-01-08 18:28:51)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |


#6 2022-01-08 18:28:14

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,523


lugge wrote:

> However, he still will only be able to boot the device into desktop.
> Nevertheless, the data partition is still encrypted, Thus, all he can do is see which DE I'm using and which programs I have installed.

And this is all that they would be able to access if you didn't take any steps to prevent autologin in public which is why this makes no sense at all.

You don't want the machine to autologin in public in order to protect ... something. But everything that needs to be protected is encrypted, so autologin or not is completely irrelevant. So why add usability hurdles for yourself in order to get zero increment in security?


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#7 2022-01-08 23:54:26

AndroGR
Member
From: Athens, Greece.
Registered: 2021-10-15
Posts: 53


lugge wrote:

> Hi there,
> At the moment, I have automatic login set up, using a getty service. My .bash_profile then starts into X.
> A display manager is not installed at the moment.

Please don't do this. Just use a display manager, it provides much better functionality.

As for the initial question, yes, there is a way to have automatic login. But it works, once again, only with major display managers (SDDM and KDE for me but anything you like). You can then enable auto login in the display manager's settings. For lightdm, check the config file, and find the autologin line, uncomment it and put your username on it.

E: I'm not sure if you actually can configure a display manager for WiFi unlocking. You can, however, have LightDM unlock if it's connected to the internet, regardless of wifi or not.

Last edited by AndroGR (2022-01-08 23:56:58)


Arch | AMD Ryzen 5 1500X | AMD Radeon RX550 4GB | 16GB RAM (3200Mhz) | KDE Plasma | Linux Zen / Custom Kernel


#8 2022-01-08 23:57:16

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,523


AndroGR wrote:

> nonsense

No, just no.  Display managers offer no benefit here at all.  Further it's clear you have not read the thread as it is all about selectively automatically logging in depending on physical location - which a display manager config does not address at all.

