Re: [dm-crypt] Shared library for cryptsetup

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Heinz Diehl <htd@fancy-poultry.org>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Shared library for cryptsetup
Date: Mon, 12 Oct 2009 14:53:24 +0200	[thread overview]
Message-ID: <87ococdb97.wl%htd@fancy-poultry.org> (raw)
In-Reply-To: <20091012111229.64a374ac@tanana.suse.de>

At Mon, 12 Oct 2009 11:12:29 +0200,
Ludwig Nussel wrote:

> > Another reason is that tokentube allows for different deployment options: it's
> > possible to configure the system in such a way that the user's auth files (key
> > files) are in fact owned by the user. That's not a common scenario but I've
> > seen environments which required such setups.

> Wouldn't that expose the master key to the users?

This is exactly what I thought, too.

> > > Also, as long as you're using local authentication you don't need to
> > > store the password for pam authentication. Should be sufficient to
> > > just reconfigure the displaymanager to auto login the user that
> > > unlocked the root device.

Adding a big amount of complex code to an already working solution raises the chance of
putting a security hole into it. And there is also to consider that by far not
all users are using PAM at all. 

Generally, I think the level of adding complex and new code to cryptographic
software should be a hundred times higher than usual, because every line of
code raises the possibility of introducing a flaw, which often renders the whole
software unuseable.

     prev parent reply	other threads:[~2009-10-12 12:53 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-09-24 19:44 [dm-crypt] Shared library for cryptsetup Jürgen Pabel
2009-09-25 13:02 ` Milan Broz
2009-09-29 11:44 ` Ludwig Nussel
2009-10-11 23:17   ` Jürgen Pabel
2009-10-12  9:12     ` Ludwig Nussel
2009-10-12 12:53       ` Heinz Diehl [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87ococdb97.wl%htd@fancy-poultry.org \
    --to=htd@fancy-poultry.org \
    --cc=dm-crypt@saout.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.