* [dm-crypt] Verify LUKS password
From: Marcos Barbosa @ 2011-11-29 15:22 UTC
To: dm-crypt

I have a problem: I need to authenticate gnome-screensaver (via PAM) with the
LUKS password. How do I do that?

Best regards.

--
Marcos Barbosa <marcosestevesbarbosa@gmail.com>

* Re: [dm-crypt] Verify LUKS password
From: Arno Wagner @ 2011-11-29 17:31 UTC
To: dm-crypt

I am not clear on what you want to do: Use the LUKS passphrase
also for the Gnome screen-locker? If so, set one of the keyslots
to the passphrase of the screen-locker.

If you actually want to remove the LUKS mapping (i.e. "close" the
LUKS container) when the screen saver engages and remap the LUKS
container when the screensaver is unlocked, then this is complicated.
It may also not be what you want, given that unmapping the LUKS
container with open files is either not possible or can result in
arbitrary data corruption (I have not tried it). So you would
need to do something like this on screenlocker-engage:

1. Determine all open files in the LUKS container
2. Terminate all applications that have these files open
3. Unmount the LUKS container and verify it did unmount.
   If unmount fails, go to 1. (An application could have opened
   a file in between...) Maybe you can also do a ro remount first.
4. Unmap the LUKS container.

Now, this would need to be somehow script-driven from the
screensaver. Whether automated application close is a good idea
depends very much on the situation and is generally _not_ a good
idea.

Arno

On Tue, Nov 29, 2011 at 01:22:35PM -0200, Marcos Barbosa wrote:
> I have a problem: I need to authenticate gnome-screensaver (via PAM) with
> the LUKS password. How do I do that?
>
> Best regards.
>
> --
> Marcos Barbosa <marcosestevesbarbosa@gmail.com>

> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier

* Re: [dm-crypt] Verify LUKS password
From: Yves-Alexis Perez @ 2011-11-29 17:40 UTC
To: Arno Wagner; +Cc: dm-crypt

On Tue, 2011-11-29 at 18:31 +0100, Arno Wagner wrote:
> If you actually want to remove the LUKS mapping (i.e. "close" the
> LUKS container) when the screen saver engages and remap the LUKS
> container when the screensaver is unlocked, then this is complicated.
> It may also not be what you want, given that unmapping the LUKS
> container with open files is either not possible or can result in
> arbitrary data corruption (I have not tried it). So you would
> need to do something like this on screenlocker-engage:
>
> 1. Determine all open files in the LUKS container
> 2. Terminate all applications that have these files open
> 3. Unmount the LUKS container and verify it did unmount.
>    If unmount fails, go to 1. (An application could have opened
>    a file in between...) Maybe you can also do a ro remount first.
> 4. Unmap the LUKS container.
>
> Now, this would need to be somehow script-driven from the
> screensaver. Whether automated application close is a good idea
> depends very much on the situation and is generally _not_ a good
> idea.
>

What about luksSuspend operation?

Regards,
--
Yves-Alexis

* Re: [dm-crypt] Verify LUKS password
From: Arno Wagner @ 2011-11-29 18:17 UTC
To: dm-crypt

On Tue, Nov 29, 2011 at 06:40:18PM +0100, Yves-Alexis Perez wrote:
> On Tue, 2011-11-29 at 18:31 +0100, Arno Wagner wrote:
> > If you actually want to remove the LUKS mapping (i.e. "close" the
> > LUKS container) when the screen saver engages and remap the LUKS
> > container when the screensaver is unlocked, then this is complicated.
> > It may also not be what you want, given that unmapping the LUKS
> > container with open files is either not possible or can result in
> > arbitrary data corruption (I have not tried it). So you would
> > need to do something like this on screenlocker-engage:
> >
> > 1. Determine all open files in the LUKS container
> > 2. Terminate all applications that have these files open
> > 3. Unmount the LUKS container and verify it did unmount.
> >    If unmount fails, go to 1. (An application could have opened
> >    a file in between...) Maybe you can also do a ro remount first.
> > 4. Unmap the LUKS container.
> >
> > Now, this would need to be somehow script-driven from the
> > screensaver. Whether automated application close is a good idea
> > depends very much on the situation and is generally _not_ a good
> > idea.
> >
>
> What about luksSuspend operation?

Well, maybe. If _all_ used applications can deal with
I/O calls taking forever.

Arno

* Re: [dm-crypt] Verify LUKS password
From: Marcos Barbosa @ 2011-11-29 18:33 UTC
To: dm-crypt

Is there a function in a shared library to check the password? A function
that takes the password and returns whether it is correct or not.

2011/11/29 Arno Wagner <arno@wagner.name>

> On Tue, Nov 29, 2011 at 06:40:18PM +0100, Yves-Alexis Perez wrote:
> > On Tue, 2011-11-29 at 18:31 +0100, Arno Wagner wrote:
> > > If you actually want to remove the LUKS mapping (i.e. "close" the
> > > LUKS container) when the screen saver engages and remap the LUKS
> > > container when the screensaver is unlocked, then this is complicated.
> > > It may also not be what you want, given that unmapping the LUKS
> > > container with open files is either not possible or can result in
> > > arbitrary data corruption (I have not tried it). So you would
> > > need to do something like this on screenlocker-engage:
> > >
> > > 1. Determine all open files in the LUKS container
> > > 2. Terminate all applications that have these files open
> > > 3. Unmount the LUKS container and verify it did unmount.
> > >    If unmount fails, go to 1. (An application could have opened
> > >    a file in between...) Maybe you can also do a ro remount first.
> > > 4. Unmap the LUKS container.
> > >
> > > Now, this would need to be somehow script-driven from the
> > > screensaver. Whether automated application close is a good idea
> > > depends very much on the situation and is generally _not_ a good
> > > idea.
> > >
> >
> > What about luksSuspend operation?
>
> Well, maybe. If _all_ used applications can deal with
> I/O calls taking forever.
>
> Arno

--
Marcos Barbosa <marcosestevesbarbosa@gmail.com>

* Re: [dm-crypt] Verify LUKS password
From: Marcos Barbosa @ 2011-11-29 17:42 UTC
To: dm-crypt

It is simpler. Just use the same password configured on the LUKS volume to
unlock gnome-screensaver.

I believe I can make a fast test: get the password and try to mount the
device again. If no error occurs then the password is correct. Close the
second mount point and unlock the screen. If the password is incorrect then
do not unlock the screen.

But the question is: how do I do this in a beautiful way? Or use a dirty
script to do that?

2011/11/29 Arno Wagner <arno@wagner.name>

> I am not clear on what you want to do: Use the LUKS passphrase
> also for the Gnome screen-locker? If so, set one of the keyslots
> to the passphrase of the screen-locker.
>
> If you actually want to remove the LUKS mapping (i.e. "close" the
> LUKS container) when the screen saver engages and remap the LUKS
> container when the screensaver is unlocked, then this is complicated.
> It may also not be what you want, given that unmapping the LUKS
> container with open files is either not possible or can result in
> arbitrary data corruption (I have not tried it). So you would
> need to do something like this on screenlocker-engage:
>
> 1. Determine all open files in the LUKS container
> 2. Terminate all applications that have these files open
> 3. Unmount the LUKS container and verify it did unmount.
>    If unmount fails, go to 1. (An application could have opened
>    a file in between...) Maybe you can also do a ro remount first.
> 4. Unmap the LUKS container.
>
> Now, this would need to be somehow script-driven from the
> screensaver. Whether automated application close is a good idea
> depends very much on the situation and is generally _not_ a good
> idea.
>
> Arno
>
> On Tue, Nov 29, 2011 at 01:22:35PM -0200, Marcos Barbosa wrote:
> > I have a problem: I need to authenticate gnome-screensaver (via PAM)
> > with the LUKS password. How do I do that?
> >
> > Best regards.
> >
> > --
> > Marcos Barbosa <marcosestevesbarbosa@gmail.com>

--
Marcos Barbosa <marcosestevesbarbosa@gmail.com>

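The check asked for in both of Marcos's follow-ups (verify the passphrase, map nothing), as an added example that is not part of any message in this thread: a POSIX shell wrapper around `cryptsetup luksOpen --test-passphrase` that fails closed. It assumes a cryptsetup release that has that option, enough privilege to read the device, and a caller that supplies the passphrase as one line on stdin; the function names and `/dev/sdXN` are placeholders.

```shell
#!/bin/sh
# Added example: test a passphrase against a LUKS header without creating a
# device-mapper mapping. The passphrase arrives on stdin, never in argv, so it
# is not visible in the process list and is never held in a shell variable.

# check_luks_passphrase DEVICE
#   0 = passphrase opens a keyslot
#   1 = passphrase rejected
#   2 = check could not be performed (bad device, bad arguments, busy, ...)
check_luks_passphrase() {
    dev=$1
    [ -n "$dev" ] || return 2
    rc=0
    # stdin is inherited: cryptsetup reads the passphrase up to the newline.
    cryptsetup luksOpen --test-passphrase "$dev" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) return 0 ;;
        2) return 1 ;;  # cryptsetup exit code 2: no permission (bad passphrase)
        *) return 2 ;;  # 1, 3, 4, 5, 127...: an error, not a verdict
    esac
}

# unlock_decision DEVICE
#   Prints "unlock" only on a positive verification. A rejected passphrase and
#   a failed check both print "deny", so a broken check never opens the screen.
unlock_decision() {
    if check_luks_passphrase "$1"; then
        echo unlock
    else
        echo deny
    fi
}

# Stand-alone use (placeholder device name):
#   printf '%s\n' "$passphrase" | ./check-luks.sh /dev/sdXN
if [ "$#" -ge 1 ]; then
    [ "$(unlock_decision "$1")" = unlock ]
fi
```

Nothing is mounted or mapped, so the second mount point and its cleanup from the "fast test" idea are not needed.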