On Mon, 09 Jan 2017 23:58:11 +0100 Laurent Bigonville <bi...@debian.org> wrote:
> Hi,
>
> Since gdm 3.22, there is a new pam module that unlocks the gnome-keyring
> using the keyring using the password of the luks partition.
>
> The idea is that on a single user laptop, the user uses the same
> password for his encrypted root and user in addition to autologin.
>
> The pam module reads the kernel keyring to find that password with the
> following code:
>
>     serial = find_key_by_type_and_desc ("user", "cryptsetup", 0);
>     if (serial == 0)
>             return PAM_AUTHINFO_UNAVAIL;
>
>     r = keyctl_read_alloc (serial, &cached_password);
>
> So it would be nice if cryptsetup could store that password in the
> keyring after opening successfully the main luks partition.

Looking at systemd, I see that they are doing something similar:

serial = add_key("user", keyname, p, n, KEY_SPEC_USER_KEYRING);

with keyname="cryptsetup"

I see two options here: either debian/askpass.c is modified to call the add_key() function directly, or "--keyname=cryptsetup" is passed to systemd-ask-password.

Or the keyctl command line is used with something like: keyctl add user cryptsetup my_password @u
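
The store and lookup discussed in this thread, as an added example (not code from gdm, systemd or the cryptsetup package): it uses raw add_key/keyctl syscalls on the user keyring, then reads the key back by type and description. The function names, the "example-cryptsetup" description, the passphrase and the 150-second expiry are constructed for illustration; because the payload is the disk passphrase in clear, the key is given an expiry and invalidated once read.

```c
#define _GNU_SOURCE
#include <linux/keyctl.h>   /* KEY_SPEC_USER_KEYRING, KEYCTL_* */
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Producer side (the askpass role): put the passphrase in the user keyring
 * and let it expire after ttl seconds. Returns the key serial or -1. */
long store_passphrase(const char *desc, const char *pw, size_t n, long ttl)
{
    long id = syscall(SYS_add_key, "user", desc, pw, n, KEY_SPEC_USER_KEYRING);
    if (id > 0)
        syscall(SYS_keyctl, KEYCTL_SET_TIMEOUT, id, ttl);
    return id;
}

/* Consumer side (the PAM module role): find the key by type and description,
 * then read it. Returns the payload length, or -1 if the key is missing,
 * unreadable, or larger than the buffer. */
long load_passphrase(const char *desc, char *buf, size_t cap)
{
    long id = syscall(SYS_keyctl, KEYCTL_SEARCH, KEY_SPEC_USER_KEYRING,
                      "user", desc, 0);
    if (id <= 0)
        return -1;
    long n = syscall(SYS_keyctl, KEYCTL_READ, id, buf, cap);
    return (n < 0 || (size_t)n > cap) ? -1 : n;
}

/* Drop the key once it has been consumed so it does not linger. */
void discard_passphrase(long id)
{
    syscall(SYS_keyctl, KEYCTL_INVALIDATE, id);
}

int main(void)
{
    const char *desc = "example-cryptsetup";     /* constructed description */
    const char pw[] = "constructed-passphrase";  /* constructed value */
    char buf[128];

    long id = store_passphrase(desc, pw, sizeof pw - 1, 150);
    if (id < 0) { perror("add_key"); return 1; }
    long n = load_passphrase(desc, buf, sizeof buf);
    printf("key %ld: read %ld bytes\n", id, n);
    discard_passphrase(id);
    return (n == (long)(sizeof pw - 1) && memcmp(buf, pw, n) == 0) ? 0 : 1;
}
```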
