Control: tags -1 + moreinfo

On Thu, 22 Apr 2021 at 09:37:19 +0100, Simon McVittie wrote:
> On Wed, 21 Apr 2021 at 08:33:01 +0200, intrig...@debian.org wrote:
> > On LUKS-encrypted systems, by default the GNOME keyring is encrypted
> > using the LUKS passphrase typed on boot. pam_gdm unlocks the keyring
> > using that passphrase. So far, so good.
>
> Does testing this require any particular system configuration, for example
> enabling autologin in gdm, or having the logging-in user's Unix password
> be the same as the LUKS passphrase, or having LUKS v2 rather than LUKS v1?

Sorry, I can't work out how to get a system where the bug you reported
would even be relevant. At this stage in the release process I am reluctant
to apply changes that I can't test - please could you describe how I can?

Here are some attempts that I made to reproduce your setup:

- Configure a new VM in virt-manager
- Boot from firmware-bullseye-DI-rc1-amd64-netinst.iso
- Create uid 1000 named 'user' with password 'user'
- Use guided partitioning with encrypted LVM, setting passphrase 'luks'
- Install GNOME
- Reboot to installed system
- Power off without logging in
- Copy the disk image

- Restore copied disk image
- Log in to gdm as 'user' with password 'user'
- Run seahorse
- Lock login keyring
- Unlock login keyring
- Password 'luks' does not unlock it, as expected
- Password 'user' unlocks it, as expected

- Restore copied disk image
- Log in on console as root
- vi /etc/gdm3/daemon.conf, configure like this:
    [daemon]
    AutomaticLoginEnable = true
    AutomaticLogin = user
- Reboot
- Run seahorse
- No login keyring was created at all

- Restore copied disk image
- Log in on console as root
- vi /etc/gdm3/daemon.conf, configure like this:
    [daemon]
    TimedLoginEnable = true
    TimedLogin = user
    TimedLoginDelay = 5
- Reboot
- Run seahorse
- No login keyring was created at all

... and none of them seem to be using the LUKS passphrase to create a
gnome-keyring login keyring.

How do I get to a system configuration where pam_gdm matters?

Thanks,
    smcv