From Fedora Project Wiki
(Moved to FeatureAcceptedF15 category per 2011/01/05 meeting)
(100% :))
 
(5 intermediate revisions by the same user not shown)
Line 18: Line 18:
== Current status ==
== Current status ==
* Targeted release: [[Releases/15|Fedora 15]]  
* Targeted release: [[Releases/15|Fedora 15]]  
* Last updated: 2010-12-22
* Last updated: 2011-02-09
* Percentage of completion: 30%
* Percentage of completion: 100%


== Detailed Description ==
== Detailed Description ==
Line 29: Line 29:


== Scope ==
== Scope ==
Changes are required to PAM, authconfig, and several pam users.  All of these have been identified.
Changes are required to PAM, authconfig, and several pam users.  All of these have been identified and patches posted to Bugzilla:
* https://bugzilla.redhat.com/show_bug.cgi?id=665061 (gdm)
* https://bugzilla.redhat.com/show_bug.cgi?id=665062 (util-linux)
* https://bugzilla.redhat.com/show_bug.cgi?id=665063 (passwd)
* https://bugzilla.redhat.com/show_bug.cgi?id=486152 (authconfig)
 
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->


== How To Test ==
== How To Test ==
# Set up an ecryptfs private area under ~/Private using ecryptfs-setup-private.
# Add yourself to the ecryptfs group.
# Enable ecryptfs using authconfig (e.g. setting USE_ECRYPTFS=yes under /etc/sysconfig/authconfig and rerunning <tt>authconfig-tui --updateall</tt>)
# Set up an ecryptfs private area under ~/Private using <tt>ecryptfs-setup-private</tt>.
# Mount it with <tt>ecryptfs-mount-private</tt> and create a few files in it.  Unmount it with <tt>ecryptfs-umount-private</tt>.
# Enable ecryptfs using authconfig (e.g. setting <tt>USEECRYPTFS=yes</tt> under /etc/sysconfig/authconfig and rerunning <tt>authconfig-tui --updateall</tt>)
# Log out and log back in.
# Log out and log back in.
# <tt>mount</tt> should show an ecryptfs mount for ~/Private.
# <tt>mount</tt> should show an ecryptfs mount for ~/Private and the files you created in step 3 should show up.
# Log out and log in as root.
# The ecryptfs mount should not be there anymore.
<!-- This does not need to be a full-fledged document.  Describe the dimensions of tests that this feature is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be.  
<!-- This does not need to be a full-fledged document.  Describe the dimensions of tests that this feature is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate them.  The more specific you can be, the better the community testing can be.  


Line 47: Line 56:


== Contingency Plan ==
== Contingency Plan ==
The feature touches several independent packages, but all patches have precise dependencies included in their bugzilla entries (see [https://bugzilla.redhat.com/showdependencytree.cgi?id=486152 here]).  In case the feature will not be available for F15, it is possible to either revert changes that were already included, or leave them in.  In the latter case the changes will be unnecessary, but will not break anything.
All patches have been committed to Rawhide in time for F15 branch.  In case any problems are found during testing, the feature should not be considered complete and should not be included in the release notesThe changes in bug 486152 could be reverted, but that's not absolutely necessary.
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "None necessary, revert to previous release behaviour."  Or it might not. If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->


== Documentation ==
== Documentation ==

Latest revision as of 08:13, 15 February 2011


Support for ecryptfs in authconfig

Summary

Authconfig will allow the system administrator to configure automatic mounting of an encrypted area in each user's home directory.

Owner

Current status

  • Targeted release: Fedora 15
  • Last updated: 2011-02-09
  • Percentage of completion: 100%

Detailed Description

pam_ecryptfs is a PAM module that allows to mount a private part of the home directory (or the entire home directory) when a user logs in. However, using pam_ecryptfs in Fedora <=14 is complicated by the configuration style adopted by authconfig. This feature aims at simplifying this across various PAM users and integrating ecryptfs support into authconfig.

Benefit to Fedora

ecryptfs is a useful tool, but it is hard to configure under Fedora. Compared to encrypted partitions, for example, it easily lets the user do encrypted backups.

Scope

Changes are required to PAM, authconfig, and several pam users. All of these have been identified and patches posted to Bugzilla:


How To Test

  1. Add yourself to the ecryptfs group.
  2. Set up an ecryptfs private area under ~/Private using ecryptfs-setup-private.
  3. Mount it with ecryptfs-mount-private and create a few files in it. Unmount it with ecryptfs-umount-private.
  4. Enable ecryptfs using authconfig (e.g. setting USEECRYPTFS=yes under /etc/sysconfig/authconfig and rerunning authconfig-tui --updateall)
  5. Log out and log back in.
  6. mount should show an ecryptfs mount for ~/Private and the files you created in step 3 should show up.
  7. Log out and log in as root.
  8. The ecryptfs mount should not be there anymore.

Contingency Plan

All patches have been committed to Rawhide in time for F15 branch. In case any problems are found during testing, the feature should not be considered complete and should not be included in the release notes. The changes in bug 486152 could be reverted, but that's not absolutely necessary.

Documentation

  • pam_ecryptfs(8) man page (note the man page is a bit Ubuntu-centric, we do not have /etc/pam.d/common-auth and the Fedora implementation will be different in order to support authconfig)

Release Notes

Fedora 15 brings in improved support for eCryptfs, a stacked cryptographic filesystem for Linux. Starting from Fedora 15, authconfig can be used to automatically mount a private encrypted part of the home directory when a user logs in.

Comments and Discussion

Retrieved from "https://fedoraproject.org/w/index.php?title=Features/EcryptfsAuthConfig&oldid=221211"