Features/EcryptfsAuthConfig

From FedoraProject

< Features(Difference between revisions)
Jump to: navigation, search
(How To Test)
Line 18: Line 18:
 
== Current status ==
 
== Current status ==
 
* Targeted release: [[Releases/15|Fedora 15]]  
 
* Targeted release: [[Releases/15|Fedora 15]]  
* Last updated: 2010-12-22
+
* Last updated: 2011-02-09
* Percentage of completion: 80%
+
* Percentage of completion: 95%
  
 
== Detailed Description ==
 
== Detailed Description ==
Line 56: Line 56:
  
 
== Contingency Plan ==
 
== Contingency Plan ==
The feature touches several independent packages, but all patches have precise dependencies included in their bugzilla entries (see [https://bugzilla.redhat.com/showdependencytree.cgi?id=486152 here]).  In case the feature will not be available for F15, it is possible to either revert changes that were already included, or leave them inIn the latter case the changes will be unnecessary, but will not break anything.
+
All patches have been committed to Rawhide in time for F15 branch, except the one for gdmSo ecryptfs as of February 9, 2011 won't work for graphical logins.  This is a bug and it should be fixed before the release.  If it is not fixed, the feature should not be considered complete and should not be included in the release notes.
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan? This might be as simple as "None necessary, revert to previous release behaviour." Or it might not.  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy. -->
+
  
 
== Documentation ==
 
== Documentation ==

Revision as of 12:25, 9 February 2011


Contents

Support for ecryptfs in authconfig

Summary

Authconfig will allow the system administrator to configure automatic mounting of an encrypted area in each user's home directory.

Owner

Current status

  • Targeted release: Fedora 15
  • Last updated: 2011-02-09
  • Percentage of completion: 95%

Detailed Description

pam_ecryptfs is a PAM module that allows to mount a private part of the home directory (or the entire home directory) when a user logs in. However, using pam_ecryptfs in Fedora <=14 is complicated by the configuration style adopted by authconfig. This feature aims at simplifying this across various PAM users and integrating ecryptfs support into authconfig.

Benefit to Fedora

ecryptfs is a useful tool, but it is hard to configure under Fedora. Compared to encrypted partitions, for example, it easily lets the user do encrypted backups.

Scope

Changes are required to PAM, authconfig, and several pam users. All of these have been identified and patches posted to Bugzilla:


How To Test

  1. Add yourself to the ecryptfs group.
  2. Set up an ecryptfs private area under ~/Private using ecryptfs-setup-private.
  3. Mount it with ecryptfs-mount-private and create a few files in it. Unmount it with ecryptfs-umount-private.
  4. Enable ecryptfs using authconfig (e.g. setting USEECRYPTFS=yes under /etc/sysconfig/authconfig and rerunning authconfig-tui --updateall)
  5. Log out and log back in.
  6. mount should show an ecryptfs mount for ~/Private and the files you created in step 3 should show up.
  7. Log out and log in as root.
  8. The ecryptfs mount should not be there anymore.

Contingency Plan

All patches have been committed to Rawhide in time for F15 branch, except the one for gdm. So ecryptfs as of February 9, 2011 won't work for graphical logins. This is a bug and it should be fixed before the release. If it is not fixed, the feature should not be considered complete and should not be included in the release notes.

Documentation

  • pam_ecryptfs(8) man page (note the man page is a bit Ubuntu-centric, we do not have /etc/pam.d/common-auth and the Fedora implementation will be different in order to support authconfig)

Release Notes

Fedora 15 brings in improved support for eCryptfs, a stacked cryptographic filesystem for Linux. Starting from Fedora 15, authconfig can be used to automatically mount a private encrypted part of the home directory when a user logs in.

Comments and Discussion