Bugzilla – Full Text Bug Listing

| Summary: | cannot add user with encrypted home | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE 11.0 | Reporter: | Thomas Schmidt <tschmidt> |
| Component: | YaST2 | Assignee: | Karl Eichwalder <ke> |
| Status: | RESOLVED FIXED | QA Contact: | Jiri Srain <jsrain> |
| Severity: | Major | | |
| Priority: | P5 - None | CC: | jengelh, jsrain, jsuchome, ke, mc, taroth |
| Version: | Beta 3 | | |
| Target Milestone: | RC 3 | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | error window, y2logs | | |
Comment 0:
Created attachment 215611 [details]
error window

When I try to add a user with 'yast2 users' and select encrypted home, it fails with the attached error message. Maybe somehow related to the thinkfinger pam module.

Comment 1:
Created attachment 215613 [details]
y2logs

Comment 2:
Michael?

Comment 3:
This message is from pam-config. You cannot have pam_mount and pam_thinkfinger at the same time. Maybe the yast module should try to disable pam_thinkfinger if a user requested encrypted home partitions.

Comment 4:
This is bad. Why is it not possible? This looks like a bug in pam_whatever. Anyway, I can't really silently disable some service that is already configured. The easy part would be: if pam_thinkfinger is configured, do not allow encrypted directories. But the user should know why it is not possible (and we can't add new texts now, can we?) The other way is: do not allow pam_thinkfinger when pam_mount is configured. Does it mean that even installing pam_thinkfinger fails (because it does PAM configuration in the post-script)? On the YaST side, again the thinkfinger configuration should be disabled (btw, how do I check that pam_mount is configured, in order to disable it? Does it mean the "volume" section is defined?)

Comment 5:
Hm, OK, encrypted dirs are locked with the password, not the fingerprint. Michael, please answer the last question about a correct check for configured pam_mount. Karl, looks like some new texts will be necessary.

Comment 6:
I think yast has an agent for pam-config. pam-config has a query option.

    # enabled
    $> pam-config -q --thinkfinger
    auth:
    account:
    password:
    session:
    $>
    # disabled
    $> pam-config -q --thinkfinger
    $>

Have a look at how the pam agent supports this.

Comment 7:
Yes, I know how to check if thinkfinger is enabled; I'm asking how to check if pam_mount is, for the case that there already are encrypted directories enabled and the user tries to enable thinkfinger via YaST. Should I just check "pam-config -q --mount" (or something similar), or should I parse pam_mount.conf.xml for something specific (as I'm doing it to get the information about users' homes)?

Comment 8:
Ahh, sorry. pam_mount has special handling in pam-config, so the command is a little bit different. But checking via pam-config is ok. pam_mount is configured only in some special pam service files, not in the common-XXX-pc files. You have to query the services explicitly. Example:

    $> pam-config --service xdm -q --mount

Normally encrypted home partitions are configured using cryptconfig. cryptconfig has a config file where it is configured which services should be changed. But I think it is ok to check against a fixed list:

    gdm;login;kdm;xdm;sudo

Call pam-config 5 times with the different values for --service above. If any of these queries returns that it is enabled, then it is enabled. Parsing pam_mount.conf.xml is not needed.

Comment 9:
So, what about this message, shown in case the user starts yast2 fingerprint-reader and has pam_mount configured: "Fingerprint reader device cannot be used when encrypted directories are present." (Adding Tanja: additionally, is it possible to mention in the manual that those 2 features cannot work together?) Or "Fingerprint reader device cannot be used when encrypted directories are used". I don't know what is better.

Comment 10:
Re:#9: sorry, we are past any authoring or localization deadline for the 11.0 manuals, so we can only add a note to the release notes for now. Karl, can you please add this to the current release notes? I'll make a note to add this to the manuals for the next revision, unless the problem can be solved technically until then. Thanks.

Comment 11:
I added the check and a new text into yast2-fingerprint-reader-2.16.8. And the other part is done in yast2-users-2.16.31.

Comment 12:
@tanja, yes that's fine. Reopening, so I do not forget about it.

Comment 13:
I'm going to add this small snippet:

    <!-- Bug 390810 -->
    <sect3 id="fingerprint-crypt" status="2008-05-20">
      <title>Fingerprint Reader Devices and Encrypted Directories</title>
      <para>Fingerprint reader devices cannot be used when directories are encrypted.</para>
    </sect3>

Comment 14:
done. -> /work

Comment 15:
*** Bug 395125 has been marked as a duplicate of this bug. ***

Comment 16:
Ladislav complains that the RN entry is too short (bug 395125):

    There is this paragraph in Rel. Notes:
    --
    Fingerprint Reader Devices and Encrypted Directories
    Fingerprint reader devices cannot be used when directories are encrypted.
    --
    But this information is too generic. Couldn't it be more specific about which directories should not be encrypted? Just home directories or system directories? Or any? I have no idea how it works, and neither do many users.
    =========================================================================

What do you think?

Comment 17:
*** Bug 395125 has been marked as a duplicate of this bug. ***

Comment 18:
IMHO this is only related to home directories, as pam_thinkfinger provides access to them when the user tries to log in (using a finger[print]), but they are encrypted using the password. Michael, could you help with the release notes text?

Comment 19:
To play safe, I'll add "such as home directories" for the moment.

Comment 20:
Well, you can decrypt any directory on your local machine using pam_mount, but it is often used for home directories, and YaST only supports home directories. The real problem is that you cannot use pam_thinkfinger together with pam_mount, but I think this is too abstract for a user. Maybe we can say something like this? You cannot decrypt directories during login if you use the Fingerprint reader.

Comment 21:
We need it more positive ;) Thus I propose this version:

    <!-- Bug 390810 -->
    <sect3 id="fingerprint-crypt" status="2008-05-30">
      <title>Fingerprint Reader Devices and Encrypting Directories</title>
      <para>If you want to use a fingerprint reader device, you must not encrypt the home directory. Otherwise logging in will fail, because decrypting during login is not possible in combination with an active fingerprint reader device.</para>
      <para>To work around this limitation, set up a separate directory outside of the home directory and encrypt it manually.</para>
    </sect3>

-> /work

Comment 22:
forgot to click "fixed"...

Comment 23:
> Hm, OK, encrypted dirs are locked with the password, not the fingerprint.

This does not mean you could not use your finger as a key to your personal volume ;-) though leaving your fingerprints on every surface would kinda void the security of the volume.
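The pam_mount check Michael describes above (query pam-config once per service for the fixed list gdm, login, kdm, xdm, sudo; pam_mount counts as enabled if any query reports it), written out as an added shell example. This is not code from the bug, from pam-config or from YaST. The `pam-config --service SERVICE -q --mount` invocation is the one shown in the thread; treating an empty query result as "disabled" and any printed `type:` lines as "enabled" is generalized from the `-q --thinkfinger` example in the thread and is an assumption here, as is the `PAM_CONFIG` variable, which only exists so that a stand-in command can be substituted for offline testing.

```shell
#!/bin/sh
# Added example (not part of the bug or of YaST): decide whether pam_mount is
# active by querying pam-config per service, as described in the thread.
# PAM_CONFIG is an assumption of this example (lets a caller substitute a
# stand-in for the real binary); the service list is the fixed list from the
# thread: gdm;login;kdm;xdm;sudo.
PAM_CONFIG="${PAM_CONFIG:-pam-config}"
PAM_MOUNT_SERVICES="gdm login kdm xdm sudo"

# pam_mount_enabled_for SERVICE
# Exit 0 when `pam-config --service SERVICE -q --mount` prints anything
# (enabled modules are listed as "auth:", "account:", ... lines), 1 when the
# query prints nothing (disabled) or the command itself fails.
pam_mount_enabled_for() {
    out=$("$PAM_CONFIG" --service "$1" -q --mount 2>/dev/null) || return 1
    [ -n "$out" ]
}

# pam_mount_enabled
# Exit 0 if pam_mount is enabled for any service in the fixed list, printing
# the first matching service so a message can name it; exit 1 if none match.
pam_mount_enabled() {
    for svc in $PAM_MOUNT_SERVICES; do
        if pam_mount_enabled_for "$svc"; then
            printf '%s\n' "$svc"
            return 0
        fi
    done
    return 1
}

# Usage: the check a fingerprint-reader setup would run before enabling
# pam_thinkfinger, with the message text proposed in the thread.
if svc=$(pam_mount_enabled); then
    echo "Fingerprint reader device cannot be used when encrypted directories are present (pam_mount is enabled for service '$svc')."
else
    echo "pam_mount is not enabled for any of: $PAM_MOUNT_SERVICES"
fi
```

On a system without pam-config the script simply reports pam_mount as not enabled, because a failing query is treated the same as an empty one; a YaST-side check would rather want to distinguish "tool missing" from "disabled", which is the one refinement this example leaves out.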