From nobody Sun Sep 05 13:54:26 2021
X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id A013717AF35E;
	Sun,  5 Sep 2021 13:54:20 +0000 (UTC)
	(envelope-from eric@metricspace.net)
Received: from mail.metricspace.net (static-74-106-232-4.bltmmd.fios.verizon.net [74.106.232.4])
	by mx1.freebsd.org (Postfix) with ESMTP id 4H2Y172ct2z4mNl;
	Sun,  5 Sep 2021 13:54:19 +0000 (UTC)
	(envelope-from eric@metricspace.net)
Received: from [IPv6:2001:470:1f11:617:3210:b3ff:fe77:becd] (unknown [IPv6:2001:470:1f11:617:3210:b3ff:fe77:becd])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	(Authenticated sender: eric)
	by mail.metricspace.net (Postfix) with ESMTPSA id 0FA121208;
	Sun,  5 Sep 2021 13:54:13 +0000 (UTC)
To: FreeBSD Hackers <freebsd-hackers@freebsd.org>,
 freebsd-current <freebsd-current@freebsd.org>, freebsd-security@freebsd.org
From: Eric McCorkle <eric@metricspace.net>
Subject: PAM module for loading ZFS keys on login
Message-ID: <b4d216da-d4b8-12a6-3873-566e5044678c@metricspace.net>
Date: Sun, 5 Sep 2021 09:54:26 -0400
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:78.0) Gecko/20100101
 Thunderbird/78.12.0
List-Id: Technical discussions relating to FreeBSD <freebsd-hackers.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
List-Help: <mailto:freebsd-hackers+help@freebsd.org>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Subscribe: <mailto:freebsd-hackers+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-hackers+unsubscribe@freebsd.org>
Sender: owner-freebsd-hackers@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Rspamd-Queue-Id: 4H2Y172ct2z4mNl
X-Spamd-Bar: /
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	dmarc=none;
	spf=none (mx1.freebsd.org: domain of eric@metricspace.net has no SPF policy when checking 74.106.232.4) smtp.mailfrom=eric@metricspace.net
X-Spamd-Result: default: False [-0.71 / 15.00];
	 RCVD_VIA_SMTP_AUTH(0.00)[];
	 ARC_NA(0.00)[];
	 FREEFALL_USER(0.00)[eric];
	 FROM_HAS_DN(0.00)[];
	 RCPT_COUNT_THREE(0.00)[3];
	 TO_DN_SOME(0.00)[];
	 TO_MATCH_ENVRCPT_ALL(0.00)[];
	 MIME_GOOD(-0.10)[text/plain];
	 DMARC_NA(0.00)[metricspace.net];
	 AUTH_NA(1.00)[];
	 MID_RHS_MATCH_FROM(0.00)[];
	 NEURAL_HAM_LONG(-1.00)[-1.000];
	 NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	 NEURAL_SPAM_SHORT(0.29)[0.288];
	 R_SPF_NA(0.00)[no SPF record];
	 RCVD_NO_TLS_LAST(0.10)[];
	 FROM_EQ_ENVFROM(0.00)[];
	 R_DKIM_NA(0.00)[];
	 MIME_TRACE(0.00)[0:+];
	 ASN(0.00)[asn:701, ipnet:74.106.224.0/19, country:US];
	 RCVD_COUNT_TWO(0.00)[2];
	 MAILMAN_DEST(0.00)[freebsd-security]
X-ThisMailContainsUnwantedMimeParts: N

All,

This patch creates a new PAM module that will load a ZFS key upon a
successful login: https://reviews.freebsd.org/D31844.  It will use the
user's auth token as the key argument to loading a ZFS encryption key on
a user-specific ZFS data set.

This is the other side of my changeset to have autounmountd unload ZFS
keys when it unloads a filesystem.  (Here:
https://reviews.freebsd.org/D31725)  With these two changes, it should
be possible to have ZFS encrypted home directories with keys dynamically
loaded when users log in, and unloaded when their home directories are
unmounted.

Please review and comment.