Re: PAM module for loading ZFS keys on login

From: Eric McCorkle <eric_at_metricspace.net>
Date: Mon, 6 Sep 2021 17:44:18 -0400
I looked at the upstream one too.

Mine is simple because I modified libzfs to be able to take the key
directly in the key location override argument.

If you look at my patch, it adds a "direct" key location, which
basically works like "direct:keydata", where "keydata" is your key.

In the case of the PAM module, this ends up being "direct:password".

It looks like they essentially pull in all the libzfs logic for
preparing keys.  If you notice, they go directly to lzc_load_key (that
is basically a thin wrapper around the ioctl).

It's worth noting that apparently they change the key to the dataset
when the user changes their password.

Anyway, I've seen enough.  I'm going to abandon the review for my PAM
module and use the upstream one.  I'm going to keep the review for the
autounmountd patch live, though.

On 9/6/21 2:53 PM, Steffen Nurpmeso wrote:
> Eric McCorkle wrote in
>  <e4a853db-f73b-a53d-c18a-22acb22b3d56_at_metricspace.net>:
>  ...
>   >> This patch creates a new PAM module that will load a ZFS key upon a
>   >> successful login: https://reviews.freebsd.org/D31844.  It will use the
>   >> user's auth token as the key argument to loading a ZFS encryption key on
>   >> a user-specific ZFS data set.
>   ...
> 
> Without knowing about libzfs i personally was stunned about the
> simplicity of your patch, having read the upstream one.
> 
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)
> 
Received on Mon Sep 06 2021 - 21:44:18 UTC

Original text of this message