From: Eric McCorkle
To: freebsd-current@freebsd.org, Greg, FreeBSD Hackers
Subject: Re: PAM module for loading ZFS keys on login
Date: Mon, 6 Sep 2021 17:44:18 -0400
Message-ID: <61e11d16-17d2-5f5e-a02a-ba1f1b56bbc7@metricspace.net>
In-Reply-To: <20210906185354.D5ymE%steffen@sdaoden.eu>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
I looked at the upstream one too. Mine is simple because I modified libzfs to be able to take the key directly in the key location override argument. If you look at my patch, it adds a "direct" key location, which basically works like "direct:keydata", where "keydata" is your key. In the case of the PAM module, this ends up being "direct:password".

It looks like they essentially pull in all the libzfs logic for preparing keys. If you notice, they go directly to lzc_load_key (that is basically a thin wrapper around the ioctl). It's worth noting that apparently they change the key to the dataset when the user changes their password.

Anyway, I've seen enough. I'm going to abandon the review for my PAM module and use the upstream one. I'm going to keep the review for the autounmountd patch live, though.

On 9/6/21 2:53 PM, Steffen Nurpmeso wrote:
> Eric McCorkle wrote in
>  :
> ...
> >> This patch creates a new PAM module that will load a ZFS key upon a
> >> successful login: https://reviews.freebsd.org/D31844. It will use the
> >> user's auth token as the key argument to loading a ZFS encryption key on
> >> a user-specific ZFS data set.
> ...
>
> Without knowing about libzfs I personally was stunned about the
> simplicity of your patch, having read the upstream one.
>
> --steffen
> |
> |Der Kragenbaer,                The moon bear,
> |der holt sich munter           he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)
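An added illustration of the "direct:keydata" key-location scheme the reply describes: this is constructed example code, not Eric's patch and not libzfs's own API. The `keyloc_kind_t` enum, `parse_keyloc()` and `build_direct_keyloc()` are assumed names; the only thing taken from the thread is the "direct:" prefix and the PAM module passing the auth token as "direct:password".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical key-location kinds; not libzfs's own enum. */
typedef enum { KL_INVALID = 0, KL_PROMPT, KL_FILE, KL_DIRECT } keyloc_kind_t;

typedef struct {
    keyloc_kind_t kind;
    const char *arg;    /* path for KL_FILE, key bytes for KL_DIRECT, else NULL */
    size_t arglen;
} keyloc_t;

/* Parse a key-location override string into its kind and payload.
 * Recognizes "prompt", "file://<path>" and the proposed "direct:<keydata>".
 * Returns 0 on success, -1 for an unknown scheme or an empty payload, so a
 * caller never ends up loading a zero-length key by accident. */
int parse_keyloc(const char *loc, keyloc_t *out)
{
    static const char file_pfx[] = "file://";
    static const char direct_pfx[] = "direct:";

    memset(out, 0, sizeof(*out));
    if (loc == NULL)
        return -1;
    if (strcmp(loc, "prompt") == 0) {
        out->kind = KL_PROMPT;
        return 0;
    }
    if (strncmp(loc, file_pfx, sizeof(file_pfx) - 1) == 0) {
        out->arg = loc + sizeof(file_pfx) - 1;
        out->arglen = strlen(out->arg);
        if (out->arglen == 0)
            return -1;          /* "file://" with no path */
        out->kind = KL_FILE;
        return 0;
    }
    if (strncmp(loc, direct_pfx, sizeof(direct_pfx) - 1) == 0) {
        out->arg = loc + sizeof(direct_pfx) - 1;
        out->arglen = strlen(out->arg);
        if (out->arglen == 0)
            return -1;          /* refuse an empty key */
        out->kind = KL_DIRECT;
        return 0;
    }
    return -1;                  /* unknown scheme */
}

/* PAM-side helper: form "direct:<authtok>" in a caller-owned buffer so the
 * key material can be zeroed once the key has been loaded. Returns the
 * length written, or -1 if the token does not fit (buffer left empty). */
int build_direct_keyloc(const char *authtok, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "direct:%s", authtok);
    if (n < 0 || (size_t)n >= buflen) {
        if (buflen > 0)
            buf[0] = '\0';
        return -1;
    }
    return n;
}
```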