Hi!
I had an idea this weekend and I'm wondering if anybody had the idea before
me and already implemented it. First some background...
What I have here is a setup with an encrypted home directory, which seems
like a good idea, in particular for portable data which this is about. One
thing that bothers me is that I have to mount it during boot, while I would
like to postpone that to the time I log in. So, the login-manager should
actually ask me for the passphrase to decrypt the partition. However, if I
had that running, I would still wonder why I have to first enter a password
and then enter a passphrase. One of the two should be enough.
So, what I'm thinking could work is something like this:
1. Authentication doesn't use a password but a pair of keys, similar to SSH.
One of the keys is stored on the encrypted partition, the other on the
system. The user thus authenticates by providing the passphrase to the
partition and thus providing the secret key. Obviously, this means that you
_must_ use an encrypted partition. I could imagine additional partitions
though which are not all encrypted, or an encrypted filesystem inside a file
on a non-encrypted one.
2. The secret key is generated and stored when the system and the partition
are introduced to each other. This is like Bluetooth pairing, though a bit
more permanent. This is also the only time that write access (read: root
access) to the host system is required.
3. You reserve a user-ID for a pluggable user. Every user (think public
computer room in a university) will run locally as this user. Their home
partition must be mounted in a way that maps any stored UIDs/GIDs to that
one. Optionally, the info in the normal user database is updated, so that
finger works, but generally I wouldn't bother, because few people care
nowadays.
4. No write access outside their own partition. This means that
TMP/TEMP/TMPDIR/TEMPDIR must be set to e.g. ~/tmp. Programs that give a fuck
about this must either be SUID or they will fail (and deserve the ensuing
shame/bug report).
5. Obviously, one home partition should not match exclusively to one
computer where it can be plugged in, so you can use your data at home just
like at work. Rather, a pluggable partition can be paired with multiple
computers without them interfering with each other.
6. The data is stored in normal files on the filesystem. If a user decides
they need a bigger home dir, they can change that without any admin help by
just copying the data. Similarly, any backup responsibility rests on the
user's shoulders.
7. Unplugging the medium should suspend or at least terminate all user
processes. The simple reason is that the next user will run under the host's
same UID. Maybe a chroot-style enclosing would provide additional separation
and allow the aforementioned programs that don't honour $TEMPDIR to run.
Now, my questions:
1. Can anyone see any showstopping drawbacks in the idea?
2. Do you know of any project with a similar goal? Maybe even existing and
working implementations of the idea?
3. In case you know of a better place to ask (I'm unhappy with the Linux
part, since it should be portable beyond that and with both the apps/system
part since neither is totally suitable) I'm happy with suggestions.
Cheers!
Uli
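A minimal model of steps 1, 2 and 5 above (pair once, then authenticate by challenge-response with the key that lives on the unlocked partition, and pair the same partition with several hosts), as an added example that is not part of the original post or of any existing project. It uses Go's standard-library Ed25519; HomePartition, HostStore, Pair and Login are hypothetical names, and the partition's unlocked state is simulated by a flag rather than a real mount.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// HomePartition stands in for the decrypted home directory: the secret key
// is only usable once the user has supplied the passphrase (Unlocked).
type HomePartition struct {
	Unlocked bool
	PrivKey  ed25519.PrivateKey
}

// HostStore is one host's pairing database (hypothetical): the public half
// of each paired partition's key, indexed by the label the host assigns it.
type HostStore map[string]ed25519.PublicKey

// Pair is the once-only "introduction" (needs root on the host). The key pair
// is generated the first time a partition is paired; later pairings with
// other hosts reuse it, so one partition can be paired with many hosts.
func Pair(store HostStore, label string, home *HomePartition) error {
	if !home.Unlocked {
		return errors.New("partition must be unlocked to store the secret key")
	}
	if home.PrivKey == nil {
		_, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return err
		}
		home.PrivKey = priv
	}
	store[label] = home.PrivKey.Public().(ed25519.PublicKey)
	return nil
}

// Login replaces the password prompt: the host draws a fresh nonce, the
// unlocked partition signs it, and the host verifies with the paired key.
func Login(store HostStore, label string, home *HomePartition) (bool, error) {
	pub, ok := store[label]
	if !ok {
		return false, errors.New("partition not paired with this host")
	}
	if !home.Unlocked || home.PrivKey == nil {
		return false, errors.New("partition locked: secret key unavailable")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	return ed25519.Verify(pub, nonce, ed25519.Sign(home.PrivKey, nonce)), nil
}
```

Because only the public half leaves the partition, a compromised host database lets an attacker accept logins from no one; the secret never reaches the host.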
Consider use of or integration with NIS, automount, and PAM.
Redesign any part of your system that is "one only" or "once only"
as in the Bluetooth-like pairing or only one of these users on at once.