On Fri Aug 28 18:21:08 UTC 2009 Kees Cook wrote:
> On Fri, Aug 28, 2009 at 01:33:11PM -0000, James Westby wrote:
> > I'm pretty certain that if we just pass the new password to pam then it
> > can do the rest. I believe that using "sudo passwd <user>" doesn't break
> > eCryptfs.
>
> Unfortunately, AFAIK, that does break it -- it must be the user themselves
> calling "passwd" since then PAM will prompt for the old password to
> pass through the PAM stack. eCryptfs (and potentially other things)
> use it to decrypt the mount passphrase, and then re-encrypt it with the
> new PAM password.
Ah, my apologies.
So changing gst to use pam buys us nothing over just special casing the
current user?
Thanks,
James
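To make Kees's point concrete, here is an added, simplified model of a wrapped mount passphrase (this is illustrative code written for this archive page, not eCryptfs's real on-disk format or the thread's own code; the function names `wrap`, `unwrap`, `rewrap` and `root_password_change_breaks_mount` are assumed). The rewrap step needs the old login password, which only the user-driven PAM password stack ever sees; a root-side `sudo passwd <user>` supplies just the new one, so the stored blob stays locked under the old password.

```python
import hashlib
import hmac
import os

# Simplified model (not the eCryptfs format): a random mount passphrase is
# encrypted under a key derived from the login password, with an HMAC tag so
# that a wrong password is detected instead of yielding garbage.
ITERATIONS = 10_000  # low for the demo; real KDFs use far more work

def _derive(password: str, salt: bytes, length: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=length)

def wrap(mount_passphrase: bytes, login_password: str) -> dict:
    salt = os.urandom(16)
    n = len(mount_passphrase)
    keystream = _derive(login_password, salt, n + 32)
    enc_key, mac_key = keystream[:n], keystream[n:]
    ciphertext = bytes(a ^ b for a, b in zip(mount_passphrase, enc_key))
    tag = hmac.new(mac_key, salt + ciphertext, "sha256").digest()
    return {"salt": salt, "ct": ciphertext, "tag": tag}

def unwrap(wrapped: dict, login_password: str) -> bytes:
    n = len(wrapped["ct"])
    keystream = _derive(login_password, wrapped["salt"], n + 32)
    enc_key, mac_key = keystream[:n], keystream[n:]
    expected = hmac.new(mac_key, wrapped["salt"] + wrapped["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, wrapped["tag"]):
        raise ValueError("wrong login password: cannot unwrap mount passphrase")
    return bytes(a ^ b for a, b in zip(wrapped["ct"], enc_key))

def rewrap(wrapped: dict, old_password: str, new_password: str) -> dict:
    # What the PAM password stack does on the user's behalf: decrypt with the
    # OLD password (prompted from the user), re-encrypt with the NEW one.
    return wrap(unwrap(wrapped, old_password), new_password)

def root_password_change_breaks_mount(wrapped: dict, new_password: str) -> bool:
    # Models "sudo passwd <user>": the account password is replaced but the
    # wrapped passphrase is untouched, so the next login cannot unwrap it.
    try:
        unwrap(wrapped, new_password)
        return False
    except ValueError:
        return True
```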