coordination #9536
closed
Test all DMs for working encrypted home support
100%
Description
We are currently testing only the "encrypt all" scenario. But it seems few people are encrypting the home partition only.
We need to tweak the install phase to allow a disk layout change for encryption of home only.
Then we need a test for each DM (xdm/kdm/sddm/whatever) to see that they can still log in to the machine just fine.
This is a spin-off of bnc#954419.
Suggestions
- Cover three most common display managers: sddm, gdm, xdm
- Add a test suite that encrypts home for a user and then logs in to those three DMs
- Talk to Yast team to sync work.
Updated by RBrownSUSE about 9 years ago
- Category set to New test
- Priority changed from Normal to Low
- Target version set to 154
Updated by scarabeus_iv about 9 years ago
Copy from the bug:
To create the encrypted home, I just opened YAST, User and Group management, selected the user, Edit, and select to encrypt home, give a size, password is asked, and that's all.
One thing that never happens is that the user's files are moved. They are copied but remain in the home folder.
Updated by scarabeus_iv about 9 years ago
To create the encrypted home, I just opened YAST, User and Group management, selected the user, Edit, and select to encrypt home, give a size, password is asked, and that's all.
One thing that never happens is that the user's files are moved. They are copied but remain in the home folder.
This morning I added a comment but it is gone, so here again.
I fixed the problem by changing /etc/pam.d/sddm to
auth optional pam_mount.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_cryptpass.so
session optional pam_mount.so
The first line and last two lines were added, and since then I was able to log in.
What still is an issue is that the encrypted home is not properly dismounted after log out, which could result in corrupted files, as I discovered in earlier opensuse versions.
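A check that a per-display-manager test could run before attempting a login, added here as an example (it is not code from this ticket, the bug report or openQA): it resolves a PAM service file's include/substack lines and reports whether pam_mount.so is present in the auth and session stacks, the two places where the comment above added it for sddm. The xdm file and the common-* files are constructed samples, and `stack` and `pam_mount_gaps` are hypothetical helper names.

```python
import re

# Constructed sample of /etc/pam.d (file name -> text); not taken from a real host.
PAM_D = {
    "sddm": (  # the service file as given in the comment above
        "auth     optional pam_mount.so\n"
        "auth     include  common-auth\n"
        "account  include  common-account\n"
        "password include  common-password\n"
        "session  required pam_loginuid.so\n"
        "session  include  common-session\n"
        "session  optional pam_cryptpass.so\n"
        "session  optional pam_mount.so\n"
    ),
    "xdm": (  # constructed: a display manager file without the pam_mount lines
        "auth     include  common-auth\n"
        "session  required pam_loginuid.so\n"
        "session  include  common-session\n"
    ),
    "common-auth": "auth required pam_env.so\nauth required pam_unix.so try_first_pass\n",
    "common-account": "account required pam_unix.so\n",
    "common-password": "password required pam_unix.so\n",
    "common-session": "session required pam_limits.so\nsession required pam_unix.so\n",
}

# type, control (plain word or [bracketed list]), module path or included file
LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def stack(service, kind, pam_d, seen=()):
    """Modules run for `kind` in `service`, following include/substack."""
    if service in seen or service not in pam_d:  # include loop or missing file
        return []
    mods = []
    for raw in pam_d[service].splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != kind:
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            mods += stack(target, kind, pam_d, seen + (service,))
        else:
            mods.append(target.rsplit("/", 1)[-1])
    return mods

def pam_mount_gaps(service, pam_d):
    """Stacks (auth/session) of `service` in which pam_mount.so never runs."""
    return [k for k in ("auth", "session") if "pam_mount.so" not in stack(service, k, pam_d)]

print({dm: pam_mount_gaps(dm, PAM_D) or "ok" for dm in ("sddm", "xdm")})
```

An empty result for a display manager means pam_mount.so is reachable in both stacks, either directly or through an included common-* file.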
Updated by RBrownSUSE almost 9 years ago
- Checklist item changed from to [ ] TW, [ ] SLE, [ ] Leap
- Target version deleted (154)
Updated by RBrownSUSE almost 9 years ago
- Assignee set to dheidler
- Priority changed from Low to Normal
Updated by dheidler over 8 years ago
- File j.log added
- Subject changed from Test all DMs for working encrypted home support to [BLOCKED] Test all DMs for working encrypted home support
Blocked on bnc#954419.
Also I tried it with tumbleweed:
- I created a user 'tux'
- I changed its home to encrypted using yast
- I rebooted
- I cannot login using gdm (It asks me for 2 passwords: pam and keyfile and then behaves as described in bnc#954419)
- I can login to tty but I seem to get the old unencrypted version of the home directory (with the files I created before setting the home to encrypted). Also I get error messages (see attached log).
Updated by okurz over 7 years ago
So the bug is still open and it looks like it will never be fixed. @dheidler, what do you propose?
Updated by dheidler over 7 years ago
If the bug won't get fixed, we can't do anything but drop the feature.
Updated by scarabeus_iv over 7 years ago
dheidler wrote:
If the bug won't get fixed, we can't do anything but drop the feature.
As the bug still talks about gdm only why didn't you put the information it fails on gdm too there?
Also maybe it could be reassigned to pam people...
Updated by scarabeus_iv over 7 years ago
I mean the bug now describes the issue only on sddm.
Updated by okurz over 6 years ago
- Related to action #29986: [functional][u][opensuse][hard]test fails in multi_users_dm added
Updated by okurz over 6 years ago
- Subject changed from [BLOCKED] Test all DMs for working encrypted home support to [functional][u] Test all DMs for working encrypted home support
- Target version set to future
Let's put it on the QSF backlog
Updated by okurz almost 6 years ago
- Checklist item changed from [ ] TW, [ ] SLE, [ ] Leap to
- Priority changed from Normal to Low
let's focus more on improving our current tests and workflows first. Putting to "holding tank" :)
Updated by szarate over 4 years ago
- Priority changed from Low to High
- Target version changed from future to Milestone 30
Let's look at this for the next grooming session perhaps? ask the y team about possible scenarios already implemented
Updated by szarate over 4 years ago
Spoke to Rodion, they don't have said scenarios, so we could simply create them, but he's also proposing to automate them with autoyast (which is a great idea)
A quick idea:
- gnome + separate home encrypted on btrfs with snapshots
- minimal x + lvm with encrypted separate home + xfs
Having HDD with these on the functional job group we could spin up other tests that touch the x11 applications mostly, and maybe things like evolution (although SLED might have more interest?)
Updated by riafarov over 4 years ago
After discussion with Yifan, we will wait for the feedback to know if such scenario is supported and if so what are expectations and then act on this accordingly.
Updated by SLindoMansilla over 4 years ago
- Description updated
- Status changed from New to Workable
- Estimated time set to 42.00 h
Updated by szarate over 4 years ago
- Status changed from Workable to New
- Estimated time deleted (42.00 h)
For now, we're waiting on Yifan's feedback. Kicking this back to the backlog
Updated by yfjiang over 4 years ago
Hi folks,
Checked with release and product side, and talked to people who had experiences with this. The encrypted home is indeed a supported use case for SLED, though the techniques of implementing it evolve.
Thank you for bringing it up, it is worthy of doing, and I think the implementation timeline is best scheduled by the agile team :-) Hope the information helps.
Updated by riafarov over 4 years ago
- Target version changed from Milestone 30 to Milestone 33
yfjiang wrote:
Hi folks,
Checked with release and product side, and talked to people who had experiences with this. The encrypted home is indeed a supported use case for SLED, though the techniques of implementing it evolve.
Thank you for bringing it up, it is worthy of doing, and I think the implementation timeline is best scheduled by the agile team :-) Hope the information helps.
Hi Yifan! Thanks a lot for the confirmation! We can start with SLES+WE which will be easy to migrate to SLED afterwards.
Updated by szarate over 4 years ago
@Rodion, would you like to move forward with the autoyast approach? This sparked the idea to have an autoyast workshop for the QSFU team, and would then... be a perfect candidate, wdyt?
Updated by riafarov over 4 years ago
- Subject changed from [functional][u] Test all DMs for working encrypted home support to [functional][epic][u][y] Test all DMs for working encrypted home support
- Assignee set to riafarov
- Target version changed from Milestone 33 to Milestone 35+
szarate wrote:
@Rodion, would you like to move forward with the autoyast approach? This sparked the idea to have an autoyast workshop for the QSFU team, and would then... be a perfect candidate, wdyt?
I will convert this one in epic and create subtasks for autoyast for now and we can proceed from there. I did some autoyast sessions before, so even have some slides. Will talk to Mazte to organize it, sounds like a good idea.
Updated by riafarov over 4 years ago
- Due date changed from 2020-04-21 to 2020-05-05
due to changes in a related task
Updated by riafarov over 4 years ago
- Due date changed from 2020-05-05 to 2020-05-19
due to changes in a related task: #65172
Updated by ybonatakis over 4 years ago
- Due date changed from 2020-05-19 to 2020-05-05
due to changes in a related task: #65172
Updated by ybonatakis over 4 years ago
- Due date changed from 2020-05-05 to 2020-05-19
- Start date changed from 2020-04-02 to 2020-05-05
due to changes in a related task: #65172
Updated by riafarov over 4 years ago
- Target version changed from Milestone 35+ to SLE 15 SP3
Updated by riafarov over 4 years ago
- Due date changed from 2020-05-19 to 2020-09-08
due to changes in a related task: #66862
Updated by riafarov over 4 years ago
- Due date changed from 2020-09-08 to 2020-09-22
due to changes in a related task: #66862
Updated by riafarov about 4 years ago
- Project changed from openQA Tests (public) to qe-yam
- Category deleted (New test)
Updated by riafarov about 4 years ago
- Project changed from qe-yam to openQA Tests (public)
Updated by szarate about 4 years ago
- Tracker changed from action to coordination
Updated by szarate about 4 years ago
See for the reason of tracker change: http://mailman.suse.de/mailman/private/qa-sle/2020-October/002722.html
Updated by riafarov about 4 years ago
- Project changed from openQA Tests (public) to qe-yam
Updated by riafarov about 4 years ago
- Subject changed from [functional][epic][u][y] Test all DMs for working encrypted home support to Test all DMs for working encrypted home support
- Target version changed from SLE 15 SP3 to future
Gnome is covered, other DMs are low prio at the moment.
Updated by oorlov almost 3 years ago
- Assignee changed from oorlov to JERiveraMoya