0

Is it possible to set the LUKS key of a specific slot to the user password? So if user bob has a password of 12345 I want to set slot#2 to 12345.

I know I can set the key of a specific slot using cryptsetup luksAddKey /dev/sda5 -S 2, but how do I get the password of the user?

ChaChaPoly

3 Answers

2

I think https://github.com/google/pam-cryptsetup can do what you want.

Edit: + you can achieve the same with systemd and PAM alone

Osqui
1

Basically you have two choices:

  1. Query an LDAP server to get the current password of the user that logs in
  2. Use ecryptfs to encrypt your home directory and interact with PAM

Option 1 leaves you with a messy crypttab script and configuration setup, as well as the need to switch your entire authentication scheme to LDAP.

Option 2 is the most common way to have an encrypted home directory in current Linux distributions, but forces you to ditch LUKS.

mojo
0

There is no way to get the password of a user (but you can use something like John the Ripper to try to guess it, but if it is good, your efforts will be wasted). The only possibly reliable way to achieve what you want is if LUKS can use the same hashing as is used in /etc/shadow (I don't know if it can), and if so, find a way to put that into the right place in the LUKS header.

  • This answer is misleading. 1) Surely you can get the password of the user while the user is logging in. It is available in PAM auth context. 2) Indeed as @Osqui pointed out, PAM has been used to unlock and mount encrypted partitions. No need for hashing to match. – Robert Cutajar Jul 30 '20 at 11:38
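
The comment above says the login password is available in the PAM auth context. As an added example (not code from any poster or from pam-cryptsetup), this pam_exec hook reads that password and checks whether the key slot from the question still accepts it; the script path, the `LUKS_*` and `CRYPTSETUP` variables and the PAM line are assumptions.

```shell
#!/bin/sh
# Added sketch, not from the thread. Assumed PAM line, placed after the module
# that verifies the password (file and script path are hypothetical):
#   auth optional pam_exec.so expose_authtok quiet /usr/local/sbin/luks-slot-check.sh

LUKS_DEVICE="${LUKS_DEVICE:-/dev/sda5}"   # device from the question
LUKS_SLOT="${LUKS_SLOT:-2}"               # slot from the question
LUKS_USER="${LUKS_USER:-bob}"             # user from the question
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"    # overridable so the logic can be tested

# With expose_authtok, pam_exec hands the password to the command on stdin.
# Strip any NUL terminator and add no newline: with "--key-file -" cryptsetup
# reads stdin to EOF and does not stop at a newline.
# --test-passphrase only verifies the passphrase; it does not map the device.
slot_accepts_authtok() {
    tr -d '\000' | "$CRYPTSETUP" open --test-passphrase \
        --key-slot "$LUKS_SLOT" --key-file - "$LUKS_DEVICE" >/dev/null 2>&1
}

# Prints "in-sync" or "out-of-sync" for the configured user in the auth stack,
# and nothing for any other user or PAM stack.
check_login() {
    [ "${PAM_TYPE:-}" = "auth" ] || return 0
    [ "${PAM_USER:-}" = "$LUKS_USER" ] || return 0
    if slot_accepts_authtok; then
        echo "in-sync"
    else
        echo "out-of-sync"
    fi
}

# Run only when invoked by pam_exec, which sets PAM_TYPE in the environment.
if [ -n "${PAM_TYPE:-}" ]; then
    status=$(check_login)
    # Log the mismatch, never the password itself.
    [ "$status" != "out-of-sync" ] || logger -t luks-slot-check \
        "key slot $LUKS_SLOT on $LUKS_DEVICE does not accept the login password of $PAM_USER"
    exit 0   # never block the login from this hook
fi
```

Re-enrolling the slot after a mismatch still needs an existing valid key for `cryptsetup luksAddKey` or `luksChangeKey`, which this check deliberately leaves to the administrator.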