Feature Request: Enable some way for pam_fscrypt to not lock policies on logout #357

Closed
josephlr opened this issue May 16, 2022 · 3 comments · Fixed by #367

@josephlr
Member

josephlr commented May 16, 2022

My use case is the following:

Normally, I have a directory (say /mnt/foo/bar) that is unlocked whenever I log in, and is protected by my login passphrase. It uses pam_fscrypt to automatically unlock directory bar, and everything works fine. This directory's contents are also read by system services running on the machine.

However, things get weird if I manually unlock the directory. This sometimes is necessary to fix system bugs (unrelated to fscrypt) or when accessing the computer over SSH (where I don't provide a passphrase on login). Even if I manually unlock the directory with a different, non-login protector, the directory is locked on logout.

This is different from the behavior of a directory only protected with a non-login protector, where it will not be locked on logout.

I see some potential ways to make this more user-friendly:

  • When unlocking the directory, print a message to the user if it will be autolocked on logout.
  • Only auto-lock policies that were unlocked with the login passphrase (maybe this should be opt-in?)
  • A non-default option to pam_fscrypt to just disable directory locking on logout.

@ebiggers what are your thoughts here?

@plumbeo

plumbeo commented Oct 12, 2022

Hi, I didn't see this and replied on #281 where the option was removed.

My use case is a partially headless machine with the occasional VM and where long-running processes are often executed under screen or tmux: when I log out from the SSH session now everything gets locked.

If there is a way to prevent locking when screen/tmux are running that would be good enough for me without needing an option to disable it globally, but I couldn't find anything that worked.

ebiggers added a commit that referenced this issue Oct 18, 2022
Now that it's been requested by users, bring back the "unlock_only"
option, which was originally proposed as part of
#281 but was dropped in the final
version of that pull request.

Resolves #357
ebiggers added a commit that referenced this issue Oct 19, 2022
Now that it's been requested by users, bring back the "unlock_only"
option, which was originally proposed as part of
#281 but was dropped in the final
version of that pull request.

Resolves #357
ebiggers added a commit that referenced this issue Oct 20, 2022
Now that it's been requested by users, bring back the "unlock_only"
option, which was originally proposed as part of
#281 but was dropped in the final
version of that pull request.

Resolves #357
@ebiggers
Collaborator

On the master branch, pam_fscrypt supports the unlock_only option now. @plumbeo can you check whether it works for you?

@plumbeo

plumbeo commented Oct 20, 2022

I just tested 0.3.3 with this patch added and it works as expected, thank you very much!
