

pam_keyinit question (trying to setup encryption for $HOME)

 

Hi,

I'm trying to set up a configuration in which the user's $HOME is encrypted, using a 
2.6.37 kernel and ecryptfs-utils 85.

$HOME was migrated using ecryptfs-migrate-home.

The first problem is "Error attempting to add filename encryption key to user 
session keyring; rc = [1]". 

From looking into the code:
A) ecryptfs_insert_wrapped_passphrase_into_keyring() calls
B) ecryptfs_add_passphrase_key_to_keyring().

If B) returns non-zero it is treated as an error, but "1" means the key 
already exists. Doesn't this mean that 1 should also be treated as "ok"?

I'm using pam_keyinit.so, which adds/revokes keys at the start/end of the session, and I 
guess this is what causes error "1".

If I drop pam_keyinit and set up everything ecryptfs-related, then everything works 
fine (even if I put pam_keyinit back in the PAM configs).

[root@bigarm ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth            required        pam_listfile.so item=user sense=deny 
file=/etc/security/blacklist.sshd onerr=succeed
auth            include         system-auth
account         required        pam_shells.so
account         required        pam_nologin.so
account         required        pam_access.so
account         include         system-auth
password        include         system-auth
session         optional        pam_keyinit.so force revoke debug
session         include         system-auth
session         optional        pam_mail.so

[root@bigarm ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
auth            required        pam_listfile.so item=user sense=deny 
file=/etc/security/blacklist onerr=succeed
auth            required        pam_env.so
auth            required        pam_tally.so deny=0 file=/var/log/faillog 
onerr=succeed
auth            required        pam_unix.so try_first_pass
auth            optional        pam_ecryptfs.so unwrap

account         required        pam_tally.so file=/var/log/faillog 
onerr=succeed
account         required        pam_time.so
account         required        pam_unix.so

# password      [success=1 ignore=reset abort=die default=bad]  pam_pwgen.so 
upper=1 digit=1
password        required        pam_cracklib.so try_first_pass difok=2 
minlen=8 dcredit=2 ocredit=2 retry=3
password        required        pam_unix.so try_first_pass sha512 shadow 
use_authtok
password        required        pam_ecryptfs.so
password        required        pam_exec.so failok seteuid /usr/bin/make -C 
/var/db
# password      required        pam_exec.so failok seteuid /usr/bin/make -C 
/var/yp

session         optional        pam_keyinit.so revoke debug
session         required        pam_limits.so change_uid
session         [success=1 default=ignore]      pam_succeed_if.so service in 
crond quiet use_uid
session         required        pam_unix.so
session         optional        pam_ecryptfs.so unwrap


-- 
Arkadiusz Miśkiewicz        PLD/Linux Team
arekm / maven.pl            http://ftp.pld-linux.org/


