pam_keyinit question (trying to setup encryption for $HOME)
Hi,
I'm trying to set up a configuration in which the user's $HOME is encrypted, using a
2.6.37 kernel and ecryptfs-utils 85.
$HOME was migrated using ecryptfs-migrate-home.
The first problem is "Error attempting to add filename encryption key to user
session keyring; rc = [1]".
From looking into code:
A) ecryptfs_insert_wrapped_passphrase_into_keyring() calls
B) ecryptfs_add_passphrase_key_to_keyring().
If B) returns non-zero this is treated as an error, but a return value of 1 means the
key already exists in the keyring. Doesn't that mean 1 should also be treated as success?
I'm using pam_keyinit.so, which creates a fresh session keyring at session start and
revokes it at session end, and I suspect this is what produces the rc = [1].
If I drop pam_keyinit and set up everything eCryptfs-related, everything works fine —
and it keeps working even after I put pam_keyinit back into the PAM configs.
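[root@bigarm ~]# cat /etc/pam.d/sshd
#%PAM-1.0
# Reject users listed in the sshd blacklist. NOTE(review): per pam_listfile(8),
# onerr=succeed makes a missing or unreadable blacklist file return success,
# i.e. the blacklist fails open; onerr=fail is the fail-closed setting.
auth required pam_listfile.so item=user sense=deny file=/etc/security/blacklist.sshd onerr=succeed
auth include system-auth
account required pam_shells.so
account required pam_nologin.so
account required pam_access.so
account include system-auth
password include system-auth
# force: replace the process's session keyring even if one already exists;
# revoke: revoke it when the session closes. The system-auth session stack
# included below lists pam_keyinit.so again (without force), so the module
# runs twice per session -- confirm that is intended; it is the module the
# rc = [1] question in this message is about.
session optional pam_keyinit.so force revoke debug
session include system-auth
session optional pam_mail.so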
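[root@bigarm ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# NOTE(review): onerr=succeed on pam_listfile and pam_tally means an unreadable
# blacklist or faillog file does not block login (fail open; see the man pages).
auth required pam_listfile.so item=user sense=deny file=/etc/security/blacklist onerr=succeed
auth required pam_env.so
# deny=0: pam_tally treats 0 as "no deny" -- failures are counted in faillog
# but never lock the account. Confirm that count-only is the intent.
auth required pam_tally.so deny=0 file=/var/log/faillog onerr=succeed
auth required pam_unix.so try_first_pass
# Unwraps the eCryptfs passphrase with the login password and adds it to the
# kernel keyring. optional: a failure here (such as the "Error attempting to
# add filename encryption key ... rc = [1]" message) does not fail authentication.
auth optional pam_ecryptfs.so unwrap
account required pam_tally.so file=/var/log/faillog onerr=succeed
account required pam_time.so
account required pam_unix.so
# password [success=1 ignore=reset abort=die default=bad] pam_pwgen.so upper=1 digit=1
password required pam_cracklib.so try_first_pass difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass sha512 shadow use_authtok
# Re-wraps the eCryptfs passphrase under the new login password so the
# auth-stage unwrap above keeps working after a password change.
password required pam_ecryptfs.so
# Runs make in /var/db after a password change; failok: the stack does not
# fail if make does. NOTE(review): if this executes with root privileges
# (seteuid under a setuid passwd), the Makefile and everything it includes
# must not be writable by unprivileged users.
password required pam_exec.so failok seteuid /usr/bin/make -C /var/db
# password required pam_exec.so failok seteuid /usr/bin/make -C /var/yp
# Second pam_keyinit invocation when this file is included from sshd, which
# already ran it with force; here only revoke at session end.
session optional pam_keyinit.so revoke debug
session required pam_limits.so change_uid
# For service crond, skip the next entry (pam_unix session); otherwise ignore.
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
# Session-stage counterpart of the auth unwrap: the eCryptfs mount of $HOME
# happens here (pam_ecryptfs(8)), after pam_keyinit has set up the keyring.
session optional pam_ecryptfs.so unwrap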
--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/