ecryptfs-users team mailing list archive
Message #00083
Re: pam_keyinit question (trying to setup encryption for $HOME)
On Sat, Feb 5, 2011 at 5:27 PM, Arkadiusz Miskiewicz <arekm@xxxxxxxx> wrote:
> I'm trying to setup configuration with $HOME of user being encrypted. Using
> 2.6.37 kernel and ecryptfs-utils 85.
Bleeding edge user, I love it ;-)
> $HOME was migrated using ecryptfs-migrate-home.
First, can you make absolutely sure that ~/.ecryptfs/wrapped-passphrase exists?
ecryptfs-migrate-home generates a random key as the root user and does
the migration using rsync. The randomly generated key is stored
in a file in /dev/shm (shared memory) permissioned 400 and owned by
the target user. That user *must* login before you reboot the system
such that pam_ecryptfs can pick up the existence of the file and
encrypt it to your ~/.ecryptfs/wrapped-passphrase.
If you rebooted before that user logged in, then that random key would
be lost, and cause login failures, etc.
Can you check this before we dig into the rest of this below?
Cheers!
Dustin
> First problem is "Error attempting to add filename encryption key to user
> session keyring; rc = [1]".
>
> From looking into code:
> A) ecryptfs_insert_wrapped_passphrase_into_keyring() calls
> B) ecryptfs_add_passphrase_key_to_keyring().
>
> If B) returns non zero then it is treated as an error but "1" means key
> already exists. Doesn't this mean that 1 should also be treated as "ok" ?
>
> I'm using pam_keyinit.so which adds/revokes keys at start/end of session and I
> guess this causes error "1".
>
> If I drop pam_keyinit, setup everything ecryptfs related then everything works
> fine (even if I set pam_keyinit back in pam configs).
>
> [root@bigarm ~]# cat /etc/pam.d/sshd
> #%PAM-1.0
> auth required pam_listfile.so item=user sense=deny file=/etc/security/blacklist.sshd onerr=succeed
> auth include system-auth
> account required pam_shells.so
> account required pam_nologin.so
> account required pam_access.so
> account include system-auth
> password include system-auth
> session optional pam_keyinit.so force revoke debug
> session include system-auth
> session optional pam_mail.so
>
> [root@bigarm ~]# cat /etc/pam.d/system-auth
> #%PAM-1.0
> auth required pam_listfile.so item=user sense=deny file=/etc/security/blacklist onerr=succeed
> auth required pam_env.so
> auth required pam_tally.so deny=0 file=/var/log/faillog onerr=succeed
> auth required pam_unix.so try_first_pass
> auth optional pam_ecryptfs.so unwrap
>
> account required pam_tally.so file=/var/log/faillog onerr=succeed
> account required pam_time.so
> account required pam_unix.so
>
> # password [success=1 ignore=reset abort=die default=bad] pam_pwgen.so upper=1 digit=1
> password required pam_cracklib.so try_first_pass difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
> password required pam_unix.so try_first_pass sha512 shadow use_authtok
> password required pam_ecryptfs.so
> password required pam_exec.so failok seteuid /usr/bin/make -C /var/db
> # password required pam_exec.so failok seteuid /usr/bin/make -C /var/yp
>
> session optional pam_keyinit.so revoke debug
> session required pam_limits.so change_uid
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_ecryptfs.so unwrap
>
>
> --
> Arkadiusz Miśkiewicz PLD/Linux Team
> arekm / maven.pl http://ftp.pld-linux.org/
>
> _______________________________________________
> Mailing list: https://launchpad.net/~ecryptfs-users
>
--
:-Dustin
Dustin Kirkland
Ubuntu Core Developer