ecryptfs team mailing list archive
Message #01061
[Bug 295429] Re: pam_encryptfs.so causes authentication to be slow
OK, my proposal was missing something - you need the password to
unwrap... :-p
So the best would IMHO be that you simply check that the password is the right one during the auth phase, and only unwrap the folder after, for example in a child process. For now, in the pam_sm_authenticate function, there's at the end:
> 178 tmp_pid = waitpid(child_pid, NULL, 0);
The only interest of waiting for the child to finish is to return
PAM_SUCCESS on success, which is not really useful since ecryptfs is
always optional. So I suggest the module forks ASAP and only returns
error if the password is not the right one.
Please do something, that's really lousy that you need 2 seconds to
unlock gnome-screensaver! ;-)
--
pam_encryptfs.so causes authentication to be slow
https://bugs.launchpad.net/bugs/295429
You received this bug notification because you are a member of eCryptfs,
which is subscribed to ecryptfs-utils in ubuntu.
Status in “ecryptfs-utils” source package in Ubuntu: Incomplete
Bug description:
Binary package hint: ecryptfs-utils
I have the encrypted ~/Private enabled. In /etc/pam.d/common-auth is the line:
auth optional pam_encryptfs.so unwrap
If that line is commented out, then doing something like 'sudo ls' is instantaneous after I enter my password.
If that line is not commented out (like normal), 'sudo ls', or anything else involving my password such as logging in, and unlocking the screensaver take about 4 or 5 seconds longer than they need to.
The following is also syslogged. I'm not sure if it's relevant or not, but that 5 second delay seems to be the pause that occurs.
Nov 8 17:33:00 gulik sudo: pam_sm_authenticate: Called
Nov 8 17:33:00 gulik sudo: pam_sm_authenticate: username = [robin]
Nov 8 17:33:00 gulik sudo: Error attempting to parse .ecryptfsrc file; rc = [-5]
Nov 8 17:33:00 gulik sudo: Unable to read salt value from user's .ecryptfsrc file; using default
Nov 8 17:33:05 gulik sudo: Passphrase key already in keyring
Nov 8 17:33:05 gulik sudo: Error attempting to add passphrase key to user session keyring; rc = [1]
Nov 8 17:33:05 gulik sudo: There is already a key in the user session keyring for the given passphrase.
This doesn't seem to impair the functionality, but it is a little bit annoying.
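The fork-and-return idea from the message above, as an added C example that is not ecryptfs-utils code: the slow step runs in a detached grandchild, so the caller never blocks on it and no zombie is left in the program that loaded the module. The names slow_unwrap, start_unwrap_detached and timed_start_ms are hypothetical, and the 2-second sleep is a constructed stand-in for the unwrap.

```c
#include <stdio.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the slow unwrap step (assumed to take ~2 s). */
static void slow_unwrap(void) { sleep(2); }

/* Hypothetical helper: run slow_unwrap() in a detached grandchild.
 * Returns 0 once the helper is started, -1 if it could not be started.
 * The intermediate child exits at once, so the waitpid() here returns
 * immediately and the calling program is left with no zombie to reap. */
int start_unwrap_detached(void)
{
    int status;
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        pid_t grandchild = fork();
        if (grandchild == 0) {
            /* Do not hold the caller's terminal or pipes open. */
            close(STDIN_FILENO); close(STDOUT_FILENO); close(STDERR_FILENO);
            slow_unwrap();
            _exit(0);
        }
        _exit(grandchild < 0 ? 1 : 0);
    }
    if (waitpid(child, &status, 0) != child)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Wall-clock milliseconds spent in start_unwrap_detached(); result in *rc. */
long timed_start_ms(int *rc)
{
    struct timeval a, b;
    gettimeofday(&a, NULL);
    *rc = start_unwrap_detached();
    gettimeofday(&b, NULL);
    return (b.tv_sec - a.tv_sec) * 1000L + (b.tv_usec - a.tv_usec) / 1000L;
}

int main(void)
{
    int rc;
    printf("returned after %ld ms\n", timed_start_ms(&rc));
    return rc == 0 ? 0 : 1;
}
```

Simply deleting the waitpid() call without the second fork would leave a defunct child in sudo or the screensaver until that program exits or reaps it.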