
touch-packages team mailing list archive

[Bug 1377924] Re: ecryptfs fails to mount (Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING)

 

The reason for the failure seems to be in default configuration of PAM
for SSH.

If I understand correctly, PAM is configured to enforce session key revocation upon termination of the parent SSHD process:
--- /etc/pam.d/sshd ---
...
# Create a new session keyring.
session    optional     pam_keyinit.so force revoke
...
---

Some environments connect using ssh and then "detach" from it, which
probably causes session key termination.

As a workaround I propose commenting out "force revoke" in
/etc/pam.d/sshd.

Note: There might be security-related repercussions!


** Package changed: apparmor (Ubuntu) => pam (Ubuntu)

** Package changed: linux (Ubuntu) => x2goclient (Ubuntu)

** Changed in: x2goclient (Ubuntu)
       Status: Opinion => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1377924

Title:
  ecryptfs fails to mount (Unable to link the KEY_SPEC_USER_KEYRING into
  the KEY_SPEC_SESSION_KEYRING)

Status in openssh package in Ubuntu:
  Confirmed
Status in pam package in Ubuntu:
  Confirmed
Status in x2goclient package in Ubuntu:
  Confirmed

Bug description:
  This is a reincarnation of Bug #1234412.

  Looks like the issue is not related to specific kernel versions.

  Currently I am observing two Trusty (14.04) machines, with very similar configurations, running the same kernel:
  3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64.

  One is able to mount without a problem but the other is refusing:
  $ mount -t ecryptfs sec sec
  Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING; there is something wrong with your kernel keyring. Did you build key retention support into your kernel?
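
A check for the pam_keyinit setting discussed in the comment at the top of this message, as an added example that is not part of the original bug report or of any Ubuntu package: it lists the options on the active pam_keyinit lines of a PAM service file and reports whether "revoke" is set for the session. The function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit how pam_keyinit is configured in one PAM service file.
# It reads only the file given; files pulled in via @include are not followed.

# keyinit_opts FILE
# Prints one line per active pam_keyinit entry: "<type> <options...>".
keyinit_opts() {
    awk '
        # Join backslash-continued lines before parsing.
        /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }
        {
            line = buf $0; buf = ""
            sub(/#.*/, "", line)               # drop comments, incl. trailing ones
            if (line !~ /pam_keyinit\.so/) next
            sub(/\[[^]]*\]/, "CTRL", line)     # collapse [value=action ...] control
            n = split(line, f, /[ \t]+/)
            i = (f[1] == "") ? 2 : 1           # leading blanks give an empty field
            type = f[i]; sub(/^-/, "", type)   # "-session": ignore a missing module
            opts = ""
            # Fields are: type, control, module path, then the module options.
            for (j = i + 3; j <= n; j++) if (f[j] != "") opts = opts " " f[j]
            print type opts
        }
    ' "$1"
}

# keyinit_revokes FILE
# Exit status 0 if an active session entry passes "revoke" to pam_keyinit.
keyinit_revokes() {
    keyinit_opts "$1" | grep -Eq '^session( .*)? revoke( |$)'
}

# Constructed sample input: the line quoted in the report, and the same line
# with the options commented out as the proposed workaround describes.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '# Create a new session keyring.' \
    'session    optional     pam_keyinit.so force revoke' > "$SAMPLE_DIR/sshd.stock"
printf '%s\n' '# Create a new session keyring.' \
    'session    optional     pam_keyinit.so # force revoke' > "$SAMPLE_DIR/sshd.workaround"

for f in "$SAMPLE_DIR"/sshd.*; do
    if keyinit_revokes "$f"; then
        echo "$f: session keyring is revoked when the invoking process exits"
    else
        echo "$f: revoke not set; session keyring is not revoked on exit"
    fi
done
```

On a real system the function would be pointed at /etc/pam.d/sshd; pairing it with `keyctl show @s` in the affected session shows whether the session keyring is still usable there.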
