Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Automatically mount dm-crypt encrypted home with pam_mount
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2, 3, 4, 5  
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
kwisatz_haderais
Tux's lil' helper
Tux's lil' helper


Joined: 28 Sep 2004
Posts: 143

PostPosted: Tue May 22, 2007 7:47 pm    Post subject: Reply with quote

The only order of "auth lines" in system-auth that worked for me (without login asking for the password twice) is the following:

Code:
auth       required     pam_env.so
auth       optional     pam_mount.so
auth       sufficient   pam_unix.so likeauth nullok use_first_pass
auth       required     pam_deny.so
Back to top
View user's profile Send private message
Mirza
n00b
n00b


Joined: 22 Nov 2005
Posts: 5

PostPosted: Sun Jun 03, 2007 6:27 pm    Post subject: Reply with quote

kwisatz_haderais wrote:
The only order of "auth lines" in system-auth that worked for me (without login asking for the password twice) is the following:

Code:

auth       required     pam_env.so
auth       optional     pam_mount.so
auth       sufficient   pam_unix.so likeauth nullok use_first_pass
auth       required     pam_deny.so


This is finally working for me. Thanks.


Are there any possible security considerations when changing
Code:
auth       required   pam_unix.so likeauth nullok use_first_pass


to

Code:
auth       sufficient   pam_unix.so likeauth nullok use_first_pass


I don't know what is difference between "sufficient" and "required", because I am not able to log in at all when I am using "required" for pam_unix in the above configuration.

M.
Back to top
View user's profile Send private message
schachti
Advocate
Advocate


Joined: 28 Jul 2003
Posts: 3765
Location: Gifhorn, Germany

PostPosted: Mon Sep 03, 2007 4:12 pm    Post subject: Re: Automatically mount dm-crypt encrypted home with pam_mou Reply with quote

tuxophil wrote:
Code:
echo $KEY | openssl aes-256-ecb > /home/frodo.key


How can I decrypt this key? I have a fsck error when pam_mount tries to open my encrypted home, so I have to do fsck by hand (and to do so, I have to use cryptsetup with the decrypted key).

EDIT: Solution:

Code:

openssl aes-256-ecb -d -in /home/frodo.key | cryptsetup create frodo /dev/loop1


It's not part of the man page of openssl, otherwise I would not have asked.
_________________
Never argue with an idiot. He brings you down to his level, then beats you with experience.

How-To: Daten verschlüsselt auf DVD speichern.
Back to top
View user's profile Send private message
pillgrim
n00b
n00b


Joined: 23 Sep 2007
Posts: 1

PostPosted: Sun Sep 23, 2007 1:48 pm    Post subject: Re: Automatically mount dm-crypt encrypted home with pam_mou Reply with quote

I've spent several hours trying to get this working on my box with pam_mount = 0.19, so here is howto for those who still experiences problems running pam_mount >= 0.19 with xml config files and LUKS:

1. generate key as mentionned in this topic

Code:
KEY=`tr -cd [:graph:] < /dev/urandom | head -c 79`


2. save key. When prompted for password - use your login password

Code:
echo $KEY | openssl aes-256-ecb > /home/ag.key


3. prepare file from /dev/zero (it is much faster than /dev/urandom)
Code:

dd if=/dev/zero of=/home/ag.img bs=1M count=10240


4. attach file to a loopback device
Code:
losetup /dev/loop0 /home/ag.img


5. format it for LUKS
Code:
openssl aes-256-ecb -d -in /home/ag.key | cryptsetup -v -c aes -s 256 luksFormat /dev/loop0


6. open it
Code:
openssl aes-256-ecb -d -in /home/ag.key | cryptsetup luksOpen /dev/loop0 ag


7. make filesystem of your choice
Code:
mkreiserfs /dev/mapper/ag


8. close it
Code:
cryptsetup luksClose ag


9. remove loopback
Code:
losetup -d /dev/loop0


10. emege pam_mount for it
Code:
emerge pam_mount


11. setup /etc/pam.d/system-auth, mine looks like this
Code:

auth       required         pam_env.so
# this is important
auth       optional         pam_mount.so
auth       sufficient       pam_unix.so likeauth nullok use_first_pass
auth       required         pam_deny.so

account    required         pam_unix.so

password   required         pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient       pam_unix.so nullok md5 shadow use_authtok use_first_pass
password   required         pam_deny.so

session    required         pam_limits.so
session    required         pam_unix.so
# this is important too
session    optional         pam_mount.so


12. put the following lines into /etc/security/pam_mount.conf.xml
Code:

    <volume path="/home/ag.img"
            mountpoint="/home/ag2"
            fstype="crypt"
            options="loop"
            fskeypath="/home/ag.key"
            fskeycipher="aes-256-ecb" />


Everything worked for me
Back to top
View user's profile Send private message
Massimo B.
Veteran
Veteran


Joined: 09 Feb 2005
Posts: 1210
Location: PB, Germany

PostPosted: Sun Nov 18, 2007 8:20 pm    Post subject: Reply with quote

After following the PAM upgrade-0.99 guide I was able to get PAM working with the new pam_mount-0.29.

Now some question about 0.29:

  • The ebuild brings /sbin/umount.crypt and there I'd like to add some modifications like "$FUSER" -km "$1". But that script is just never called. /etc/security/pam_mount.conf.xml doesn't give a hint to an unmount script for crypted devices.

  • How can I get pam_mount working with sshd? With this PAM configuration login and su work with pam_mount while ssh login doesn't:
    /etc/pam.d/system-auth:
    auth       required     pam_env.so
    auth       optional     pam_mount.so
    auth       sufficient   pam_unix.so likeauth nullok use_first_pass
    auth       required     pam_deny.so use_first_pass

    account    required     pam_unix.so

    password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
    password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow
    password   required     pam_deny.so

    session    required     pam_limits.so
    session    required     pam_unix.so
    session    optional     pam_mount.so
    /etc/pam.d/sshd:
    auth       required     pam_shells.so
    auth       required     pam_nologin.so
    auth       include      system-auth

    account    include      system-auth

    password   include      system-auth

    session    include      system-auth
    ssh would be useful since I use unison to synchronize home directories. unison connects via ssh and home is only mounted after user login (using pam_mount and luks). Would be fine if ssh login would do that too.

_________________
ppc:PowerBook5,8 15"(1440)-G4/1.67,2G | amd64:Acer Z5610 (Core2QuadQ8200),i5-3470 | amd64-prefix:OpenSuse | Lila-Theme


Last edited by Massimo B. on Fri Feb 15, 2008 6:42 pm; edited 1 time in total
Back to top
View user's profile Send private message
swingman
Tux's lil' helper
Tux's lil' helper


Joined: 19 Mar 2003
Posts: 88
Location: Sweden

PostPosted: Sun Jan 06, 2008 8:30 am    Post subject: Reply with quote

After much hassle, I sort of got this to work. It mounts nicely, and unmounts, but doesn't clean up everything.

Before login:
Quote:

bf@hallucinator ~ $ ls /dev/mapper/
control crypt-swap crypt-tmp
bf@hallucinator ~ $ sudo /sbin/losetup -a
bf@hallucinator ~ $


After login:
Quote:

bf@hallucinator ~ $ ls /dev/mapper/
_dev_sda7 control crypt-swap crypt-tmp temporary-cryptsetup-28660
bf@hallucinator ~ $ sudo /sbin/losetup -a
/dev/loop/0: [000c]:2041 (/dev/sda7)
bf@hallucinator ~ $


After logout, I get:
Quote:

bf@hallucinator ~ $ ls /dev/mapper/
control crypt-swap crypt-tmp temporary-cryptsetup-28660
bf@hallucinator ~ $ sudo /sbin/losetup -a
/dev/loop/0: [000c]:2041 (/dev/sda7)
bf@hallucinator ~ $


/dev/mapper-cryptsetup-$$ uses /dev/loop/0 for /dev/sda7, just like /dev/mapper/_dev_sda7 does.

Since temporary-cryptsetup-$$ leaks it is impossible to remove /dev/loop/0.

I guess temparory-cryptsetup-$$ should've gone already in the login step.

How to find out what's wrong, and how to fix it?
_
/Bjorn
Back to top
View user's profile Send private message
swingman
Tux's lil' helper
Tux's lil' helper


Joined: 19 Mar 2003
Posts: 88
Location: Sweden

PostPosted: Sun Jan 06, 2008 9:03 am    Post subject: Reply with quote

More info from syslog with debug enabled in pam_mount.

Quote:

Jan 6 09:53:14 hallucinator login[29502]: pam_tally(login:auth): unknown option: no_magic_root
Jan 6 09:53:14 hallucinator login[29502]: pam_mount(pam_mount.c:202) enter read_password
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(pam_mount.c:311) saving authtok for session code
Jan 6 09:53:16 hallucinator login[29502]: pam_tally(login:account): option deny=0 allowed in auth phase only
Jan 6 09:53:16 hallucinator login[29502]: pam_tally(login:account): unknown option: no_magic_root
Jan 6 09:53:16 hallucinator login[29502]: pam_tally(login:setcred): unknown option: no_magic_root
Jan 6 09:53:16 hallucinator login[29502]: pam_unix(login:session): session opened for user dd by LOGIN(uid=0)
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(pam_mount.c:460) Entered pam_mount sessionstage
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(pam_mount.c:481) back from global readconfig
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(pam_mount.c:483) per-user configurations not allowed by pam_mount.conf.xml
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(misc.c:56) Session open: (uid=0, euid=0, gid=1011, egid=1011)
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(rdconf2.c:209) checking sanity of volume record (/dev/sda7)
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(pam_mount.c:535) about to perform mount operations
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:409) information for mount:
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:410) ----------------------
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:411) (defined by globalconf)
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:412) user: dd
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:413) server:
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:414) volume: /dev/sda7
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:415) mountpoint: /local_home
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:416) options: loop,
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:417) fs_key_cipher:
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:418) fs_key_path:
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:419) use_fstab: 0
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:420) ----------------------
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:182) realpath of volume "/local_home" is "/local_home"
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:186) checking to see if /dev/mapper/_dev_sda7 is already mounted at /local_home
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:873) checking for encrypted filesystem key configuration
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:899) about to start building mount command
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(misc.c:285) command: mount [-t] [crypt] [-o loop,] [/dev/sda7] [/local_home]
Jan 6 09:53:16 hallucinator login[29982]: pam_mount(misc.c:56) set_myuid<pre>: (uid=0, euid=0, gid=1011, egid=1011)
Jan 6 09:53:16 hallucinator login[29982]: pam_mount(misc.c:56) set_myuid<post>: (uid=0, euid=0, gid=1011, egid=1011)
Jan 6 09:53:16 hallucinator device-mapper: ioctl: unable to remove open device temporary-cryptsetup-29996
Jan 6 09:53:17 hallucinator login[29502]: pam_mount(mount.c:104) mount errors:
Jan 6 09:53:17 hallucinator login[29502]: pam_mount(mount.c:107) Failed to setup dm-crypt key mapping.
Jan 6 09:53:17 hallucinator login[29502]: pam_mount(mount.c:107) Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/loop0 contains at least 261 sectors.
Jan 6 09:53:17 hallucinator login[29502]: pam_mount(mount.c:107) Failed to read from key storage
Jan 6 09:53:17 hallucinator device-mapper: ioctl: unable to remove open device temporary-cryptsetup-29996
Jan 6 09:53:17 hallucinator login[29502]: pam_mount(mount.c:107) Command successful.
Jan 6 09:53:17 hallucinator ReiserFS: dm-3: found reiserfs format "3.6" with standard journal
Jan 6 09:53:17 hallucinator ReiserFS: dm-3: using ordered data mode
Jan 6 09:53:17 hallucinator ReiserFS: dm-3: journal params: device dm-3, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
Jan 6 09:53:17 hallucinator ReiserFS: dm-3: checking transaction log (dm-3)
Jan 6 09:53:17 hallucinator ReiserFS: dm-3: Using r5 hash to sort names
Jan 6 09:53:17 hallucinator login[29502]: pam_mount(mount.c:933) waiting for mount
Jan 6 09:53:17 hallucinator login[29502]: pam_mount(pam_mount.c:134) clean system authtok (0)
Jan 6 09:53:17 hallucinator login[29502]: pam_mount(misc.c:285) command: pmvarrun [-u] [dd] [-o] [1]
Jan 6 09:53:17 hallucinator login[30021]: pam_mount(misc.c:56) set_myuid<pre>: (uid=0, euid=0, gid=1011, egid=1011)
Jan 6 09:53:17 hallucinator login[30021]: pam_mount(misc.c:56) set_myuid<post>: (uid=0, euid=0, gid=1011, egid=1011)
Jan 6 09:53:17 hallucinator login[29502]: pam_mount(pam_mount.c:425) pmvarrun says login count is 1
Jan 6 09:53:17 hallucinator login[29502]: pam_mount(pam_mount.c:548) done opening session (ret=0)


What gives?
_
/Bjorn
Back to top
View user's profile Send private message
swingman
Tux's lil' helper
Tux's lil' helper


Joined: 19 Mar 2003
Posts: 88
Location: Sweden

PostPosted: Wed Jan 09, 2008 7:39 pm    Post subject: Reply with quote

Solved it. Had an old cryptsetup, with a documented race vis-a-vis HAL, and on top of that I really shouldn't have had option="loop" in pam_mount.conf.xml.

Now it's just the matter of PAM lowering priv from root too early when leaving from "su", which makes it impossible to unmount. Grr.
_
/Bjorn
Back to top
View user's profile Send private message
grimm26
Guru
Guru


Joined: 23 May 2004
Posts: 311
Location: Chicagoland, IL

PostPosted: Mon Feb 11, 2008 4:04 am    Post subject: Reply with quote

For some reason this does not work for me. I have followed the steps. I have sys-auth/pam_mount-0.32 and sys-fs/cryptsetup-1.0.5-r1 and the right stuff for dmcrypt in the kernel. I can do everyting fine manually, but I cannot get pam_mount to mount a homedir for a test user that I set up.
from /etc/security/pam_mount.conf.xml
Code:

<volume path="/home/protected"
mountpoint="/home/mktest"
fstype="crypt"
options="loop,cipher=aes"
fskeypath="/home/protected.key"
fskeycipher="aes-256-ecb" />

/home/protected is my encrypted loop file and I want it to mount into /home/mktest. I can login with mktest and I see this in messages:
Code:
b 10 21:34:15 qa4437-11 login[14432]: pam_mount(pam_mount.c:202) enter read_password
Feb 10 21:34:19 qa4437-11 login[14432]: pam_mount(pam_mount.c:311) saving authtok for session code
Feb 10 21:34:20 qa4437-11 login[14432]: pam_unix(login:session): session opened for user mktest by (uid=0)
but the loop is not created or mounted. and then when I logout.
Code:

Feb 10 21:38:06 qa4437-11 login[14432]: pam_unix(login:session): session closed for user mktest
Feb 10 21:38:06 qa4437-11 login[14432]: pam_mount(pam_mount.c:134) clean system authtok (0)

Any ideas?
_________________
"Blessed is he who finds happiness in his own foolishness, for he will always be happy".
Back to top
View user's profile Send private message
schachti
Advocate
Advocate


Joined: 28 Jul 2003
Posts: 3765
Location: Gifhorn, Germany

PostPosted: Mon Feb 11, 2008 7:19 am    Post subject: Reply with quote

Try to set

Code:

<debug enable="1" />


in your config file to get more detailled output.
_________________
Never argue with an idiot. He brings you down to his level, then beats you with experience.

How-To: Daten verschlüsselt auf DVD speichern.
Back to top
View user's profile Send private message
grimm26
Guru
Guru


Joined: 23 May 2004
Posts: 311
Location: Chicagoland, IL

PostPosted: Mon Feb 11, 2008 2:49 pm    Post subject: Reply with quote

I did. That's how I got the messages that I did post. I didn't see anything else from pam_mount, though.
_________________
"Blessed is he who finds happiness in his own foolishness, for he will always be happy".
Back to top
View user's profile Send private message
Massimo B.
Veteran
Veteran


Joined: 09 Feb 2005
Posts: 1210
Location: PB, Germany

PostPosted: Fri Feb 15, 2008 8:07 pm    Post subject: pam_mount with ssh Reply with quote

Massimo B. wrote:
  • ...login and su work with pam_mount while ssh login doesn't...

..according to Guschtel on the channel this should fix it:
/etc/pam.d/system-auth:
#%PAM-1.0
 
auth       required     pam_env.so
auth       required     pam_unix.so try_first_pass likeauth nullok
# added
auth       sufficient   pam_mount.so use_first_pass
# end added
auth       required     pam_deny.so
 
account    required     pam_unix.so
 
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow
password   required     pam_deny.so
 
session    required     pam_limits.so
session    required     pam_unix.so
# added
session    optional     pam_mount.so
# end added
/etc/ssh/sshd_config:
UsePAM yes
 
## Changed 2008-02-15
## IMPORTANT for PAM_MOUNT
PasswordAuthentication yes
ChallengeResponseAuthentication no
 
--
#UsePrivilegeSeparation yes
 
## Changed 2008-02-15
## IMPORTANT for PAM_MOUNT
UsePrivilegeSeparation no
 
#PermitUserEnvironment no

_________________
ppc:PowerBook5,8 15"(1440)-G4/1.67,2G | amd64:Acer Z5610 (Core2QuadQ8200),i5-3470 | amd64-prefix:OpenSuse | Lila-Theme
Back to top
View user's profile Send private message
Guschtel
n00b
n00b


Joined: 29 Dec 2005
Posts: 5

PostPosted: Fri Feb 15, 2008 8:26 pm    Post subject: Reply with quote

When only setting "PrivilegeSeparation no" one gets this error:
Code:
pam_mount(pam_mount.c:460) Entered pam_mount session stage
pam_mount(pam_mount.c:481) back from global readconfig
pam_mount(pam_mount.c:483) per-user configurations not allowed by pam_mount.conf.xml
pam_mount(pam_mount.c:512) error trying to retrieve authtok from auth code
pam_mount(pam_mount.c:202) enter read_password
pam_mount(pam_mount.c:170) conv->conv(...): Conversation error
pam_mount(pam_mount.c:515) error trying to read password
pam_mount(pam_mount.c:548) done opening session (ret=7)


This is solved by the two other Config directives, see also pam_mount FAQ:
Code:
bzcat /usr/share/doc/pam_mount-0.32/faq.txt.bz2 | grep -2 PasswordAuthentication
        Since you have OpenSSH 3.9p1, you can set
        "ChallengeResponseAuthentication no" and
        "PasswordAuthentication yes" in sshd_config and it ought to
        work (with or without privsep).


Setting "UsePrivilegeSeparation yes" disables pam_mount for me.
Back to top
View user's profile Send private message
PssD
n00b
n00b


Joined: 19 Jan 2006
Posts: 13

PostPosted: Sun Mar 09, 2008 3:25 pm    Post subject: passwdehd Reply with quote

hello,

maybe its trivial but changing my password took me quite some time.

somehow my /usr/bin/passwdehd doesn`t like /etc/security/pam_mount.conf.xml.
changing pam_mount.conf in the script to pam_mount.conf.xml didn`t help (is there a new version of passwdehd available?).

Quote:
"If a user changes his login password, regenerate the efsk that was created in step 1b."

(pam_mount.conf.xml)

so:
Quote:

openssl enc -d -aes-256-ecb -in /home/key.key -out /secure/key.txt
[old password]
mv /home/key.key /home/old.key
openssl enc -e -aes-256-ecb -in /secure/key.txt -out /home/key.key
[new passwd]

did it.

thanks for this nice howto (will change password more often from now on :) )
Back to top
View user's profile Send private message
driden91
Apprentice
Apprentice


Joined: 26 Jul 2004
Posts: 232
Location: paris

PostPosted: Sat May 16, 2009 1:48 pm    Post subject: Reply with quote

hello

after an upgrade pam_mount doesn't work :

Code:
Password:
pam_mount(mount.c:67): Command failed: device-mapper: reload ioctl failed: Invalid argument
pam_mount(pam_mount.c:537): mount of /dev/sda7 failed


with debug enable :

Code:
pam_mount(pam_mount.c:458): pam_mount 1.24: entering session stage
reenter password for pam_mount:
pam_mount(misc.c:38): Session open: (uid=0, euid=0, gid=1008, egid=1008)
pam_mount(mount.c:172): Mount info: globalconf, user=driden91 <volume fstype="crypt" server="(null)" path="/dev/sda7" mountpoint="/home/driden91" cipher="aes-256-ecb" fskeypath="/home/driden91.key" fskeycipher="aes-256-ecb" fskeyhash="(null)" options="cipher=aes" /> fstab=0
command: [mount] [-t] [crypt] [-o cipher=aes] [/dev/sda7] [/home/driden91]
pam_mount(misc.c:38): set_myuid<pre>: (uid=0, euid=0, gid=1008, egid=1008)
pam_mount(misc.c:38): set_myuid<post>: (uid=0, euid=0, gid=1008, egid=1008)
Password:
pam_mount(mount.c:64): mount messages:
pam_mount(mount.c:67): Command failed: device-mapper: reload ioctl failed: Invalid argument
Filesystem    Type   1K-blocks      Used Available Use% Mounted on
rootfs      rootfs     1036124    868324    167800  84% /
/dev/root reiserfs     1036124    868324    167800  84% /
proc          proc           0         0         0   -  /proc
rc-svcdir    tmpfs        1024        68       956   7% /lib64/rc/init.d
sysfs        sysfs           0         0         0   -  /sys
udev         tmpfs       10240       120     10120   2% /dev
devpts      devpts           0         0         0   -  /dev/pts
shm          tmpfs     1029408         0   1029408   0% /dev/shm
/dev/sda5 reiserfs     8393656   8206584    187072  98% /usr
/dev/sda6 reiserfs     2104376    213788   1890588  11% /var
usbfs        usbfs           0         0         0   -  /proc/bus/usb
pam_mount(pam_mount.c:537): mount of /dev/sda7 failed
command: [pmvarrun] [-u] [driden91] [-o] [1]
pam_mount(misc.c:38): set_myuid<pre>: (uid=0, euid=0, gid=1008, egid=1008)
pam_mount(misc.c:38): set_myuid<post>: (uid=0, euid=0, gid=1008, egid=1008)
pmvarrun(pmvarrun.c:248): parsed count value 0
pam_mount(pam_mount.c:418): pmvarrun says login count is 1
pam_mount(pam_mount.c:548): done opening session (ret=0)


what is the problem ?

regards
_________________
l'ange des tenebres vit la lumiere au fond de la nature humaine....
Back to top
View user's profile Send private message
mattst88
Developer
Developer


Joined: 28 Oct 2004
Posts: 362

PostPosted: Mon Jan 18, 2010 4:02 am    Post subject: Reply with quote

I just got this error.
Code:
bad pad on end of encrypted file


And I fortunately just figured it out. I was encrypting my keyfile with aes-256-cbc; encrypting it with aes-256-ecb allows it to work properly. I googled and saw this error in a couple places with no solution, so I thought I'd be nice to post the solution somewhere.
_________________
My 1U Dual 833 MHz Alphaserver DS20L
The AlphaLinux.org Wiki
Back to top
View user's profile Send private message
Havin_it
Veteran
Veteran


Joined: 17 Jul 2005
Posts: 1076
Location: Edinburgh, UK

PostPosted: Mon Apr 26, 2010 3:54 pm    Post subject: Reply with quote

Apologies if someone has already mentioned this, but although it's no longer supported, a simple-ish hack can enable TrueCrypt to be used with this too. Here's my /etc/security/pam_mount.conf.xml, with "mememe" as the user:

Code:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
        See pam_mount.conf(5) for a description.
-->

<pam_mount>

                <!-- debug should come before everything else,
                since this file is still processed in a single pass
                from top-to-bottom -->

<debug enable="0" />

                <!-- Volume definitions -->
<cryptmount>tc-nl --text --protect-hidden=no --keyfiles="" %(VOLUME) %(MNTPT)</cryptmount>
<cryptumount>truecrypt --text -d</cryptumount>

                <!-- pam_mount parameters: General tunables -->

<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />
<path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>

<logout wait="0" hup="0" term="0" kill="0" />


                <!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="0" remove="false" />

<volume user="mememe" fstype="crypt" path="/path/to/truecrypt-image" mountpoint="/home/%(USER)" />

</pam_mount>


You can change the truecrypt options as desired in the <cryptmount> element. You also need to create the script here called "tc-nl" somewhere in your path - this is because of something truecrypt does with newlines that pam_mount doesn't like (this is not my work, and I lost the source :shrug: )

The tc-nl script is very simple:
Code:
#!/bin/sh
# Helper for truecrypt via pam_mount
(cat; echo)| truecrypt $*


dm-crypt is better to use in many ways, but I have a dual-boot setup and while Windows tools do exist for dm-crypt/luks mounting, they are nowhere near as robust as TrueCrypt. Hope this helps someone.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Goto page Previous  1, 2, 3, 4, 5
Page 5 of 5

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum