Gentoo Forums
Automatically mount dm-crypt encrypted home with pam_mount

SilentShadow
n00b
Joined: 25 Oct 2004
Posts: 36
Location: Italia

Posted: Wed Feb 23, 2005 3:28 pm

thanks,

so I need a user log-on to have the file decrypted?

I'll try to explain my problem better.

I'm new at a software house that has software based on PHP and Postgres.
They never thought about the security of their sources, so now I'm trying to figure out how to protect the code.
The big issue with encrypting a partition or folder is the boot password.
I can't give the password to customers because with the password they are able to read the code, and I also can't run to the customers every time the machine reboots to type the password at the console.

I think your solution doesn't solve my particular problem, but I have already scheduled to try it as soon as possible... my laptop needs a little bit of security too.

Thanks, Dario

tuxophil
Tux's lil' helper
Joined: 29 Jun 2003
Posts: 80
Location: Diddeleng, Lëtzebuerg

Posted: Wed Feb 23, 2005 4:03 pm

SilentShadow wrote:
so I need a user log-on to have the file decrypted?

So you want encryption that doesn't need any password, dongle, biometric and so on? Sorry, but that's just impossible. After all, there must be "something" that gives you (i.e. your company) and nobody else access to the data. This doesn't have to be a password, but it should be clear that some kind of authentication is necessary.

In any case, if you're really worried about your data, you'll also have to consider the possibility that your customer boots a LiveCD and modifies the system to log the password. This is far from impossible. The only way to guarantee the security of your data would be to never again mount the partition or to do a complete audit of the machine before mounting.

If you don't trust your customers, don't do business with them. ;)

SilentShadow
n00b
Joined: 25 Oct 2004
Posts: 36
Location: Italia

Posted: Wed Feb 23, 2005 4:34 pm

I think I was seeing the problem from the wrong side: I don't need to encrypt the partition, I probably need to encode and obscure the code.

I found these two links on the net (off topic, but to complete the discussion):

http://www.sourceguardian.com/index.html
http://www.zend.com/store/products/zend-encoder.php

thanks Dario

linux_girl
Apprentice
Joined: 12 Sep 2003
Posts: 287

Posted: Wed Feb 23, 2005 7:12 pm

hehehe I found it more useful to encrypt /home:

Code:

.:[Managing 0/82 jobs.] [CPU Load: 0.24 Uptime: 0h13m]:.
.:[8 files using 1,1M] [root@localhost ~]:.
.:[21:09:35]:. $ cat /etc/conf.d/local.start
# /etc/conf.d/local.start:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/conf.d/local.start,v 1.4 2002/11/18 19:39:22 azarah Exp $

# This is a good place to load any misc.
# programs on startup ( 1>&2 )
               
cryptsetup -c aes create home /dev/hdb1
mount /dev/mapper/home /home


Code:

.:[Managing 0/82 jobs.] [CPU Load: 0.24 Uptime: 0h13m]:.
.:[8 files using 1,1M] [root@HackXoR ~]:.
.:[21:09:36]:. $ cat /etc/conf.d/local.stop
# /etc/conf.d/local.stop:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/conf.d/local.stop,v 1.4 2002/11/18 19:39:22 azarah Exp $

# This is a good place to unload any misc.
# programs you started above.
# For example, if you are using OSS and have
# "/usr/local/bin/soundon" above, put
# "/usr/local/bin/soundoff" here.

/etc/init.d/mldonkey stop
umount /home/john/nfs && echo nfs unmounted
umount /home &&echo HOME unmounted



I plan to make a SUID C prog that uses system(2) and mod the xscreensaver src to umount it when I am idle, for more safety when storing ultra important info.
In any case the RIA won't be able to decrypt my /home to find /home/p2p/.mldonkey/incoming/*.mp3 and my users' files.

Code:

.:[Managing 0/81 jobs.] [CPU Load: 0.62 Uptime: 0h15m]:.
.:[53 files using 746k] [root@localhost /home/john/bin]:.
.:[21:11:54]:. $ cat secmount
#!/bin/bash
su -c 'cd ~john; /sbin/losetup /dev/loop2 /home/john/secret; /bin/cryptsetup create secret /dev/loop2; mount /dev/mapper/secret /home/john/nfs; mount -o remount,exec ~john/nfs/'



Code:

.:[Managing 0/81 jobs.] [CPU Load: 0.57 Uptime: 0h15m]:.
.:[53 files using 746k] [root@localhost /home/john/bin]:.
.:[21:11:59]:. $ cat secumount
su -c 'umount /home/john/nfs;cryptsetup remove secret;/sbin/losetup -d /dev/loop2'

_________________
:D :D


Last edited by linux_girl on Fri Dec 15, 2006 3:08 am; edited 1 time in total

ian!
Bodhisattva
Joined: 25 Feb 2003
Posts: 3829
Location: Essen, Germany

Posted: Fri Mar 04, 2005 1:03 pm

Nice How-To. I had to put some umount-foo into my local.stop so that the loop will be umounted when shutting down when the loop was mounted via kdm before.

/etc/conf.d/local.stop:
Code:
/bin/umount /home/<foo> && echo "/home/<foo> unmounted"
/bin/cryptsetup remove /dev/mapper/<bar> && echo "/dev/mapper/<bar> removed"
/sbin/losetup -d /dev/loop<number> && echo "loopdevice removed"

_________________
"To have a successful open source project, you need to be at least somewhat successful at getting along with people." -- Daniel Robbins

yem
n00b
Joined: 05 Nov 2002
Posts: 63
Location: Aotearoa

Posted: Fri Mar 11, 2005 10:53 am

Great HOWTO! _b Hopefully pam_mount will make it into portage soon.

A couple of points:

1) Where it says that you can theoretically login now and try creating/deleting files. Might be worth noting that you need to chown the mount point to the user after it is mounted. Confused me for a few minutes because the mountpoint changed ownership to root:root when mounted.

2) | (cd /home/frodo2; tar xpf -) could be written more clearly as | tar -xpf - -C /home/frodo2

3) If you use a login manager (guessing most people do - particularly on laptops) you need to add the auth/session lines to /etc/pam.d/{xdm,gdm,kdm}. /etc/pam.d/login is not sufficient.

Did you find anything more about using journalled filesystems on dm-crypted block devices? I have the backing file stored on an ext3 partition, but it's not the same. A quick google didn't turn anything up.

tuxophil
Tux's lil' helper
Joined: 29 Jun 2003
Posts: 80
Location: Diddeleng, Lëtzebuerg

Posted: Sat Mar 12, 2005 12:23 am

ian! wrote:
Nice How-To.

Thanks! :D
ian! wrote:
I had to put some umount-foo into my local.stop so that the loop will be umounted when shutting down when the loop was mounted via kdm before.


Yes, I should have added some lines about that problem. In fact there are still some processes left when you leave KDE, but only for a few ms. Adding a one second sleep to umount.crypt solves this problem. This should be more elegant.

tuxophil
Tux's lil' helper
Joined: 29 Jun 2003
Posts: 80
Location: Diddeleng, Lëtzebuerg

Posted: Sat Mar 12, 2005 12:41 am

yem wrote:
1) Where it says that you can theoretically login now and try creating/deleting files. Might be worth noting that you need to chown the mount point to the user after it is mounted. Confused me for a few minutes because the mountpoint changed ownership to root:root when mounted.

I think if you follow the guide this is taken care of ;)
(Have a closer look at the code in section 5.)

yem wrote:
2) | (cd /home/frodo2; tar xpf -) could be written more clearly as | tar -xpf - -C /home/frodo2

Changed.

yem wrote:
3) If you use a login manager (guessing most people do - particularly on laptops) you need to add the auth/session lines to /etc/pam.d/{xdm,gdm,kdm}. /etc/pam.d/login is not sufficient.

After emerge pam_mount you're advised to run etc-update which should point out the changes in the pam files.

yem wrote:
Did you find anything more about using journalled filesystems on dm-crypted block devices? I have the backing file stored on an ext3 partition, but it's not the same. A quick google didn't turn anything up.

I've recently read somewhere (IIRC some remarks by Hans Reiser) that in order to have a completely fail-safe (even unencrypted!) reiserfs partition it's in fact necessary to turn off the drive's write buffering. That sounds quite reasonable since the HDD's buffering does a reordering of the write operations.
In light of this I think that it would be somewhat unrealistic to have an absolutely fail-safe encrypted partition, but I'm by no means an expert and information seems to be scarce :-/.

Thanks for your feedback!

yem
n00b
Joined: 05 Nov 2002
Posts: 63
Location: Aotearoa

Posted: Sat Mar 12, 2005 8:09 am

tuxophil wrote:
I think if you follow the guide this is taken care of ;)
(Have a closer look at the code in section 5.)
I see that, but the instructions to "relogin as frodo. try copying some files" (paraphrasing) won't work without a chown first.

yem wrote:
2) | (cd /home/frodo2; tar xpf -) could be written more clearly as | tar -xpf - -C /home/frodo2
hmm or even "rsync -arv /home/frodo/ /home/frodo2/" ?

tuxophil wrote:
After emerge pam_mount you're advised to run etc-update which should point out the changes in the pam files.
IIRC it modifies /etc/pam.d/login only, not the [xgk]dm profiles.

It's really a great HOWTO. These are just things that confused me. YMMV :)

tuxophil
Tux's lil' helper
Joined: 29 Jun 2003
Posts: 80
Location: Diddeleng, Lëtzebuerg

Posted: Sat Mar 12, 2005 9:15 am

yem wrote:
tuxophil wrote:
I think if you follow the guide this is taken care of ;)
(Have a closer look at the code in section 5.)
I see that, but the instructions to "relogin as frodo. try copying some files" (paraphrasing) won't work without a chown first.

Crap! You're right :) I'll fix it later. Thanks.

yem wrote:
hmm or even "rsync -arv /home/frodo/ /home/frodo2/" ?

I just had a look at man rsync, it seems that it should preserve everything (special files, attributes, etc.), but I'm not sure, since ACLs and extended attributes aren't mentioned. In man tar neither, but until somebody can confirm that rsync would work at least as good as tar, I'll stick to using tar.

yem wrote:
IIRC it modifies /etc/pam.d/login only, not the [xgk]dm profiles.

Hmm, strange, on the two systems I did this kdm was also modified. Hopefully nothing's wrong with the ebuild...

yem
n00b
Joined: 05 Nov 2002
Posts: 63
Location: Aotearoa

Posted: Sat Mar 12, 2005 10:09 am

tuxophil wrote:
Hmm, strange, on the two systems I did this kdm was also modified. Hopefully nothing's wrong with the ebuild...
Ah I see what happened. The ebuild includes kde (but not kdm - are they the same thing?) and login. However, I don't use kde and thus the kde file was created by pam_login. Being a new file, etc-update didn't show any diff on that file.

I would suggest either modifying kde/m, gdm and xdm OR modify login only, and include an einfo in the ebuild to tell the user that they'll need to modify the file for their chosen *dm appropriately. Something like this:

Code:
--- pam_mount-0.9.22.ebuild     2005-03-12 22:58:46.000000000 +1300
+++ pam_mount-0.9.22-r1.ebuild  2005-03-12 23:06:22.000000000 +1300
@@ -29,7 +29,7 @@
        insopts -m0644
        doins ${FILESDIR}/pam_mount.conf
        insinto /etc/pam.d
-       doins ${FILESDIR}/login ${FILESDIR}/kde
+       doins ${FILESDIR}/login
        # fixed mount.crypt
        #insinto /usr/bin
        #doins ${FILESDIR}/mount.crypt
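Review bot: on the doins line, dropping ${FILESDIR}/kde leaves /etc/pam.d/login as the only service this ebuild hooks, so anyone who logs in through a display manager gets a session without the encrypted home mounted, and no error, unless they read the postinst text. If that is the intent, mention the file name kde in that message as well, since that is the file the removed line installed; also quote the path as "${FILESDIR}/login" so a directory name containing spaces does not split the argument.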
@@ -38,3 +38,13 @@
        dosym /usr/bin/mount.crypt /sbin/mount.crypt
        dodoc README TODO AUTHORS ChangeLog FAQ INSTALL NEWS
 }
+
+pkg_postinst() {
+       einfo "This ebuild modifies /etc/pam.d/login to include pam_mount hooks."
+       einfo "If you use a graphical login manager such as xdm, kdm or gdm, you"
+       einfo "will need to add the following lines to the appropriate file"
+       einfo "in /etc/pam.d/:"
+       einfo
+       einfo "auth       optional     /lib/security/pam_mount.so use_first_pass"
+       einfo "session    optional     /lib/security/pam_mount.so"
+}
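Review bot: the two einfo lines that print the PAM entries do not say where in the file they belong, and use_first_pass on the auth line only has a password to reuse when an earlier auth module has already collected one. State the placement in the message (after the existing auth entries), and name kde alongside xdm, kdm and gdm, since that is the file the first hunk stops installing.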
(untested!)
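
yem's points above, that /etc/pam.d/login alone is not enough and that etc-update shows no diff for a newly created file, can be checked directly. As an added example (not from the thread or the ebuild), this script reports which PAM service files carry both pam_mount lines; the function names, status words and sample files are assumptions made here, and pam_unix.so stands in for whatever module collects the password.

```bash
#!/bin/bash
# Added example, not code from the thread or the pam_mount ebuild.

# check_pam_service FILE
# prints: ok | missing-auth | missing-session | missing-both | auth-first
check_pam_service() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }   # comments and blank lines
        $1 == "auth" {
            if ($0 ~ /pam_mount\.so/) {
                auth = 1
                # use_first_pass needs an earlier auth module that
                # already collected the password
                if ($0 ~ /use_first_pass/ && !prior_auth) first = 1
            } else {
                prior_auth = 1
            }
        }
        $1 == "session" && $0 ~ /pam_mount\.so/ { session = 1 }
        END {
            if (!auth && !session) print "missing-both"
            else if (!auth)        print "missing-auth"
            else if (!session)     print "missing-session"
            else if (first)        print "auth-first"
            else                   print "ok"
        }
    ' "$1"
}

# audit_pam_dir DIR SERVICE...  (returns 1 if any installed service is not ok)
audit_pam_dir() {
    local dir svc status rc
    dir=$1; rc=0
    shift
    for svc in "$@"; do
        [ -f "$dir/$svc" ] || continue   # service not installed
        status=$(check_pam_service "$dir/$svc")
        printf '%s: %s\n' "$svc" "$status"
        [ "$status" = ok ] || rc=1
    done
    return $rc
}

# Constructed sample files; the pam_mount lines are the ones quoted above.
make_sample_pam_dir() {
    local d
    d=$(mktemp -d) || return 1
    cat > "$d/login" <<'EOF'
auth       required     pam_unix.so
auth       optional     /lib/security/pam_mount.so use_first_pass
session    required     pam_unix.so
session    optional     /lib/security/pam_mount.so
EOF
    cat > "$d/kdm" <<'EOF'     # never edited
auth       required     pam_unix.so
session    required     pam_unix.so
EOF
    cat > "$d/gdm" <<'EOF'     # session line only
auth       required     pam_unix.so
session    optional     /lib/security/pam_mount.so
EOF
    cat > "$d/su" <<'EOF'      # pam_mount before the password module
auth       optional     /lib/security/pam_mount.so use_first_pass
auth       required     pam_unix.so
session    optional     /lib/security/pam_mount.so
EOF
    printf '%s\n' "$d"
}

sample=$(make_sample_pam_dir)
audit_pam_dir "$sample" login xdm gdm kdm su ||
    echo "at least one service will not mount the encrypted home"
rm -rf "$sample"
```

On a real system the call would be `audit_pam_dir /etc/pam.d login xdm gdm kdm kde su sshd`; services that are not installed are skipped.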

thomash
n00b
Joined: 25 Oct 2003
Posts: 14

Posted: Fri Apr 08, 2005 5:30 pm

Hello everyone.

This looks like a really great guide, and I want to use a partition instead of a file.

I also want the entire /home directory encrypted, and not only the homedir of my regular user (thomas).
I have only two users on my laptop, and it's no problem to use the same password for both, if needed.

Anyone interested in giving me a step-by-step guide to achieve this? (I'm pretty new to it.)

I get stuck on where to store the key, and I'm not supposed to mkdir /home/home I assume?
Permissions on various files would also be a problem =)

I appreciate any help!

Thanks.
Thomas Hoff

thomash
n00b
Joined: 25 Oct 2003
Posts: 14

Posted: Fri Apr 08, 2005 9:22 pm

Before attempting to encrypt all of /home, I thought I should give this tutorial a try (setting up an encrypted homedir for a specific user, from a partition)

This is what I did:

Code:

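# Overwrite the partition with random data before first use
dd if=/dev/urandom of=/dev/sda4 bs=1M

# 79 random printable characters as the volume key
KEY=`tr -cd '[:graph:]' < /dev/urandom | head -c 79`

# Quote "$KEY": unquoted, glob characters in it could be expanded by the shell
echo "$KEY" | cryptsetup create bleh /dev/sda4

mke2fs /dev/mapper/bleh

# openssl prompts for the password that protects the key file
echo "$KEY" | openssl aes-256-ecb > /home/bleh.key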

touch /home/bleh.key.old
chown bleh /home/bleh.key /home/bleh.key.old
chmod 600 /home/bleh.key /home/bleh.key.old

mkdir /home/bleh2
chown bleh /home/bleh2
chgrp users /home/bleh2
chmod 700 /home/bleh2


Then I added this line to my /etc/security/pam_mount.conf:
Code:

volume bleh crypt - /dev/sda4 /home/bleh2 cipher=aes aes-256-ecb /home/bleh.key


Then I exited all sessions with "bleh" and logged in again. The messages I get after login look good. No errors.
But I start in /home/bleh and not /home/bleh2

I did a 'ls /home' and got:
drwx------ 18 bleh users 1448 Apr 8 23:08 bleh
-rw------- 1 bleh root 112 Apr 8 22:52 bleh.key
-rw------- 1 bleh root 0 Apr 8 22:52 bleh.key.old
drwxr-xr-x 3 root root 4096 Apr 8 22:51 bleh2

It changes the owner, group and permission of /home/bleh2 when i login. I verified that it had the proper permissions before login.

Anyone know what the problem is? Can it be because I'm using an external USB HDD? Or am i missing something?

thomash
n00b
Joined: 25 Oct 2003
Posts: 14

Posted: Sat Apr 09, 2005 9:07 pm

Sorry, ignore my last post.
After the partition is mounted, I su'd and changed the owner, group and permissions of /home/bleh2 (as section 5 tells me to do).
I saw someone else was asking about this too, guess I should've looked more closely =)

I'd still like to see how someone encrypted all of /home though

thomash
n00b
Joined: 25 Oct 2003
Posts: 14

Posted: Sat Apr 09, 2005 10:09 pm

Here is what i did to have all of /home encrypted, using a partition (on an external USB HDD):

bleh is my user.

Code:

dd if=/dev/urandom of=/dev/sda4 bs=1M

KEY=`tr -cd '[:graph:]' < /dev/urandom | head -c 79`

# "$KEY" is quoted so the shell cannot glob-expand characters in it
echo "$KEY" | cryptsetup create bleh /dev/sda4

mke2fs /dev/mapper/bleh

echo "$KEY" | openssl aes-256-ecb > /etc/bleh.key

touch /etc/bleh.key.old
chown bleh /etc/bleh.key /etc/bleh.key.old
chmod 600 /etc/bleh.key /etc/bleh.key.old


Add the following line to /etc/security/pam_mount.conf:

Code:

volume bleh crypt - /dev/sda4 /home cipher=aes aes-256-ecb /etc/bleh.key


Exit all sessions as bleh, login as root and do:

Code:

mv /home /home2
mkdir /home
chown bleh /home
chgrp users /home
chmod 700 /home


Exit root, login as bleh and do:

Code:

su
mkdir /home/bleh
chown bleh /home/bleh
chgrp users /home/bleh
chmod 700 /home/bleh


Exit bleh and relogin. Now you should start in your new homedir in the encrypted /home.
You can now move all your files in /home2/bleh to your new homedir.

I haven't added a second user yet. Not sure how/if it would work. But i'll post more info as soon as i have it.

kueka
n00b
Joined: 09 Oct 2004
Posts: 3
Location: Germany

Posted: Sun Apr 10, 2005 10:15 pm    Post subject: little add to this howto

The setup works fine, only one little thing goes wrong.
I have tested the ssh login and it fails with some errors.
After a little searching on the web I found the solution:
in /etc/ssh/sshd_config set these parameters:
ChallengeResponseAuthentication no
PasswordAuthentication yes
and ssh login works.

so long

gregory_bleiker
n00b
Joined: 22 Aug 2005
Posts: 1

Posted: Mon Aug 22, 2005 4:00 pm

Hi All

Thanks for the nice HOWTO. However, I am (unfortunately) not getting it completely to work with SSH. I'm trying to have encrypted directories in a user's home and the user logs in (exclusively) via SSH.
What I have done so far:

The problem is that the drive is not unmounted on logout. I have applied the patch of http://bugzilla.mindrot.org/show_bug.cgi?id=926 to OpenSSH and changed /etc/ssh/sshd_config to not use privilege separation, without success...
Mounting the drive is no problem, but I have so far not been able to unmount a drive through pam_mount.
If I have UsePrivilegeSeparation, the unmount doesn't even get called, if I have it on it gets called but with wrong uid, so it can't unmount the drive because it was mounted as root in the auth part of pam.d. (it tells me mount disagrees with fstab, or if I put the mount command into a local ~/.pam_mount.conf, it tells me I'm not root, which I know, but I still think I'm great... ;)


Any thoughts or help is highly appreciated.

Gregi

yem
n00b
Joined: 05 Nov 2002
Posts: 63
Location: Aotearoa

Posted: Wed Aug 24, 2005 9:36 pm

BTW: I just did a catchup emerge world and pam_mount broke. Turns out cryptsetup links against libdevmapper.so.1.00 exactly and it had been updated to 1.01. If you get an error about libdevmapper.so.x.xx not found (with debug turned on in /etc/security/pam_mount.conf) then try emerging cryptsetup again so that it will re-link with the current version of the lib.

svf
n00b
Joined: 01 Feb 2005
Posts: 50

Posted: Thu Oct 06, 2005 10:33 pm

heya...

nice howto.. I'm going to try that tomorrow morning..

but two questions..

is there any other way to do this (mount crypted home on login) because according to the webpage pam_mount is discontinued :( maybe there's some other neat way with the new baselayout ;)

and second.. are there any other howtos how i can secure some of my /var/spool files? (tmpfs and pgp on shutdown? and risking data loss on crash?)
any other ideas?

nico
_________________
uchafu!

tuxophil
Tux's lil' helper
Joined: 29 Jun 2003
Posts: 80
Location: Diddeleng, Lëtzebuerg

Posted: Fri Oct 07, 2005 7:44 am

svf wrote:
is there any other way to do this (mount crypted home on login) because according to the webpage pam_mount is discontinued :( maybe there's some other neat way with the new baselayout ;)
Unfortunately I don't think there's another way that doesn't require a second passphrase. If you want to enter your passphrase only once it must be passed by PAM to the mount command. I don't know of any other pam_mount-like program. It's a pity that it's discontinued. But then again, it works just fine. The only thing I may try sometime is to hack LUKS-support into it. (But only if it doesn't require too much C code.)

svf wrote:
and second.. are there any other howtos how i can secure some of my /var/spool files? (tmpfs and pgp on shutdown? and risking data loss on crash?)
any other ideas?
My setup is as follows: large enough swap, mount a 2GiB maximum tmpfs-filesystem as /tmp. Since tmpfs is handled by the VM, it always resides in RAM or swap. Just encrypt your swap and everything's fine.

/var/tmp is more problematic since these files should be persistent across reboots. Unfortunately the only solution I see is to make a system-wide encrypted partition for /var/tmp. But then you'll have to enter its passphrase at each startup.

svf
n00b
Joined: 01 Feb 2005
Posts: 50

Posted: Fri Oct 07, 2005 6:56 pm

hi

everything's working fine - thanks again

so the weakest point in the chain is my user password... i think i do have a really strong password but.. how is it stored? what's the algorithm used for /etc/shadow
(blowfish? des?) somebody knows about that?
_________________
uchafu!

tuxophil
Tux's lil' helper
Joined: 29 Jun 2003
Posts: 80
Location: Diddeleng, Lëtzebuerg

Posted: Fri Oct 07, 2005 7:36 pm

svf wrote:
so the weakest point in the chain is my user password...
Normally yes. But don't forget about the unencrypted parts of your system...
svf wrote:
i think i do have a really strong password but.. how is it stored? what's the algorithm used for /etc/shadow (blowfish? des?) somebody knows about that?
IIRC it's salted MD5. MD5 may not be the strongest hash around, but brute forcing it would still be quite a feat.

Massimo B.
Veteran
Joined: 09 Feb 2005
Posts: 1759
Location: PB, Germany

Posted: Mon Oct 31, 2005 1:07 pm

Is there a way to do your setup also with the new baselayout and /etc/conf.d/cryptfs ? Encrypting the swap partition that way was terribly easy.
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770

tuxophil
Tux's lil' helper
Joined: 29 Jun 2003
Posts: 80
Location: Diddeleng, Lëtzebuerg

Posted: Sun Nov 06, 2005 6:41 pm

paoleela wrote:
Is there a way to do your setup also with the new baselayout and /etc/conf.d/cryptfs ?

I don't think so. AFAIK conf.d/cryptfs requires the entry of a (system-level?) passphrase at boot time. To transparently mount a partition when the user logs in you'll have to use pam_mount.

hippysurfer
n00b
Joined: 14 Nov 2003
Posts: 51

Posted: Thu Nov 10, 2005 12:28 pm    Post subject: problem unmounting on logout

I have followed the HOWTO (many thanks to its author) but I have a problem with the encrypted filesystem not being unmounted on logout. I am logging in using 'su' so I have setup /etc/pam.d/su to use pam_mount and the mounting on login works fine. But when I logout I get the following log:

Code:

pam_mount: received order to close things
pam_mount: real and effective user ID are 405 and 405.
pam_mount: user is guest
pam_mount: command: /usr/sbin/pmvarrun [-u] [guest] [-d] [-o] [-1]
pam_mount: could not open count file /var/run/pam_mount/guest
pam_mount: pmvarrun says login count is 0
pam_mount: going to unmount
pam_mount: information for mount:
pam_mount: --------
pam_mount: (defined by globalconf)
pam_mount: user:          guest
pam_mount: server:
pam_mount: volume:        /home/.guest.img
pam_mount: mountpoint:    /home/.guest
pam_mount: options:       loop,cipher=aes
pam_mount: fs_key_cipher: aes-256-ecb
pam_mount: fs_key_path:   /home/.guest.key
pam_mount: use_fstab:   0
pam_mount: --------
pam_mount: command: /usr/sbin/lsof [/home/.guest]
pam_mount: lsof output (should be empty)...
pam_mount: waiting for lsof
pam_mount: command: /usr/bin/umount.crypt [/home/.guest]
pam_mount: umount errors (should be empty):
pam_mount: pam_mount: error setting uid to 0

pam_mount: mlockall failed: Cannot allocate memory

pam_mount: WARNING!!! Possibly insecure memory. Are you root?

pam_mount: Command failed: Invalid argument

pam_mount: umount: /home/.guest is not in the fstab (and you are not root)

pam_mount: umount.crypt: error unmounting /home/.guest

pam_mount: waiting for umount
pam_mount: unmount of /home/.guest.img failed
pam_mount: pam_mount execution complete


For some reason pam_mount can't setuid to root so the unmount fails.

I can su to root and run umount.crypt /home/.guest and it works fine.

hmm

Regards

Richard
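
The log in the post above shows a session close that ran with UID 405, so umount.crypt could not become root and the decrypted volume stayed mounted after logout. As an added example (not pam_mount code), this filter pulls such events out of pam_mount debug output; the first sample record is abridged from that log, the second is constructed for contrast, and the function names and the cause labels are made up here.

```bash
#!/bin/bash
# Added example, not part of pam_mount. Reads pam_mount debug output
# (file argument or stdin) and prints one line per volume that was
# still mounted after the session closed. Exit status 1 if any found.

# failed_unmounts [FILE]
# output: user=<u> mountpoint=<m> volume=<v> euid=<n> cause=<c>
failed_unmounts() {
    awk '
        # every session close starts a new record
        /pam_mount: received order to close things/ {
            user = mp = euid = ""; cause = "other"; next
        }
        /pam_mount: real and effective user ID are/ {
            euid = $NF; sub(/\.$/, "", euid); next
        }
        /pam_mount: user is /    { user = $NF; next }
        /pam_mount: mountpoint:/ { mp = $NF; next }
        # the unmount helper could not become root
        /error setting uid to 0/ { cause = "helper-not-root"; next }
        /pam_mount: unmount of .* failed/ {
            n++
            printf "user=%s mountpoint=%s volume=%s euid=%s cause=%s\n",
                   user, mp, $(NF - 1), euid, cause
        }
        END { exit (n > 0) }
    ' "${1:--}"
}

# Sample input: first record abridged from the post, second constructed.
sample_log() {
    cat <<'EOF'
pam_mount: received order to close things
pam_mount: real and effective user ID are 405 and 405.
pam_mount: user is guest
pam_mount: going to unmount
pam_mount: user:          guest
pam_mount: volume:        /home/.guest.img
pam_mount: mountpoint:    /home/.guest
pam_mount: command: /usr/bin/umount.crypt [/home/.guest]
pam_mount: umount errors (should be empty):
pam_mount: pam_mount: error setting uid to 0
pam_mount: umount: /home/.guest is not in the fstab (and you are not root)
pam_mount: umount.crypt: error unmounting /home/.guest
pam_mount: waiting for umount
pam_mount: unmount of /home/.guest.img failed
pam_mount: pam_mount execution complete
pam_mount: received order to close things
pam_mount: real and effective user ID are 0 and 0.
pam_mount: user is frodo
pam_mount: going to unmount
pam_mount: mountpoint:    /home/frodo
pam_mount: command: /usr/bin/umount.crypt [/home/frodo]
pam_mount: umount errors (should be empty):
pam_mount: waiting for umount
pam_mount: pam_mount execution complete
EOF
}

sample_log | failed_unmounts ||
    echo "encrypted volume(s) left mounted after logout"
```

Paths containing spaces are not handled, since the fields are split on whitespace.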

All times are GMT