Gentoo Forums
Automatically mount dm-crypt encrypted home with pam_mount
thomash
n00b

Joined: 25 Oct 2003
Posts: 14

PostPosted: Sat Nov 12, 2005 10:20 pm    Post subject: Serious problem when trying to mount

When logging in, the same way I always do, pam_mount gives me:


Code:
pam_mount: reading options_allow...
pam_mount: reading options_require...
pam_mount: back from global readconfig
pam_mount: per-user configurations not allowed by pam_mount.conf
pam_mount: real and effective user ID are 0 and 0.
pam_mount: checking sanity of volume record (/dev/sda4)
pam_mount: about to perform mount operations
pam_mount: information for mount:
pam_mount: --------
pam_mount: (defined by globalconf)
pam_mount: user: bleh
pam_mount: server:
pam_mount: volume: /dev/sda4
pam_mount: mountpoint: /home/bleh
pam_mount: options: cipher=aes
pam_mount: fs_key_cipher: aes-256-ecb
pam_mount: fs_key_path: /home/bleh.key
pam_mount: use_fstab: 0
pam_mount: --------
pam_mount: checking to see if /dev/mapper/_dev_sda4 is already mounted at /home/bleh
pam_mount: checking for encrypted filesystem key configuration
pam_mount: decrypting FS key using system auth. token and aes-256-ecb
pam_mount: about to start building mount command
pam_mount: command: /bin/mount [-t] [crypt] [-o] [cipher=aes] [/dev/sda4] [/home/bleh]
pam_mount: mount errors (should be empty):
pam_mount: mount: wrong fs type, bad option, bad superblock on /dev/mapper/_dev_sda4,
pam_mount: missing codepage or other error
pam_mount: In some cases useful info is found in syslog - try
pam_mount: dmesg | tail or so
pam_mount:
pam_mount: mount.crypt: error mounting _dev_sda4
pam_mount: waiting for mount
pam_mount: mount of /dev/sda4 failed
pam_mount: clean system authtok (0)
pam_mount: command: /usr/sbin/pmvarrun [-u] [bleh] [-d] [-o] [1]
pam_mount: pmvarrun says login count is 1
pam_mount: done opening session

dmesg | tail gives:
Code:
EXT2-fs error (device dm-1): ext2_check_descriptors: Block bitmap for group 0 not in group (block 1702113070)!
EXT2-fs: group descriptors corrupted!
EXT2-fs error (device dm-1): ext2_check_descriptors: Block bitmap for group 0 not in group (block 1702113070)!
EXT2-fs: group descriptors corrupted!


I don't even know where to start solving this problem.
All I know is that I'd REALLY like to recover some of my documents on this partition =)

Does anyone have any idea what's causing this, and how it can be solved?
thomash
n00b

Joined: 25 Oct 2003
Posts: 14

PostPosted: Tue Nov 15, 2005 8:35 pm    Post subject: pam_mount fails.

As an update to my post above I can add that my /dev/mapper/bleh is gone.

I unmerged both pam and pam_mount, to start the guide from the beginning again.
But /etc/pam.d/login is not created when emerging the newest versions of pam and pam_mount.

I'm lost :(
thomash
n00b

Joined: 25 Oct 2003
Posts: 14

PostPosted: Fri Nov 18, 2005 2:47 am    Post subject: dm-crypt

Hello again. pam had nothing to do with this problem.

It turned out to be some problem with the filesystem, as the error message said, and I solved it the following way:
Code:
openssl aes-256-ecb -d -in /home/bleh.key
# use the output from the openssl command as the password:
cryptsetup --verbose --verify-passphrase create sda4 /dev/sda4
e2fsck /dev/mapper/sda4

I didn't really understand what dm-crypt and cryptsetup did. Now it's more clear.
dkey
n00b

Joined: 11 May 2005
Posts: 25

PostPosted: Sun Nov 27, 2005 9:08 pm

hi!

Great howto! But what about live CDs? If I have physical access to the computer, I can boot a live CD and get the keyfile, can't I?
yem
n00b

Joined: 05 Nov 2002
Posts: 63
Location: Aotearoa

PostPosted: Tue Dec 06, 2005 1:24 am

Has anyone else found that a recent update causes GDM to now ask for the password twice? Here is my /etc/pam.d/gdm:
Code:
#%PAM-1.0
auth       optional             pam_env.so
auth       include              system-auth
auth       required             pam_nologin.so
auth       optional     /lib/security/pam_mount.so use_first_pass
account    include              system-auth
password   include              system-auth
session    include              system-auth
session    optional     /lib/security/pam_mount.so

It appears pam_mount is not getting the password token that should be provided by the previous modules (despite the presence of use_first_pass), so it asks for the password a second time itself.

Quote:
Dec 6 21:37:00 duck gdm[10198]: pam_mount: error trying to retrieve authtok from auth code


/etc/pam.d/system-auth is the normal gentoo default:
Code:
#%PAM-1.0

auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so

account    required     pam_unix.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
searcher
Apprentice

Joined: 13 Mar 2003
Posts: 175
Location: NL

PostPosted: Mon Dec 19, 2005 11:01 pm

I get the same error. I didn't change anything from the default, and tried console only. The error forces me to type the same password twice. Some googling turned up this page on a RedHat mailing list. Seems they made a design decision that broke pam-mount. Looking on the bright side, you can have two different passwords, one for login and one for encryption :-)

If someone knows a fix for this (besides hacking on the pam-modules code) I'd be happy to try.

*edit*
Nevermind, I just added both the lines needed at the bottom of /etc/pam.d/login and it worked just fine. No weird errors or anything. Kinda strange that it wouldn't work with the line higher up in the file.
_________________
You are unique ... just like everyone else.
tuxophil
Tux's lil' helper

Joined: 29 Jun 2003
Posts: 80
Location: Diddeleng, Lëtzebuerg

PostPosted: Fri Dec 23, 2005 12:50 pm

dkey wrote:
Great howto! But what about live CDs? If I have physical access to the computer, I can boot a live CD and get the keyfile, can't I?

You're right that the keyfile can be retrieved, but that's why it's encrypted with your (hashed) passphrase! You could also let pam_mount use your login password as the dm-crypt passphrase. But in this case you could only change your login password if you also re-encrypt the entire partition. That's why this master key is necessary. To sum it up, your login password is always the weakest link.
tuxophil
Tux's lil' helper

Joined: 29 Jun 2003
Posts: 80
Location: Diddeleng, Lëtzebuerg

PostPosted: Fri Dec 23, 2005 12:58 pm

I've also noticed some changes in Gentoo's PAM setup. Unfortunately I can't remember exactly what I had to change in order to get it to work again. Anyway here are my current pam.d/login and pam.d/kde files:
Code:
# /etc/pam.d/login
#%PAM-1.0

auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
auth       optional     /lib/security/pam_mount.so use_first_pass

account    required     /lib/security/pam_stack.so service=system-auth

password   required     /lib/security/pam_stack.so service=system-auth

session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_mount.so


Code:
# /etc/pam.d/kde
#%PAM-1.0

auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     pam_nologin.so
auth       optional     /lib/security/pam_mount.so use_first_pass

account    include      system-auth

password   include      system-auth

session    include      system-auth
session    optional     /lib/security/pam_mount.so
searcher
Apprentice

Joined: 13 Mar 2003
Posts: 175
Location: NL

PostPosted: Mon Dec 26, 2005 12:54 am

By adding the following line to /etc/pam.d/common_auth:
Code:
auth    optional        pam_mount.so use_first_pass

and to /etc/pam.d/common_session:
Code:
session optional        pam_mount.so

you can enable the pam_mount login for any way a user can login (kdm, gdm, login etc). Taken from the Debian Grimoire. It's also possible to use a simple @include command, look to the referenced link for more info. I also noticed that the image or partition doesn't get unmounted if there are any programs with open files on that image/partition. Applications such as gpg-agents and gam_server stay in the background, even when logging off, preventing the image/partition from being unmounted.
_________________
You are unique ... just like everyone else.
Guschtel
n00b

Joined: 29 Dec 2005
Posts: 5

PostPosted: Thu Dec 29, 2005 11:33 pm    Post subject: Config option to remove crypto-device

Maybe I just didn't read it, but one has to add the following to the pam_mount config so that the crypto device gets removed:

Code:
cryptumount /usr/bin/umount.crypt %(MNTPT)

and thanks for the "tutorial"!
Massimo B.
Veteran

Joined: 09 Feb 2005
Posts: 1759
Location: PB, Germany

PostPosted: Fri Feb 03, 2006 4:29 pm

Hello.
Did you already try with LUKS? The comments in my pam_mount.conf point to your howto here and say:
Code:
# Note that pam_mount is LUKS (http://luks.endorphin.org) aware. To
# use luks, you need to have cryptsetup-luks (get it at
# http://luks.endorphin.org/dm-cryp) installed. A config line would be
#volume user1 crypt - /dev/yourpartition /yourmountpoint - - -
# and cryptsetup will be told to read cypher/keysize/etc. from the luks-header.
According to EncryptedDeviceUsingLUKS I tried with # cryptsetup --verbose --verify-passphrase luksFormat /dev/hda2. As I understand it, the passphrase should now be my keyfile? I don't know how to link to the file.
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770


Last edited by Massimo B. on Sun Feb 05, 2006 1:43 am; edited 1 time in total
Massimo B.
Veteran

Joined: 09 Feb 2005
Posts: 1759
Location: PB, Germany

PostPosted: Sun Feb 05, 2006 12:18 am

You said:
Quote:
..an old version of your encrypted master key could still be recovered after you've used passwdehd
but of course with every passwdehd an old version is stored in key.old. Shouldn't the old encrypted key file be deleted afterwards?
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Massimo B.
Veteran

Joined: 09 Feb 2005
Posts: 1759
Location: PB, Germany

PostPosted: Sun Feb 05, 2006 12:56 am

tuxophil wrote:
Yes, I should have added some lines about that problem. In fact there are still some processes left when you leave KDE, but only for a few ms. Adding a one second sleep to umount.crypt solves this problem. This should be more elegant.
Where should I add this sleep 1? I noticed that I can umount myself after logout from KDE is finished.
Usually I transport my laptop by logging out and putting it to sleep. Then I'd like to have my home umounted AND encrypted.
I tried in /etc/security/pam_mount.conf something like:
Code:
cryptumount 'sleep 5 && /usr/bin/umount.crypt %(MNTPT)'
but the logs still claim
Code:
pam_mount: command: /usr/bin/umount.crypt [/home]

_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Massimo B.
Veteran

Joined: 09 Feb 2005
Posts: 1759
Location: PB, Germany

PostPosted: Sun Feb 05, 2006 12:11 pm    Post subject: Re: Config option to remove crypto-device

Guschtel wrote:
cryptumount /usr/bin/umount.crypt %(MNTPT)
I don't think so, I get the message pam_mount: Unknown Config-Option: cryptumount'. umount.crypt is used anyway according to the debug text.
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
inode77
Veteran

Joined: 20 Jan 2004
Posts: 1303
Location: Heart of Europe

PostPosted: Wed Feb 08, 2006 1:56 am

I have successfully done it using console login but not xdm.
Here's the error after xdm is killed almost instantly after login:
Code:
X Window System Version 6.8.2
Release Date: 9 February 2005
X Protocol Version 11, Revision 0, Release 6.8.2
Build Operating System: Linux 2.6.15-gentoo i686 [ELF]
Current Operating System: Linux stingray 2.6.15-gentoo-r4 #1 PREEMPT Tue Feb 7 23:54:29 CET 2006 i686
Build Date: 20 January 2006
        Before reporting problems, check http://wiki.X.Org
        to make sure that you have the latest version.
Module Loader present
Markers: (--) probed, (**) from config file, (==) default setting,
        (++) from command line, (!!) notice, (II) informational,
        (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/Xorg.0.log", Time: Wed Feb  8 01:07:16 2006
(==) Using config file: "/etc/X11/xorg.conf"
Using vt 7
pam_mount: pam_sm_open_session args: use_first_pass
pam_mount: saving authtok for session code
xdm error (pid 9397): Unknown session exit code 2816 from process 9405

And here is my "/etc/pam.d/xdm":
Code:
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
auth       optional    /lib/security/pam_mount.so use_first_pass
session    optional     /lib/security/pam_mount.so

Does somebody have a hint on how to solve this problem?
Guschtel
n00b

Joined: 29 Dec 2005
Posts: 5

PostPosted: Tue Feb 28, 2006 6:45 pm    Post subject: Problems getting the device unmounted? Use fuser

Hi,

I found that sometimes there are some processes left that are working on the device, and therefore the device does not get unmounted and encrypted, which is very bad (imho).

Therefore I modified the umount.crypt script and inserted
Code:
# Change here
FUSER=/usr/bin/fuser

and then
Code:
# ask cryptsetup about the underlying device
REALDEVICE=`$CRYPTSETUP status "$DMDEVICE" | sed -n '/device/s/[ ]*device:[ ]*//p'`

# Change here
# kill all user processes that still have files open on the mount point
$FUSER -km "$1"

$UMOUNT "$1"

Did any of you also experience this problem? Should I maybe file a "bug report" to get this included?

Guschtel


Last edited by Guschtel on Tue Feb 28, 2006 6:54 pm; edited 1 time in total
Guschtel
n00b

Joined: 29 Dec 2005
Posts: 5

PostPosted: Tue Feb 28, 2006 6:53 pm    Post subject: Re: Config option to remove crypto-device

paoleela wrote:
Guschtel wrote:
cryptumount /usr/bin/umount.crypt %(MNTPT)
I don't think so, I get the message pam_mount: Unknown Config-Option: cryptumount'. umount.crypt is used anyway according to the debug text.


Yes, you're right.
Sorry for that - I don't know why it didn't work that day - must have been something else.
R. Bosch
Apprentice

Joined: 07 Jun 2004
Posts: 184
Location: NL

PostPosted: Sat Mar 04, 2006 4:11 pm

Could you post a new version of the pam_mount package on your link? The pam_mount version is now at 0.12.0. Also the homepage has been changed to this.
_________________
Greetings / Met vriendelijke groet,

R. Bosch
batistuta
Veteran

Joined: 29 Jul 2005
Posts: 1384
Location: Aachen

PostPosted: Wed Apr 05, 2006 7:50 am

What about sharing your encrypted files with other users? This is possible in Windows XP, but they have a weak link, which is that the administrator can access the encrypted files. That is totally nuts! :evil:

I find this particularly useful, for example with my music database. I want to encrypt my /share/music partition, but I want this to be accessible by a set of users, or at least by a group. Admins (i.e. booting from a liveCD) should not.

In the ideal case, this should be done like with ACLs, except that the management should be done exclusively by the user. That is, booting from a liveCD should not give access to the files. It looks like every user should have a key to access the partition. This sounds possible. But then, when a user is removed from the access list, his key should be revoked. This sounds impossible to me...

Is there anything currently being done in this direction? :roll:
Massimo B.
Veteran

Joined: 09 Feb 2005
Posts: 1759
Location: PB, Germany

PostPosted: Wed Apr 05, 2006 8:01 am

You can provide more than one key by using LUKS, while the administrator is able to add and delete keys. I don't know of a possibility to see only parts of the filesystem with the one key while the other can see all of it.
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
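tuxophil's explanation of the master key (a random filesystem key wrapped under the login password, so passwdehd only re-wraps the key and never touches the partition), Massimo B.'s question about key.old, and the LUKS key-slot answer just above all rest on the same mechanism. The following Python model is added here and is not code from pam_mount, LUKS or anyone in this thread: it wraps a master key per user, re-wraps on a password change, removes a slot, and shows why an old wrapped copy still opens the volume. The HMAC-based keystream is a constructed stand-in for the real cipher (aes-256-ecb in pam_mount, the header cipher in LUKS), and all names are assumptions.

```python
import hashlib, hmac, os, secrets


def kdf(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte key-encryption key from a password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in for the real cipher: HMAC-SHA256 counter-mode keystream XOR.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def wrap(master: bytes, password: str) -> dict:
    """Encrypt the master key under the password; the MAC detects a wrong password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    kek = kdf(password, salt)
    body = keystream_xor(kek, nonce, master)
    tag = hmac.new(kek, nonce + body, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "body": body, "tag": tag}


def unwrap(slot: dict, password: str):
    """Return the master key, or None if the password does not fit this slot."""
    kek = kdf(password, slot["salt"])
    expect = hmac.new(kek, slot["nonce"] + slot["body"], "sha256").digest()
    if not hmac.compare_digest(expect, slot["tag"]):
        return None
    return keystream_xor(kek, slot["nonce"], slot["body"])


class Volume:
    """One encrypted volume: the data key never changes, only its wrappings do."""

    def __init__(self):
        self.master = secrets.token_bytes(32)  # the key that actually encrypts the data
        self.slots = {}                         # user -> wrapped copy of master

    def add_user(self, user: str, password: str):
        self.slots[user] = wrap(self.master, password)

    def change_password(self, user: str, old: str, new: str):
        """Like passwdehd: re-wrap only, the partition itself is untouched."""
        if unwrap(self.slots[user], old) != self.master:
            raise PermissionError("old password rejected")
        self.slots[user] = wrap(self.master, new)

    def remove_user(self, user: str):
        """Like deleting a LUKS key slot: a copy made earlier still works."""
        del self.slots[user]

    def unlock(self, user: str, password: str):
        return unwrap(self.slots[user], password) if user in self.slots else None
```

Keeping key.old (or a copied slot) around therefore leaves the volume openable with the old password until the data itself is re-encrypted under a fresh master key.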
svpe
n00b

Joined: 17 Apr 2006
Posts: 1

PostPosted: Mon Apr 17, 2006 6:29 pm

Thanks for the great guide!

If you don't want to modify each /etc/pam.d/whatever file, you can also try to modify only your /etc/pam.d/system-auth file, which gets included in almost every application configuration file (kde, gdm, login, ...).
You only need to make sure that the "auth optional..." line for the pam_mount module isn't inserted after an auth sufficient line, and you need to add use_first_pass to all other module lines that need a password (like pam_unix).
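yem's double password prompt, searcher's note that the line only worked at the bottom of the file, tuxophil's pam_stack versus include files, and svpe's rule above all come down to where pam_mount's auth line sits in the expanded stack. The Python check below is added here (it is not part of pam_mount or this thread) and lints a set of pam.d files for exactly that: it splices `include` lines the way Linux-PAM does, keeps a pam_stack.so line as one entry, and reports a pam_mount auth line that lacks use_first_pass or follows an `auth sufficient` module. The sample files are constructed from the configurations quoted in this thread.

```python
def parse(text):
    """Split a pam.d file into (type, control, module, args) tuples; comments dropped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3:
            entries.append((parts[0].lower(), parts[1].lower(), parts[2], parts[3:]))
    return entries


def expand(files, service, seen=frozenset()):
    """Splice 'include' lines of the same type, as Linux-PAM does, so a 'sufficient'
    inside system-auth can end the including stack. A pam_stack.so line stays one
    entry: its sub-stack comes back to the outer stack as a single module result."""
    out = []
    for mtype, ctrl, module, args in parse(files[service]):
        if ctrl == "include":
            if module in files and module not in seen:
                out += [e for e in expand(files, module, seen | {service}) if e[0] == mtype]
        else:
            out.append((mtype, ctrl, module, args))
    return out


def lint(files, service):
    """Return human-readable findings for one service's expanded stack."""
    findings = []
    stack = expand(files, service)
    auth = [e for e in stack if e[0] == "auth"]
    mount = [i for i, e in enumerate(auth) if e[2].endswith("pam_mount.so")]
    if not mount:
        findings.append("no auth line for pam_mount.so: the password never reaches the session phase")
    else:
        i = mount[0]
        if "use_first_pass" not in auth[i][3]:
            findings.append("pam_mount auth line lacks use_first_pass: it will prompt a second time")
        if any(e[1] == "sufficient" for e in auth[:i]):
            findings.append("pam_mount auth line follows an 'auth sufficient' module: the stack can return before it runs")
    if not any(e[0] == "session" and e[2].endswith("pam_mount.so") for e in stack):
        findings.append("no session line for pam_mount.so: nothing mounts or unmounts the volume")
    return findings


# Constructed sample files, copied from the configurations quoted in this thread.
SAMPLE = {
    "system-auth": """
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
""",
    "gdm": """
auth       optional     pam_env.so
auth       include      system-auth
auth       required     pam_nologin.so
auth       optional     /lib/security/pam_mount.so use_first_pass
session    include      system-auth
session    optional     /lib/security/pam_mount.so
""",
    "login": """
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
auth       optional     /lib/security/pam_mount.so use_first_pass
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_mount.so
""",
}
```

Running `lint(SAMPLE, "gdm")` flags the include-spliced `sufficient pam_unix.so` ahead of pam_mount, which matches the "error trying to retrieve authtok from auth code" message, while the pam_stack-based login file passes clean.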
skeimer
Tux's lil' helper

Joined: 25 Dec 2002
Posts: 99

PostPosted: Sun Jun 18, 2006 5:46 pm

hi,

the latest pam_mount (0.13.0-r1) has forced cryptsetup-luks to be installed.

If I run cryptsetup (luks), I get:
Code:
echo $KEY | cryptsetup -h sha256 create secure_disk /dev/hda7
Command failed: Invalid argument

I have no idea what the argument error should be... I've tried some other options, but nothing works.

Modules are loaded, cryptsetup-luks is of version 1.0.1-r1


Has anyone experience with this problem?
bartek
Tux's lil' helper

Joined: 16 Mar 2004
Posts: 83
Location: Poland, Pysznica

PostPosted: Mon Jun 19, 2006 1:03 am

It's a problem with cryptsetup-luks: it is not compatible with cryptsetup :]
skeimer
Tux's lil' helper

Joined: 25 Dec 2002
Posts: 99

PostPosted: Mon Jun 19, 2006 8:30 am

bartek wrote:
It's a problem with cryptsetup-luks: it is not compatible with cryptsetup :]

Sure, it's not compatible, but I tried to initially set up the partition, though it should work...

The syntax is the same for both flavours of cryptsetup, does the luks version eventually need a prior step to setup?
vobla
n00b

Joined: 25 Mar 2004
Posts: 20

PostPosted: Mon Jun 26, 2006 8:56 am

hi,

I've been using pam_mount for some time and had everything working until an update broke it.
I have the whole partition encrypted and pam_mount mounted it for me during login. Now it fails with this:

Code:
Jun 26 11:45:27 xxx login(pam_unix)[2989]: session opened for user xxx by (uid=0)
Jun 26 11:45:27 xxx login[2989]: pam_mount: reading options_allow...
Jun 26 11:45:27 xxx login[2989]: pam_mount: reading options_require...
Jun 26 11:45:27 xxx login[2989]: pam_mount: back from global readconfig
Jun 26 11:45:27 xxx login[2989]: pam_mount: per-user configurations not allowed by pam_mount.conf
Jun 26 11:45:27 xxx login[2989]: pam_mount: real and effective user ID are 0 and 0.
Jun 26 11:45:27 xxx login[2989]: pam_mount: checking sanity of volume record (/dev/sda5)
Jun 26 11:45:27 xxx login[2989]: pam_mount: about to perform mount operations
Jun 26 11:45:27 xxx login[2989]: pam_mount: information for mount:
Jun 26 11:45:27 xxx login[2989]: pam_mount: --------
Jun 26 11:45:27 xxx login[2989]: pam_mount: (defined by globalconf)
Jun 26 11:45:27 xxx login[2989]: pam_mount: user:          xxx
Jun 26 11:45:27 xxx login[2989]: pam_mount: server:
Jun 26 11:45:27 xxx login[2989]: pam_mount: volume:        /dev/sda5
Jun 26 11:45:27 xxx login[2989]: pam_mount: mountpoint:    /home/xxx
Jun 26 11:45:27 xxx login[2989]: pam_mount: options:       cipher=aes
Jun 26 11:45:27 xxx login[2989]: pam_mount: fs_key_cipher: aes-256-ecb
Jun 26 11:45:27 xxx login[2989]: pam_mount: fs_key_path:   /home/xxx/xxx.key
Jun 26 11:45:27 xxx login[2989]: pam_mount: use_fstab:   0
Jun 26 11:45:27 xxx login[2989]: pam_mount: --------
Jun 26 11:45:27 xxx login[2989]: pam_mount: checking to see if /dev/mapper/_dev_sda5 is already mounted at /home/xxx
Jun 26 11:45:27 xxx login[2989]: pam_mount: checking for encrypted filesystem key configuration
Jun 26 11:45:27 xxx login[2989]: pam_mount: decrypting FS key using system auth. token and aes-256-ecb
Jun 26 11:45:27 xxx login[2989]: pam_mount: error getting cipher "aes-256-ecb"
Jun 26 11:45:27 xxx login[2989]: pam_mount: mount of /dev/sda5 failed
Jun 26 11:45:27 xxx login[2989]: pam_mount: clean system authtok (0)
Jun 26 11:45:27 xxx login[2989]: pam_mount: command: /usr/sbin/pmvarrun [-u] [xxx] [-d] [-o] [1]
Jun 26 11:45:27 xxx login[2989]: pam_mount: pmvarrun says login count is 2
Jun 26 11:45:27 xxx login[2989]: pam_mount: done opening session


i've got following versions installed:
cryptsetup-0.1-r2
device-mapper-1.02.02
pam_mount-0.9.25

Anyone?
Page 3 of 5

 