thomash (n00b), Joined: 25 Oct 2003, Posts: 14
Posted: Sat Nov 12, 2005 10:20 pm, Post subject: Serious problem when trying to mount
When logging in, the same way I always do, pam_mount gives me:
pam_mount: reading options_allow...
pam_mount: reading options_require...
pam_mount: back from global readconfig
pam_mount: per-user configurations not allowed by pam_mount.conf
pam_mount: real and effective user ID are 0 and 0.
pam_mount: checking sanity of volume record (/dev/sda4)
pam_mount: about to perform mount operations
pam_mount: information for mount:
pam_mount: --------
pam_mount: (defined by globalconf)
pam_mount: user: bleh
pam_mount: server:
pam_mount: volume: /dev/sda4
pam_mount: mountpoint: /home/bleh
pam_mount: options: cipher=aes
pam_mount: fs_key_cipher: aes-256-ecb
pam_mount: fs_key_path: /home/bleh.key
pam_mount: use_fstab: 0
pam_mount: --------
pam_mount: checking to see if /dev/mapper/_dev_sda4 is already mounted at /home/bleh
pam_mount: checking for encrypted filesystem key configuration
pam_mount: decrypting FS key using system auth. token and aes-256-ecb
pam_mount: about to start building mount command
pam_mount: command: /bin/mount [-t] [crypt] [-o] [cipher=aes] [/dev/sda4] [/home/bleh]
pam_mount: mount errors (should be empty):
pam_mount: mount: wrong fs type, bad option, bad superblock on /dev/mapper/_dev_sda4,
pam_mount: missing codepage or other error
pam_mount: In some cases useful info is found in syslog - try
pam_mount: dmesg | tail or so
pam_mount:
pam_mount: mount.crypt: error mounting _dev_sda4
pam_mount: waiting for mount
pam_mount: mount of /dev/sda4 failed
pam_mount: clean system authtok (0)
pam_mount: command: /usr/sbin/pmvarrun [-u] [bleh] [-d] [-o] [1]
pam_mount: pmvarrun says login count is 1
pam_mount: done opening session
dmesg | tail gives:
EXT2-fs error (device dm-1): ext2_check_descriptors: Block bitmap for group 0 not in group (block 1702113070)!
EXT2-fs: group descriptors corrupted!
EXT2-fs error (device dm-1): ext2_check_descriptors: Block bitmap for group 0 not in group (block 1702113070)!
EXT2-fs: group descriptors corrupted!
I don't even know where to start solving this problem.
All I know is that I'd REALLY like to recover some of my documents on this partition =)
Does anyone have any idea what's causing this, and how it can be solved?
thomash (n00b), Joined: 25 Oct 2003, Posts: 14
Posted: Tue Nov 15, 2005 8:35 pm, Post subject: pam_mount fails.
As an update to my post above I can add that my /dev/mapper/bleh is gone.
I unmerged both pam and pam_mount, to start the guide from the beginning again.
But /etc/pam.d/login is not created when emerging the newest versions of pam and pam_mount.
I'm lost.
thomash (n00b), Joined: 25 Oct 2003, Posts: 14
Posted: Fri Nov 18, 2005 2:47 am, Post subject: dm-crypt
Hello again. pam had nothing to do with this problem.
It turned out to be some problem with the filesystem as the error message said, and I solved it the following way:
openssl aes-256-ecb -d -in /home/bleh.key
cryptsetup --verbose --verify-passphrase create sda4 /dev/sda4 (use the output from the openssl command as password)
e2fsck /dev/mapper/sda4
I didn't really understand what dm-crypt and cryptsetup did. Now it's clearer.
dkey (n00b), Joined: 11 May 2005, Posts: 25
Posted: Sun Nov 27, 2005 9:08 pm
hi!
great howto! but, what about live cds? when I have physical access to the computer, I can boot a live cd and get the keyfile, or?
yem (n00b), Joined: 05 Nov 2002, Posts: 63, Location: Aotearoa
Posted: Tue Dec 06, 2005 1:24 am
Has anyone else found that a recent update causes GDM to now ask for the password twice? Here is my /etc/pam.d/gdm:
Code:
#%PAM-1.0
auth optional pam_env.so
auth include system-auth
auth required pam_nologin.so
auth optional /lib/security/pam_mount.so use_first_pass
account include system-auth
password include system-auth
session include system-auth
session optional /lib/security/pam_mount.so
It appears pam_mount is not getting the password token that should be provided by the previous modules (despite the presence of use_first_pass), so it asks for the password a second time itself.
Quote: Dec 6 21:37:00 duck gdm[10198]: pam_mount: error trying to retrieve authtok from auth code
/etc/pam.d/system-auth is the normal gentoo default:
Code:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
searcher (Apprentice), Joined: 13 Mar 2003, Posts: 175, Location: NL
Posted: Mon Dec 19, 2005 11:01 pm
I get the same error. I didn't change anything from the default, and tried console only. The error forces me to type the same password twice. Some googling turned up this page on a RedHat mailing list. Seems they made a design decision that broke pam-mount. Looking on the bright side, you can have two different passwords, one for login and one for encryption.
If someone knows a fix for this (besides hacking on the pam-modules code) I'd be happy to try.
*edit*
Nevermind, I just added both the lines needed at the bottom of /etc/pam.d/login and it worked just fine. No weird errors or anything. Kinda strange that it wouldn't work with the line higher up in the file.
_________________ You are unique ... just like everyone else.
tuxophil (Tux's lil' helper), Joined: 29 Jun 2003, Posts: 80, Location: Diddeleng, Lëtzebuerg
Posted: Fri Dec 23, 2005 12:50 pm
dkey wrote:
Quote: great howto! but, what about live cds? when I have physical access to the computer, I can boot a live cd and get the keyfile, or?
You're right that the keyfile can be retrieved, but that's why it's encrypted with your (hashed) passphrase! You could also let pam_mount use your login password as dm-crypt passphrase. But in this case you could only change your login password if you also reencrypt the entire partition. That's why this master key is necessary. To sum it up, your login password is always the weakest link.
tuxophil (Tux's lil' helper), Joined: 29 Jun 2003, Posts: 80, Location: Diddeleng, Lëtzebuerg
Posted: Fri Dec 23, 2005 12:58 pm
I've also noticed some changes in Gentoo's PAM setup. Unfortunately I can't remember exactly what I had to change in order to get it to work again. Anyway here are my current pam.d/login and pam.d/kde files:
Code:
# /etc/pam.d/login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
auth optional /lib/security/pam_mount.so use_first_pass
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_mount.so
Code:
# /etc/pam.d/kde
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
auth required pam_nologin.so
auth optional /lib/security/pam_mount.so use_first_pass
account include system-auth
password include system-auth
session include system-auth
session optional /lib/security/pam_mount.so
searcher (Apprentice), Joined: 13 Mar 2003, Posts: 175, Location: NL
Posted: Mon Dec 26, 2005 12:54 am
By adding the following line to /etc/pam.d/common_auth:
Code: auth optional pam_mount.so use_first_pass
and to /etc/pam.d/common_session:
Code: session optional pam_mount.so
you can enable the pam_mount login for any way a user can login (kdm, gdm, login etc). Taken from the Debian Grimoire. It's also possible to use a simple @include command, look to the referenced link for more info. I also noticed that the image or partition doesn't get unmounted if there are any programs with open files on that image/partition. Applications such as gpg-agents and gam_server stay in the background, even when logging off, preventing the image/partition from being unmounted.
_________________ You are unique ... just like everyone else.
Guschtel (n00b), Joined: 29 Dec 2005, Posts: 5
Posted: Thu Dec 29, 2005 11:33 pm, Post subject: Config option to remove crypto-device
Maybe I just didn't read it, but one has to add the following to the pam_mount config so that the crypto device gets removed:
cryptumount /usr/bin/umount.crypt %(MNTPT)
and thanks for the "tutorial"!
Massimo B. (Veteran), Joined: 09 Feb 2005, Posts: 1771, Location: PB, Germany
Posted: Fri Feb 03, 2006 4:29 pm
Hello.
Did you already try with LUKS? The comments in my pam_mount.conf point to your howto here and say:
Code:
# Note that pam_mount is LUKS (http://luks.endorphin.org) aware. To
# use luks, you need to have cryptsetup-luks (get it at
# http://luks.endorphin.org/dm-cryp) installed. A config line would be
#volume user1 crypt - /dev/yourpartition /yourmountpoint - - -
# and cryptsetup will be told to read cypher/keysize/etc. from the luks-header.
According to EncryptedDeviceUsingLUKS I tried with # cryptsetup --verbose --verify-passphrase luksFormat /dev/hda2. As I understand it, the passphrase now should be my keyfile? I don't know how to link to the file.
_________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Last edited by Massimo B. on Sun Feb 05, 2006 1:43 am; edited 1 time in total
Massimo B. (Veteran), Joined: 09 Feb 2005, Posts: 1771, Location: PB, Germany
Posted: Sun Feb 05, 2006 12:18 am
You said:
Quote: ..an old version of your encrypted master key could still be recovered after you've used passwdehd
but of course with every passwdehd an old version is stored in key.old. Shouldn't the old encrypted key file be deleted afterwards?
_________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Massimo B. (Veteran), Joined: 09 Feb 2005, Posts: 1771, Location: PB, Germany
Posted: Sun Feb 05, 2006 12:56 am
tuxophil wrote:
Quote: Yes, I should have added some lines about that problem. In fact there are still some processes left when you leave KDE, but only for a few ms. Adding a one second sleep to umount.crypt solves this problem. This should be more elegant.
Where should I add this sleep 1? I noticed that I can umount myself after logout from kde is finished.
Usually I transport my laptop by logging out and putting it to sleep. Then I'd like to have my home umounted AND encrypted.
I tried in /etc/security/pam_mount.conf something like:
Code: cryptumount 'sleep 5 && /usr/bin/umount.crypt %(MNTPT)'
but the logs still claim:
Code: pam_mount: command: /usr/bin/umount.crypt [/home]
_________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Massimo B. (Veteran), Joined: 09 Feb 2005, Posts: 1771, Location: PB, Germany
Posted: Sun Feb 05, 2006 12:11 pm, Post subject: Re: Config option to remove crypto-device
Guschtel wrote:
Quote: cryptumount /usr/bin/umount.crypt %(MNTPT)
I don't think so, I get the message pam_mount: Unknown Config-Option: cryptumount'. umount.crypt is used anyway according to the debug text.
_________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
inode77 (Veteran), Joined: 20 Jan 2004, Posts: 1303, Location: Heart of Europe
Posted: Wed Feb 08, 2006 1:56 am
I have successfully done it using console login but not xdm.
Here's the error; xdm is killed almost instantly after login:
Code:
X Window System Version 6.8.2
Release Date: 9 February 2005
X Protocol Version 11, Revision 0, Release 6.8.2
Build Operating System: Linux 2.6.15-gentoo i686 [ELF]
Current Operating System: Linux stingray 2.6.15-gentoo-r4 #1 PREEMPT Tue Feb 7 23:54:29 CET 2006 i686
Build Date: 20 January 2006
Before reporting problems, check http://wiki.X.Org
to make sure that you have the latest version.
Module Loader present
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/Xorg.0.log", Time: Wed Feb 8 01:07:16 2006
(==) Using config file: "/etc/X11/xorg.conf"
Using vt 7
pam_mount: pam_sm_open_session args: use_first_pass
pam_mount: saving authtok for session code
xdm error (pid 9397): Unknown session exit code 2816 from process 9405
And here is my "/etc/pam.d/xdm":
Code:
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
auth optional /lib/security/pam_mount.so use_first_pass
session optional /lib/security/pam_mount.so
Does somebody have a hint on how to solve this problem?
Guschtel (n00b), Joined: 29 Dec 2005, Posts: 5
Posted: Tue Feb 28, 2006 6:45 pm, Post subject: Problems getting the device unmounted? Use fuser
Hi,
I found that sometimes there are some processes left that are working on the device, and therefore the device does not get unmounted and encrypted, which is very bad (imho).
Therefore I modified the umount.crypt script and inserted
# Change here
FUSER=/usr/bin/fuser
and then
# ask cryptsetup about the underlying device
REALDEVICE=`$CRYPTSETUP status $DMDEVICE | sed -n '/device/s/[ ]*device:[ ]*//p'`
# Change here
# kill all user processes still holding files on the mountpoint (-m), so the umount can succeed
$FUSER -km "$1"
$UMOUNT "$1"
Did any of you also experience this problem? Should I maybe file a "bug report" to get this included?
Guschtel
Last edited by Guschtel on Tue Feb 28, 2006 6:54 pm; edited 1 time in total
Guschtel (n00b), Joined: 29 Dec 2005, Posts: 5
Posted: Tue Feb 28, 2006 6:53 pm, Post subject: Re: Config option to remove crypto-device
paoleela wrote:
Quote: (Guschtel wrote: cryptumount /usr/bin/umount.crypt %(MNTPT)) I don't think so, I get the message pam_mount: Unknown Config-Option: cryptumount'. umount.crypt is used anyway according to the debug text.
Yes, you're right.
Sorry for that, I don't know why it didn't work that day. Must have been something else.
R. Bosch (Apprentice), Joined: 07 Jun 2004, Posts: 184, Location: NL
Posted: Sat Mar 04, 2006 4:11 pm
Could you post a new version of the pam_mount package on your link? The pam_mount version is now at 0.12.0. Also the homepage has been changed to this. _________________ Greetings / Met vriendelijke groet,
R. Bosch
batistuta (Veteran), Joined: 29 Jul 2005, Posts: 1384, Location: Aachen
Posted: Wed Apr 05, 2006 7:50 am
What about sharing your encrypted files with other users? This is possible in Windows XP, but they have a weak link, which is that the administrator can access the encrypted files. That is totally nuts!
I find this particularly useful, for example with my music database. I want to encrypt my /share/music partition, but I want this to be accessible by a set of users, or at least by a group. Admins (i.e. booting from a liveCD) should not.
In the ideal case, this should be done like with acls, except that the management should be done exclusively by the user. That is booting from a liveCD should not give access to the files. It looks like every user should have a key to access the partition. This sounds possible. But then, when a user is removed from the access list, they should revoke him the key. This sounds impossible to me...
Is there anything currently being done in this direction?
Massimo B. (Veteran), Joined: 09 Feb 2005, Posts: 1771, Location: PB, Germany
Posted: Wed Apr 05, 2006 8:01 am
You can provide more than one key by using LUKS, while the administrator is able to add and delete keys. I don't know of a possibility to see only parts of the filesystem with the one key while the other can see all of it.
_________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
svpe (n00b), Joined: 17 Apr 2006, Posts: 1
Posted: Mon Apr 17, 2006 6:29 pm
Thanks for the great guide!
If you don't want to modify each /etc/pam.d/whatever file you can also try to modify only your /etc/pam.d/system-auth file, which gets included in almost every application configuration file (kde, gdm, login, ...).
You only need to make sure that the "auth optional..." line for the pam_mount module isn't inserted after an auth sufficient line, and you need to add use_first_pass to all other module lines that need a password (like pam_unix).
skeimer (Tux's lil' helper), Joined: 25 Dec 2002, Posts: 99
Posted: Sun Jun 18, 2006 5:46 pm
hi,
the latest pam_mount (0.13.0-r1) has forced cryptsetup-luks to be installed.
If I run cryptsetup (luks), I get:
Code:
echo $KEY | cryptsetup -h sha256 create secure_disk /dev/hda7
Command failed: Invalid argument
I have no idea what the argument error should be... I've tried some other options, but nothing works.
Modules are loaded, cryptsetup-luks is version 1.0.1-r1.
Has anyone experience with this problem?
bartek (Tux's lil' helper), Joined: 16 Mar 2004, Posts: 83, Location: Poland, Pysznica
Posted: Mon Jun 19, 2006 1:03 am
The problem is that cryptsetup-luks is not compatible with cryptsetup :]
skeimer (Tux's lil' helper), Joined: 25 Dec 2002, Posts: 99
Posted: Mon Jun 19, 2006 8:30 am
bartek wrote:
Quote: It's problem with cryptsetup-luks is no compatible with cryptsetup :]
Sure, it's not compatible, but I tried to initially set up the partition, so it should work...
The syntax is the same for both flavours of cryptsetup; does the luks version perhaps need a prior setup step?
vobla (n00b), Joined: 25 Mar 2004, Posts: 20
Posted: Mon Jun 26, 2006 8:56 am
hi,
I've been using pam_mount for some time and had everything working until an update broke it.
I have the whole partition encrypted and pam_mount mounted it for me during login. Now it fails with this:
Code:
Jun 26 11:45:27 xxx login(pam_unix)[2989]: session opened for user xxx by (uid=0)
Jun 26 11:45:27 xxx login[2989]: pam_mount: reading options_allow...
Jun 26 11:45:27 xxx login[2989]: pam_mount: reading options_require...
Jun 26 11:45:27 xxx login[2989]: pam_mount: back from global readconfig
Jun 26 11:45:27 xxx login[2989]: pam_mount: per-user configurations not allowed by pam_mount.conf
Jun 26 11:45:27 xxx login[2989]: pam_mount: real and effective user ID are 0 and 0.
Jun 26 11:45:27 xxx login[2989]: pam_mount: checking sanity of volume record (/dev/sda5)
Jun 26 11:45:27 xxx login[2989]: pam_mount: about to perform mount operations
Jun 26 11:45:27 xxx login[2989]: pam_mount: information for mount:
Jun 26 11:45:27 xxx login[2989]: pam_mount: --------
Jun 26 11:45:27 xxx login[2989]: pam_mount: (defined by globalconf)
Jun 26 11:45:27 xxx login[2989]: pam_mount: user: xxx
Jun 26 11:45:27 xxx login[2989]: pam_mount: server:
Jun 26 11:45:27 xxx login[2989]: pam_mount: volume: /dev/sda5
Jun 26 11:45:27 xxx login[2989]: pam_mount: mountpoint: /home/xxx
Jun 26 11:45:27 xxx login[2989]: pam_mount: options: cipher=aes
Jun 26 11:45:27 xxx login[2989]: pam_mount: fs_key_cipher: aes-256-ecb
Jun 26 11:45:27 xxx login[2989]: pam_mount: fs_key_path: /home/xxx/xxx.key
Jun 26 11:45:27 xxx login[2989]: pam_mount: use_fstab: 0
Jun 26 11:45:27 xxx login[2989]: pam_mount: --------
Jun 26 11:45:27 xxx login[2989]: pam_mount: checking to see if /dev/mapper/_dev_sda5 is already mounted at /home/xxx
Jun 26 11:45:27 xxx login[2989]: pam_mount: checking for encrypted filesystem key configuration
Jun 26 11:45:27 xxx login[2989]: pam_mount: decrypting FS key using system auth. token and aes-256-ecb
Jun 26 11:45:27 xxx login[2989]: pam_mount: error getting cipher "aes-256-ecb"
Jun 26 11:45:27 xxx login[2989]: pam_mount: mount of /dev/sda5 failed
Jun 26 11:45:27 xxx login[2989]: pam_mount: clean system authtok (0)
Jun 26 11:45:27 xxx login[2989]: pam_mount: command: /usr/sbin/pmvarrun [-u] [xxx] [-d] [-o] [1]
Jun 26 11:45:27 xxx login[2989]: pam_mount: pmvarrun says login count is 2
Jun 26 11:45:27 xxx login[2989]: pam_mount: done opening session
I've got the following versions installed:
cryptsetup-0.1-r2
device-mapper-1.02.02
pam_mount-0.9.25
Anyone?