meatz n00b
Joined: 25 Apr 2004 Posts: 2 Location: Germany
Posted: Wed Jun 28, 2006 2:24 pm Post subject:
hello,
thanks for this great tutorial, it worked fine for me.
but i still have a little problem.
i'm using a fingerprint sensor with pam_bioapi to login.
so i don't have to type in any password.
is there any possibility to combine that? because first using the fingerprint sensor and after that typing the password is not that cool
thanks in advance
meatz |

benkelly76 n00b
Joined: 28 Jul 2006 Posts: 1
Posted: Fri Jul 28, 2006 7:10 pm Post subject:
I was getting this error message:
Quote: |
pam_mount: error trying to retrieve authtok from auth code
|
I ended up solving this by modifying my /etc/pam.d/system-auth file to look like this:
Code: |
auth required pam_env.so
auth required pam_unix.so likeauth nullok
auth sufficient /usr/lib/security/pam_mount.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session optional /usr/lib/security/pam_mount.so
|
The error was occurring because pam_mount.so must run after pam_unix.so in order to pick up the authtoken, but the sufficient control word terminated execution at pam_unix.so itself. In order to maintain the fall through setup of the files I changed pam_unix.so to required and placed the pam_mount.so module after it with the sufficient control.
Also, I can report that pam_mount 0.15.0 works with cryptsetup-luks. |
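An added example, not part of the original post: a small simulation of the keyword control flags (required, requisite, sufficient, optional) showing why pam_mount.so is never reached when pam_unix.so is marked sufficient. The "before" stack is a constructed assumption, the bracketed [value=action] control syntax is not handled, and pam_deny.so is modelled as always failing.

```python
import os

# "Before": constructed stack matching the failure described above
# (pam_unix.so is sufficient, so a good password ends the stack there).
BEFORE = """
auth required   pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient /usr/lib/security/pam_mount.so use_first_pass
auth required   pam_deny.so
"""
# "After": the auth lines of the system-auth file posted above.
AFTER = """
auth required   pam_env.so
auth required   pam_unix.so likeauth nullok
auth sufficient /usr/lib/security/pam_mount.so use_first_pass
auth required   pam_deny.so
"""

def parse_auth_stack(text):
    """Return [(control, module_name, args)] for the auth lines of a pam.d file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], os.path.basename(fields[2]), fields[3:]))
    return stack

def run_auth(stack, failing=()):
    """Simulate one pass; modules named in `failing` return an error.
    Returns (granted, [modules executed, in order])."""
    executed, required_failed, any_success = [], False, False
    for control, module, _args in stack:
        executed.append(module)
        ok = module not in failing and module != "pam_deny.so"
        if ok:
            any_success = True
            # A successful sufficient module ends the stack immediately,
            # unless an earlier required module has already failed.
            if control == "sufficient" and not required_failed:
                return True, executed
        elif control == "requisite":
            return False, executed
        elif control == "required":
            required_failed = True
        # a failed sufficient or optional module is ignored
    return (any_success and not required_failed), executed

def pam_mount_gets_authtok(stack):
    """True when, on a correct password, pam_mount.so runs after pam_unix.so."""
    _granted, executed = run_auth(stack)
    if "pam_mount.so" not in executed:
        return False
    return "pam_unix.so" in executed[:executed.index("pam_mount.so")]

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        stack = parse_auth_stack(text)
        print(name, run_auth(stack), pam_mount_gets_authtok(stack))
```

With the posted stack, a login is granted only when pam_mount.so itself returns success in the auth phase, because a failed sufficient module falls through to pam_deny.so.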

postmodern n00b
Joined: 13 Apr 2005 Posts: 9
Posted: Fri Jul 28, 2006 11:41 pm Post subject: segfaults from su/xscreensaver
Successfully running pam_mount-0.13.0, but I've noticed I receive segfaults from su/xscreensaver when an incorrect password is given. Having one's screen locked with xscreensaver then suddenly segfaulting away really defeats the purpose of locking one's screen. I'm also using the provided /etc/pam.d/system-auth and /etc/pam.d/login. Any suggestions? |

skunk l33t
Joined: 28 May 2003 Posts: 646 Location: granada, spain
Posted: Thu Sep 14, 2006 4:10 pm Post subject:
hi all...
i had to replace sys-fs/cryptsetup-0.1-r3 with sys-fs/cryptsetup-luks-1.0.3-r2 because of dependencies, but now mounting my home partition fails:
Code: | pam_mount: reading options_allow...
pam_mount: reading options_require...
pam_mount: back from global readconfig
pam_mount: per-user configurations not allowed by pam_mount.conf
pam_mount: real and effective user ID are 0 and 0.
pam_mount: checking sanity of volume record (/dev/hda4)
pam_mount: about to perform mount operations
pam_mount: information for mount:
pam_mount: ----------------------
pam_mount: (defined by globalconf)
pam_mount: user: skunk
pam_mount: server:
pam_mount: volume: /dev/hda4
pam_mount: mountpoint: /home
pam_mount: options: noatime,cipher=aes
pam_mount: fs_key_cipher: aes-256-ecb
pam_mount: fs_key_path: /etc/home.key
pam_mount: use_fstab: 0
pam_mount: ----------------------
pam_mount: realpath of volume "/home" is "/home"
pam_mount: checking to see if /dev/mapper/_dev_hda4 is already mounted at /home
pam_mount: checking for encrypted filesystem key configuration
pam_mount: decrypting FS key using system auth. token and aes-256-ecb
pam_mount: about to start building mount command
pam_mount: command: /bin/mount [-t] [crypt] [-onoatime,cipher=aes] [/dev/hda4] [/home]
pam_mount: mount errors (should be empty):
pam_mount: pam_mount: setting uid to 0
pam_mount: pam_mount: real user/group IDs are 0/100, effective is 0/100
pam_mount: mount: you must specify the filesystem type
pam_mount: mount.crypt: error mounting _dev_hda4
pam_mount: waiting for mount
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/hda3 20000088 10172784 9827304 51% /
udev 258044 224 257820 1% /dev
none 258044 0 258044 0% /dev/shm
/dev/hdb 8208008 8208008 0 100% /media/hdb
pam_mount: mount of /dev/hda4 failed
pam_mount: clean system authtok (0)
pam_mount: command: /usr/sbin/pmvarrun [-u] [skunk] [-d] [-o] [1]
pam_mount: setting uid to 0
pam_mount: real user/group IDs are 0/100, effective is 0/100
pmvarrun: parsed count value 0
pam_mount: pmvarrun says login count is 1
pam_mount: done opening session
No directory, logging in with HOME=/ |
sys-apps/pam_mount-0.13.0 is installed and i've this line in my /etc/security/pam_mount.conf:
Code: | volume skunk crypt - /dev/hda4 /home noatime,cipher=aes aes-256-ecb /etc/home.key |
note that after failing to mount there is no device file in /dev/mapper/ (which was _dev_hda4 with cryptsetup).
going back to cryptsetup it works again, but i always have portage wanting to install cryptsetup-luks on every update...
thank you! |

skunk l33t
Joined: 28 May 2003 Posts: 646 Location: granada, spain
Posted: Sun Sep 17, 2006 3:58 pm Post subject:
nobody? |

anoland Tux's lil' helper
Joined: 27 May 2003 Posts: 86
Posted: Tue Oct 10, 2006 11:56 pm Post subject:
I had the same thing happen to me a while ago. I had to find out what was depending on the new package and get rid of it. It was a while ago, so I don't remember what it was I removed. |

skunk l33t
Joined: 28 May 2003 Posts: 646 Location: granada, spain
Posted: Wed Oct 11, 2006 12:49 pm Post subject:
what's in your /etc/security/pam_mount.conf?
mine: Code: | volume skunk crypt - /dev/hda4 /home noatime,cipher=aes aes-256-ecb /etc/home.key |

anoland Tux's lil' helper
Joined: 27 May 2003 Posts: 86
Posted: Thu Oct 12, 2006 12:50 pm Post subject:
It is commented out
Code: | #volume anoland crypt - /dev/hda5 /home notail,noatime,nodiratime,cipher=aes aes-256-ecb /home.key
|
because this happened a long time ago....
Code: | hades ~ # emerge -s pam_mount
Searching...
[ Results for search key : pam_mount ]
[ Applications found : 1 ]
* sys-libs/pam_mount
Latest version available: 0.9.25
Latest version installed: [ Not Installed ]
Size of files: 428 kB
Homepage: http://www.flyn.org/projects/pam_mount/index.html
Description: A PAM module that can mount volumes for a user session e.g. encrypted home directories
License: GPL-2
hades ~ # emerge -pv pam_mount
These are the packages that would be merged, in order:
Calculating dependencies... done!
[blocks B ] sys-fs/cryptsetup-luks (is blocking sys-fs/cryptsetup-0.1-r3)
[ebuild N ] sys-fs/cryptsetup-0.1-r3 243 kB
[ebuild N ] sys-libs/pam_mount-0.9.25 USE="crypt" 428 kB [1]
Total size of downloads: 671 kB
Portage overlays:
[1] /usr/local/portage
hades ~ #
|
Until LUKS starts to cooperate with pam_mount, I'll just put in my password on boot up. |

skunk l33t
Joined: 28 May 2003 Posts: 646 Location: granada, spain
Posted: Thu Oct 12, 2006 1:03 pm Post subject:
so, if i understand correctly, there is no way to make luks working with pam_mount?
doesn't either exist another way to mount my /home partition at login without having to do it manually? |

anoland Tux's lil' helper
Joined: 27 May 2003 Posts: 86
Posted: Thu Oct 12, 2006 1:25 pm Post subject:
Well,
The latest pam_mount on sourceforge is .18 and the latest in portage is .9.25. Looks like the ebuild needs an update. Maybe the latest pam_mount will work better. But that still doesn't get rid of the block between cryptsetup and cryptsetup-luks. |

feld Guru
Joined: 29 Aug 2004 Posts: 593 Location: WI, USA
Posted: Mon Oct 30, 2006 3:05 am Post subject:
did anyone ever confirm whether or not this can be safely used with journaled filesystems? _________________ < bmg505> I think the first line in reiserfsck is
if (random(65535)< 65500) { hose(partition); for (i=0;i<100000000;i++) print_crap(); } |

anoland Tux's lil' helper
Joined: 27 May 2003 Posts: 86
Posted: Mon Oct 30, 2006 1:02 pm Post subject:
I use it with ReiserFS without any problems. |

feld Guru
Joined: 29 Aug 2004 Posts: 593 Location: WI, USA
Posted: Mon Oct 30, 2006 2:51 pm Post subject:
anoland wrote: | I use it with ReiserFS without any problems. |
cool. i'll move mine to ext3 then.

are Apprentice
Joined: 03 Jan 2006 Posts: 188
Posted: Tue Oct 31, 2006 9:51 am Post subject:
skunk wrote: | so, if i understand correctly, there is no way to make luks working with pam_mount?
doesn't either exist another way to mount my /home partition at login without having to do it manually? |
Code: |
volume are crypt - /dev/hdb2 /home/are - - -
|
i use pam_mount 1.17 together with cryptsetup-luks and without problems. after i typed my password into gdm, it mounts my encrypted home partition and it unmounts it (often), when i log out.
what exactly is your problem?
best regards!
are |

skunk l33t
Joined: 28 May 2003 Posts: 646 Location: granada, spain
Posted: Tue Oct 31, 2006 4:15 pm Post subject:
are, you don't specify where's the key file in your pam_mount.conf, how is it possible that the partition is mounted without asking for the key? is your login password itself the key for decrypting the partition? this is not my case, i have the key encrypted into /etc/home.key and my login password is the key for just accessing to that file...
my problem is that the device node /dev/mapper/_dev_hda4 isn't being created with luks causing the mount error... |

are Apprentice
Joined: 03 Jan 2006 Posts: 188
Posted: Tue Oct 31, 2006 4:41 pm Post subject:
skunk wrote: | are, you don't specify where's the key file in your pam_mount.conf, how is it possible that the partition is mounted without asking for the key? is your login password itself the key for decrypting the partition? this is not my case, i have the key encrypted into /etc/home.key and my login password is the key for just accessing to that file...
my problem is that the device node /dev/mapper/_dev_hda4 isn't being created with luks causing the mount error... |
I'm no expert, but I've thought, that is the way, luks works. it stores everything inside the partition. no special key-file is used, but the passphrase is collected from pam directly. |

are Apprentice
Joined: 03 Jan 2006 Posts: 188
Posted: Tue Oct 31, 2006 4:48 pm Post subject:
skunk wrote: | this is not my case, i have the key encrypted into /etc/home.key and my login password is the key for just accessing to that file.... |
sorry, my fingers type more quick than my eyes read your question. indeed my password logs me in and decrypts the volume. on the other side, i don't understand, why you separate the keyfile from your password? if it's for legacy, then there are good news: luks can store multiple passphrases. add your login-password to luks, and then the partition opens after login too. |

anoland Tux's lil' helper
Joined: 27 May 2003 Posts: 86
Posted: Wed Nov 01, 2006 3:51 am Post subject:
for those that are still following this thread...
There appears to be a good amount of activity on pam_mount.
https://bugs.gentoo.org/show_bug.cgi?id=24213
I'll keep my fingers crossed that it makes it mainstream soon. |

feld Guru
Joined: 29 Aug 2004 Posts: 593 Location: WI, USA
Posted: Wed Nov 01, 2006 4:25 pm Post subject: Re: Problems getting the device unmounted? Use fuser
Guschtel wrote: | Hi,
i found that sometimes there are some processes left, that are working on the device and therefore the device does not get unmounted and encrypted which is very bad (imho).
Therefore i modified the umount.crypt script and inserted
# Change here
FUSER=/usr/bin/fuser
and then
# ask cryptsetup about the underlying device
REALDEVICE=`$CRYPTSETUP status $DMDEVICE | sed -n '/device/s/[ ]*device:[ ]*//p'`
# Change here
# kill all User processes on the device
$FUSER -km $1
$UMOUNT "$1"
Did anyone of you also experience this problem? Should i maybe file a "bug report" to get this included?
Guschtel |
bringing this to light for those that are wondering why logoff doesn't umount... this DOES indeed solve it.

yem n00b
Joined: 05 Nov 2002 Posts: 63 Location: Aotearoa
Posted: Tue Nov 14, 2006 3:39 am Post subject: Switch to
are wrote: | skunk wrote: | so, if i understand correctly, there is no way to make luks working with pam_mount?
doesn't either exist another way to mount my /home partition at login without having to do it manually? |
Code: | volume are crypt - /dev/hdb2 /home/are - - - |
i use pam_mount 1.17 together with cryptsetup-luks and without problems. after i typed my password into gdm, it mounts my encrypted home partition and it unmounts it (often), when i log out.
what exactly is your problem? |
I was happily using pam_mount 0.9.25 and cryptsetup until portage made me switch to cryptsetup-luks for some reason. Now pam_mount cannot mount my /home. A console login attempt as me (zach) goes like this:
Code: | Nov 15 03:16:04 duck login[10061]: pam_mount(readconfig.c:197) reading options_allow...
Nov 15 03:16:04 duck login[10061]: pam_mount(readconfig.c:180) reading options_require...
Nov 15 03:16:04 duck login[10061]: pam_mount(pam_mount.c:439) back from global readconfig
Nov 15 03:16:04 duck login[10061]: pam_mount(pam_mount.c:441) per-user configurations not allowed by pam_mount.conf
Nov 15 03:16:04 duck login[10061]: pam_mount(pam_mount.c:459) pam_sm_open_session: real uid/gid=0:0, effective uid/gid=0:0
Nov 15 03:16:04 duck login[10061]: pam_mount(readconfig.c:418) checking sanity of volume record (/home/zach.encrypted)
Nov 15 03:16:04 duck login[10061]: pam_mount(pam_mount.c:474) about to perform mount operations
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:368) information for mount:
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:369) ----------------------
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:370) (defined by globalconf)
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:373) user: zach
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:374) server:
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:375) volume: /home/zach.encrypted
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:376) mountpoint: /home/zach
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:377) options: loop,cipher=aes
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:378) fs_key_cipher: aes-256-ecb
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:379) fs_key_path: /home/zach.key.encrypted
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:380) use_fstab: 0
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:381) ----------------------
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:177) realpath of volume "/home/zach" is "/home/zach"
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:182) checking to see if /dev/mapper/_home_zach.encrypted is already mounted at /home/zach
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:799) checking for encrypted filesystem key configuration
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:803) decrypting FS key using system auth. token and aes-256-ecb
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:819) about to start building mount command
Nov 15 03:16:04 duck login[10061]: pam_mount(misc.c:262) command: /bin/mount [-t] [crypt] [-o loop,cipher=aes] [/home/zach.encrypted] [/home/zach]
Nov 15 03:16:04 duck login[10291]: pam_mount(misc.c:335) set_myuid(pre): real uid/gid=0:0, effective uid/gid=0:0
Nov 15 03:16:04 duck login[10291]: pam_mount(misc.c:370) set_myuid(post): real uid/gid=0:0, effective uid/gid=0:0
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:851) mount errors (should be empty):
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:100) pam_mount(misc.c:335) set_myuid(pre): real uid/gid=0:0, effective uid/gid=0:0
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:100) pam_mount(misc.c:370) set_myuid(post): real uid/gid=0:0, effective uid/gid=0:0
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:100) mount: you must specify the filesystem type
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:100) mount.crypt: error mounting _home_zach.encrypted
Nov 15 03:16:04 duck login[10061]: pam_mount(mount.c:854) waiting for mount
Nov 15 03:16:04 duck login[10061]: pam_mount(pam_mount.c:478) mount of /home/zach.encrypted failed
Nov 15 03:16:04 duck login[10061]: pam_mount(pam_mount.c:123) clean system authtok (0)
Nov 15 03:16:04 duck login[10061]: pam_mount(misc.c:262) command: /usr/sbin/pmvarrun [-u] [zach] [-d] [-o] [1]
Nov 15 03:16:04 duck login[10315]: pam_mount(misc.c:335) set_myuid(pre): real uid/gid=0:0, effective uid/gid=0:0
Nov 15 03:16:04 duck login[10315]: pam_mount(misc.c:370) set_myuid(post): real uid/gid=0:0, effective uid/gid=0:0
Nov 15 03:16:04 duck login[10061]: pam_mount(pam_mount.c:360) pmvarrun says login count is 1
Nov 15 03:16:04 duck login[10061]: pam_mount(pam_mount.c:491) done opening session |
/etc/security/pam_mount.conf is unchanged:
Code: | debug 1
mkmountpoint 1
fsckloop /dev/loop7
options_allow nosuid,nodev,loop,encryption
options_require nosuid,nodev
..
volume zach crypt - /home/zach.encrypted /home/zach loop,cipher=aes aes-256-ecb /home/zach.key.encrypted |
Currently installed:
sys-libs/pam_mount-0.17-r1 from the bugzilla ticket
sys-fs/cryptsetup-luks-1.0.3-r2
Kernel 2.6.17.3 with suspend2 2.2.7 (it's a notebook)
Any tips for those migrating from cryptsetup to cryptsetup-luks? I want my /home back. It's got my stuff |

skunk l33t
Joined: 28 May 2003 Posts: 646 Location: granada, spain
Posted: Tue Nov 14, 2006 4:17 am Post subject:
i had to backup my home and recreate a luks partition from scratch |

yem n00b
Joined: 05 Nov 2002 Posts: 63 Location: Aotearoa
Posted: Tue Nov 14, 2006 4:47 am Post subject:
LUKS seems like a great idea. However, I'd really like to be able to mount my existing device so I have the opportunity to make a backup. Currently my data is unreachable.
Here it is step by step:
Code: | duck ~ # losetup /dev/loop0 /home/zach.encrypted
duck ~ # losetup /dev/loop0
/dev/loop0: [0304]:1354592 (/home/zach.encrypted)
duck ~ # /bin/cryptsetup isLuks /dev/loop0
/dev/loop0 is not a LUKS partition
duck ~ # KEY=`openssl aes-256-ecb -d -in /home/zach.key.encrypted`
enter aes-256-ecb decryption password:
duck ~ # echo "$KEY" | /bin/cryptsetup -c aes -h ripemd160 -s 256 create _home_zach.encrypted /dev/loop0
duck ~ # mount -o ro -t ext3 /dev/mapper/_home_zach.encrypted /home/zach
mount: wrong fs type, bad option, bad superblock on /dev/mapper/_home_zach.encrypted,
missing codepage or other error
In some cases useful info is found in syslog - try
dmesg | tail or so
duck ~ # dmesg | tail
[4294740.159000] mtrr: 0xe0000000,0x8000000 overlaps existing 0xe0000000,0x2000000
[4294740.159000] mtrr: 0xe0000000,0x8000000 overlaps existing 0xe0000000,0x2000000
[4294740.159000] agpgart: Found an AGP 2.0 compliant device at 0000:00:00.0.
[4294740.159000] agpgart: Putting AGP V2 device at 0000:00:00.0 into 1x mode
[4294740.159000] agpgart: Putting AGP V2 device at 0000:01:00.0 into 1x mode
[4294740.201000] [drm] Setting GART location based on old memory map
[4294740.201000] [drm] writeback test succeeded in 2 usecs
[4296950.936000] e1000: eth0: e1000_watchdog_task: NIC Link is Up 100 Mbps Full Duplex
[4299744.508000] VFS: Can't find ext3 filesystem on dev dm-0.
[4301226.635000] VFS: Can't find ext3 filesystem on dev dm-0. |
Clearly something is going wrong at the decryption stage - either decrypting the key, or decrypting the block device. I suspect the latter as the content of $KEY looks exactly as you would expect - no funky high ASCII bytes which would indicate an incorrect decryption.
So why is cryptsetup failing at the crypto? I understood cryptsetup-luks is supposed to be backward compatible - they just added the luks* commands. |
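An added example, not part of the thread: a reader for the LUKS1 on-disk header, illustrating both the isLuks result above (a plain dm-crypt container has no header at all) and the earlier remark that LUKS can hold several passphrases (eight key slots). The field layout follows the LUKS1 on-disk format; both sample byte strings are constructed, and the helper names are hypothetical.

```python
import hashlib
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# magic, version, cipher-name, cipher-mode, hash-spec, payload-offset,
# key-bytes, mk-digest, mk-digest-salt, mk-digest-iter, uuid  (208 bytes)
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
# active, iterations, salt, key-material-offset, stripes  (48 bytes, 8 slots)
SLOT = struct.Struct(">II32sII")
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def read_luks1_header(blob):
    """Return header details, or None when the first bytes are not a LUKS header
    (the case for a plain dm-crypt mapping, which is ciphertext from byte 0)."""
    if len(blob) < PHDR.size or blob[:6] != LUKS_MAGIC:
        return None
    (_magic, version, cipher, mode, hash_spec,
     payload_off, key_bytes, _dig, _salt, _iters, uuid) = PHDR.unpack_from(blob)
    info = {"version": version}
    if version != 1:
        return info          # other header versions use a different layout
    enabled = []
    for i in range(8):
        off = PHDR.size + i * SLOT.size
        if off + SLOT.size > len(blob):
            break            # truncated input: report the slots we could read
        if SLOT.unpack_from(blob, off)[0] == SLOT_ENABLED:
            enabled.append(i)
    info.update(cipher=_cstr(cipher) + "-" + _cstr(mode), hash=_cstr(hash_spec),
                key_bits=key_bytes * 8, payload_offset_sectors=payload_off,
                uuid=_cstr(uuid), enabled_slots=enabled)
    return info

def build_sample_luks1(enabled_slots=(0, 1)):
    """Constructed header (dummy digests and salts) used only as test input."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1", 2056, 32,
                    b"\0" * 20, b"\0" * 32, 10,
                    b"00000000-0000-0000-0000-000000000000")
    for i in range(8):
        state = SLOT_ENABLED if i in enabled_slots else SLOT_DISABLED
        hdr += SLOT.pack(state, 1000, b"\0" * 32, 8 + i * 256, 4000)
    return hdr

def build_sample_plain(size=1024):
    """Constructed stand-in for the start of a headerless (plain) container."""
    out, block = b"", b"constructed"
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]

if __name__ == "__main__":
    print(read_luks1_header(build_sample_luks1()))
    print(read_luks1_header(build_sample_plain()))
```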

are Apprentice
Joined: 03 Jan 2006 Posts: 188
Posted: Tue Nov 14, 2006 6:08 am Post subject:
the old cryptsetup and new cryptsetupLuks aren't compatible! you can't decrypt a partition with cryptsetupLuks, that is encrypted with old cryptsetup!
but you can remove cryptsetupLuks with emerge -C and reinstall cryptsetup then.
regards
are |

yem n00b
Joined: 05 Nov 2002 Posts: 63 Location: Aotearoa
Posted: Tue Nov 14, 2006 6:26 am Post subject:
Yeah, I'm just figuring that out. Pretty weak really - cryptsetup-luks should either fix the incompatibility or document it. It takes the same args and is clearly supposed to be compatible so I do hope they fix it at some point.. |

Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1776 Location: PB, Germany
Posted: Sat Nov 25, 2006 9:47 pm Post subject:
When will pam_mount come to the official portage tree?
I was still running fine pam_mount-0.12 without luks. But now I switched to pam_mount-0.17-r1 and try to convert to luks. _________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770 |