Automatically mount dm-crypt encrypted home with pam_mount

[thomash]

When logging in, the same way I allwasy do, pam_mount gives me:


pam_mount: reading options_allow...
pam_mount: reading options_require...
pam_mount: back from global readconfig
pam_mount: per-user configurations not allowed by pam_mount.conf
pam_mount: real and effective user ID are 0 and 0.
pam_mount: checking sanity of volume record (/dev/sda4)
pam_mount: about to perform mount operations
pam_mount: information for mount:
pam_mount: --------
pam_mount: (defined by globalconf)
pam_mount: user: bleh
pam_mount: server:
pam_mount: volume: /dev/sda4
pam_mount: mountpoint: /home/bleh
pam_mount: options: cipher=aes
pam_mount: fs_key_cipher: aes-256-ecb
pam_mount: fs_key_path: /home/bleh.key
pam_mount: use_fstab: 0
pam_mount: --------
pam_mount: checking to see if /dev/mapper/_dev_sda4 is already mounted at /home/bleh
pam_mount: checking for encrypted filesystem key configuration
pam_mount: decrypting FS key using system auth. token and aes-256-ecb
pam_mount: about to start building mount command
pam_mount: command: /bin/mount [-t] [crypt] [-o] [cipher=aes] [/dev/sda4] [/home/bleh]
pam_mount: mount errors (should be empty):
pam_mount: mount: wrong fs type, bad option, bad superblock on /dev/mapper/_dev_sda4,

pam_mount: missing codepage or other error

pam_mount: In some cases useful info is found in syslog - try

pam_mount: dmesg | tail or so

pam_mount:

pam_mount: mount.crypt: error mounting _dev_sda4

pam_mount: waiting for mount
pam_mount: mount of /dev/sda4 failed
pam_mount: clean system authtok (0)
pam_mount: command: /usr/sbin/pmvarrun [-u] [bleh] [-d] [-o] [1]
pam_mount: pmvarrun says login count is 1
pam_mount: done opening session

dmesg | tail gives:
EXT2-fs error (device dm-1): ext2_check_descriptors: Block bitmap for group 0 not in group (block 1702113070)!
EXT2-fs: group descriptors corrupted!
EXT2-fs error (device dm-1): ext2_check_descriptors: Block bitmap for group 0 not in group (block 1702113070)!
EXT2-fs: group descriptors corrupted!


I don't even know where to start solving this problem.
All I know is that I'd REALLY like to recover some of my documents on this partition =)

Does anyone have any idea whats causing this, and how it can be solved?

[thomash]

As an update to my post above I can add that my /dev/mapper/bleh is gone.

I unmerged both pam and pam_mount, to start the guide from the beginning again.
But /etc/pam.d/login is not created when emerging the newest versions of pam and pam_mount.

I'm lost

[thomash]

Hello again. pam had nothing to do with this problem.

It turned out to be some problem with the filesystem as the error message said, and I solved it the following way:

openssl aes-256-ecb -d -in /home/bleh.key
cryptsetup --verbose --verify-passphrase create sda4 /dev/sda4 (use the output from the openssl command as password)
e2fsck /dev/mapper/sda4

I didn't really understand what dm-crypt and cryptsetup did. Now it's more clear.

[dkey]

hi!

great howto! but, what about live cds? when I have physical access to the computer, I can boot a live cd and get the keyfile, or?

[yem]

Has anyone else found that a recent update causes GDM to now ask for the password twice? Here is my /etc/pam.d/gdm:

Code: Select all

#%PAM-1.0
auth       optional             pam_env.so
auth       include              system-auth
auth       required             pam_nologin.so
auth       optional     /lib/security/pam_mount.so use_first_pass
account    include              system-auth
password   include              system-auth
session    include              system-auth
session    optional     /lib/security/pam_mount.so

It appears pam_mount is not getting the password token that should be provided by the previous modules (despite the presence of use_first_pass), so it asks for the password a second time itself.

Dec 6 21:37:00 duck gdm[10198]: pam_mount: error trying to retrieve authtok from auth code

/etc/pam.d/system-auth is the normal gentoo default:

Code: Select all

#%PAM-1.0

auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so

account    required     pam_unix.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so

[searcher]

I get the same error. I didn't change anything from the default, and tried console only. The error forces me to type the same password twice. Some google-ing turned up this page on a RedHat mailing list. Seems they made a design decision that broke pam-mount. Looking on the bright side, you can have two different passwords, one for login and one for encryption

If someone knows a fix for this (besides hacking on the pam-modules code) i'd be happy to try.

*edit*
Nevermind, i just added both the lines needed at the bottom of /etc/pam.d/login and it worked just fine. No weird errors or anything. Kinda strange that it wouldn't work with the line higher up in the file.

[tuxophil]

great howto! but, what about live cds? when I have physical access to the computer, I can boot a live cd and get the keyfile, or?

You're right that the keyfile can be retrieved, but that's why it's encrypted with your (hashed) passphrase! You could also let pam_mount use your login password as dm-crypt passphrase. But in this case you could only change your login password if you also reencrypt the entire partition. That's why this master key is necessary. To sum it up, your login password is always the weakest link.

[tuxophil]

I've also noticed some changes in Gentoo's PAM setup. Unfortunately I can't remember exactly what I had to change in order to get it to work again. Anyway here are my current pam.d/login and pam.d/kde files:

Code: Select all

# /etc/pam.d/login
#%PAM-1.0

auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
auth       optional     /lib/security/pam_mount.so use_first_pass

account    required     /lib/security/pam_stack.so service=system-auth

password   required     /lib/security/pam_stack.so service=system-auth

session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_mount.so

Code: Select all

# /etc/pam.d/kde
#%PAM-1.0

auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     pam_nologin.so
auth       optional     /lib/security/pam_mount.so use_first_pass

account    include      system-auth

password   include      system-auth

session    include      system-auth
session    optional     /lib/security/pam_mount.so

[searcher]

By adding the following line to /etc/pam.d/common_auth:

Code: Select all

auth    optional        pam_mount.so use_first_pass

and to /etc/pam.d/common_session:

Code: Select all

session optional        pam_mount.so

you can enable the pam_mount login for any way a user can login (kdm, gdm, login etc). Taken from the Debian Grimoire. It's also possible to use a simple @include command, look to the referenced link for more info. I also noticed that the image or partition doesn't get unmounted if there are any programs with open files on that image/partition. Applications such as gpg-agents and gam_server stay in the background, even when logging off, preventing the image/partition from being unmounted.

[Guschtel]

Maybe i just didn't read it, but one has to add the following to the pam_mount config so that the crypto device gets removed:

cryptumount /usr/bin/umount.crypt %(MNTPT)

and thanks for the "tutorial"!

[Massimo B.]

Hello.
Did you already try with LUKS? The comments in my pam_mount.conf point to your howto here and say:

Code: Select all

# Note that pam_mount is LUKS (http://luks.endorphin.org) aware. To
# use luks, you need to have cryptsetup-luks (get it at
# http://luks.endorphin.org/dm-cryp) installed. A config line would be
#volume user1 crypt - /dev/yourpartition /yourmountpoint - - -
# and cryptsetup will be told to read cypher/keysize/etc. from the luks-header.

According to EncryptedDeviceUsingLUKS I tried with # cryptsetup --verbose --verify-passphrase luksFormat /dev/hda2. As I understand the passphrase now should be my keyfile? I don't know how to link to the file.

[Massimo B.]

You said:

..an old version of your encrypted master key could still be recovered after you've used passwdehd

but of course every passwdehd an old version is store in key.old. Shouldn't the old encrypted key file be deleted afterwards?

[Massimo B.]

Yes, I should have added some lines about that problem. In fact there are still some processes left when you leave KDE, but only for a few ms. Adding a one second sleep to umount.crypt solves this problem. This should be more elegant.

Where should I add this sleep 1? I noticed that I can umount myself after logout from kde is finished.
Usually I transport my laptop by logging out and putting to sleep. Then I'd like to have my home umounted AND encrypted.
I tried in /etc/security/pam_mount.conf something like..

Code: Select all

cryptumount 'sleep 5 && /usr/bin/umount.crypt %(MNTPT)'

but the logs still claim

Code: Select all

pam_mount: command: /usr/bin/umount.crypt [/home]

[Massimo B.]

cryptumount /usr/bin/umount.crypt %(MNTPT)

I don't think so, get the message pam_mount: Unknown Config-Option: cryptumount'. umount.crypt is used anyway according to the debug text.

[inode77]

Have successfully done it using console login but not xdm.
Here's the error after xdm is killed almost instantly after login:

Code: Select all

X Window System Version 6.8.2
Release Date: 9 February 2005
X Protocol Version 11, Revision 0, Release 6.8.2
Build Operating System: Linux 2.6.15-gentoo i686 [ELF] 
Current Operating System: Linux stingray 2.6.15-gentoo-r4 #1 PREEMPT Tue Feb 7 23:54:29 CET 2006 i686
Build Date: 20 January 2006
        Before reporting problems, check http://wiki.X.Org
        to make sure that you have the latest version.
Module Loader present
Markers: (--) probed, (**) from config file, (==) default setting,
        (++) from command line, (!!) notice, (II) informational,
        (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/Xorg.0.log", Time: Wed Feb  8 01:07:16 2006
(==) Using config file: "/etc/X11/xorg.conf"
Using vt 7
pam_mount: pam_sm_open_session args: use_first_pass
pam_mount: saving authtok for session code
xdm error (pid 9397): Unknown session exit code 2816 from process 9405

And here is my "/etc/pam.d/xdm":

Code: Select all

auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
auth       optional    /lib/security/pam_mount.so use_first_pass
session    optional     /lib/security/pam_mount.so

Does somebody have a hint on how to solve this problem?

[Guschtel]

Hi,

i found that sometimes there are some processes left, that are working on the device and therefore the device does not get unmounted an encrypted which is very bad (imho).

Therefore i modified the umount.crypt script and inserted
# Change here
FUSER=/usr/bin/fuser

and then
# ask cryptsetup about the underlying device
REALDEVICE=`$CRYPTSETUP status $DMDEVICE | sed -n '/device/s/[ ]*device:[ ]*//p'`

# Change here
# kill all User processes on the device
$FUSER -km $1

$UMOUNT "$1"

Did anyone of you also experience this problem? Should i maybe file a "bug report" to get this included?

Guschtel

[Guschtel]

cryptumount /usr/bin/umount.crypt %(MNTPT)

I don't think so, get the message pam_mount: Unknown Config-Option: cryptumount'. umount.crypt is used anyway according to the debug text.

Yes, your right.
Sorry for that - i don't know why it didn't work that day - must have been something else.

[R. Bosch]

Could you post a new version of the pam_mount package on your link? The pam_mount version is now at 0.12.0. Also the homepage has been changed to this.

[batistuta]

What about sharing your encrypted files with other users? This is possible in Windows XP, but they have a week link, which is, that the administrator can access the encrypted files. That is totally nuts!

I find this particularly useful, for example with my music database. I want to encrypt my /share/music partition, but I want this to be accessible by a set of users, or at least by a group. Admins (i.e. booting from a liveCD) should not.

In the ideal case, this should be done like with acls, except that the management should be done exclusively by the user. That is booting from a liveCD should not give access to the files. It looks like every user should have a key to access the partition. This sounds possible. But then, when a user is removed from the access list, they should revoke him the key. This sounds impossible to me...

Is there anything currently being done in this direction?

[Massimo B.]

You can provide more than one key by using Luks while the administrator is able to add and delete keys. I don't know of a possibility to see only parts of the filesystem with the one key while the other can see all of it.

[svpe]

Thanks for the great guide!

If you don't want to modify each /etc/pam.d/whatever file you can also try to modify only your /etc/pam.d/system-auth file which gets included in almost every application configuration file (kde,gdm,login,...)
You only need to make sure that the "auth optional..." line for the pam_mount module isn't inserted after an auth sufficant line and you need to add use_first_pass to all other module lines that need a password (like pam_unix).

[skeimer]

hi,

the latest pam_mount (0.13.0-r1) has forced cryptsetup-luks to be installed.

If I run cryptsetup (luks), I get:

Code: Select all

echo $KEY | cryptsetup -h sha256 create secure_disk /dev/hda7
Command failed: Invalid argument

I have no idea what the argument error should be... I've tried some other options, but nothing works.

Modules are loaded, cryptsetup-luks is of version 1.0.1-r1


Has anyone experience with this problem?

[bartek]

It's problem with cryptsetup-luks is no compatible with cryptsetup :]

[skeimer]

It's problem with cryptsetup-luks is no compatible with cryptsetup :]

sure, it's not compatible, but I tried to initially setup the partition, though it should work...

The syntax is the same for both flavours of cryptsetup, does the luks version eventually need a prior step to setup?

[vobla]

hi,

i've been using pam_mount for some time and got everything worked until an update broke it.
i have whole partition encrypted and pam_mount mounted it for me during login. now it fails with this:

Code: Select all

Jun 26 11:45:27 xxx login(pam_unix)[2989]: session opened for user xxx by (uid=0)
Jun 26 11:45:27 xxx login[2989]: pam_mount: reading options_allow...
Jun 26 11:45:27 xxx login[2989]: pam_mount: reading options_require...
Jun 26 11:45:27 xxx login[2989]: pam_mount: back from global readconfig
Jun 26 11:45:27 xxx login[2989]: pam_mount: per-user configurations not allowed by pam_mount.conf
Jun 26 11:45:27 xxx login[2989]: pam_mount: real and effective user ID are 0 and 0.
Jun 26 11:45:27 xxx login[2989]: pam_mount: checking sanity of volume record (/dev/sda5)
Jun 26 11:45:27 xxx login[2989]: pam_mount: about to perform mount operations
Jun 26 11:45:27 xxx login[2989]: pam_mount: information for mount:
Jun 26 11:45:27 xxx login[2989]: pam_mount: --------
Jun 26 11:45:27 xxx login[2989]: pam_mount: (defined by globalconf)
Jun 26 11:45:27 xxx login[2989]: pam_mount: user:          xxx
Jun 26 11:45:27 xxx login[2989]: pam_mount: server:
Jun 26 11:45:27 xxx login[2989]: pam_mount: volume:        /dev/sda5
Jun 26 11:45:27 xxx login[2989]: pam_mount: mountpoint:    /home/xxx
Jun 26 11:45:27 xxx login[2989]: pam_mount: options:       cipher=aes
Jun 26 11:45:27 xxx login[2989]: pam_mount: fs_key_cipher: aes-256-ecb
Jun 26 11:45:27 xxx login[2989]: pam_mount: fs_key_path:   /home/xxx/xxx.key
Jun 26 11:45:27 xxx login[2989]: pam_mount: use_fstab:   0
Jun 26 11:45:27 xxx login[2989]: pam_mount: --------
Jun 26 11:45:27 xxx login[2989]: pam_mount: checking to see if /dev/mapper/_dev_sda5 is already mounted at /home/xxx
Jun 26 11:45:27 xxx login[2989]: pam_mount: checking for encrypted filesystem key configuration
Jun 26 11:45:27 xxx login[2989]: pam_mount: decrypting FS key using system auth. token and aes-256-ecb
Jun 26 11:45:27 xxx login[2989]: pam_mount: error getting cipher "aes-256-ecb"
Jun 26 11:45:27 xxx login[2989]: pam_mount: mount of /dev/sda5 failed
Jun 26 11:45:27 xxx login[2989]: pam_mount: clean system authtok (0)
Jun 26 11:45:27 xxx login[2989]: pam_mount: command: /usr/sbin/pmvarrun [-u] [xxx] [-d] [-o] [1]
Jun 26 11:45:27 xxx login[2989]: pam_mount: pmvarrun says login count is 2
Jun 26 11:45:27 xxx login[2989]: pam_mount: done opening session

i've got following versions installed:
cryptsetup-0.1-r2
device-mapper-1.02.02
pam_mount-0.9.25

Anyone?