Hi,
First off, I'm relatively new with Arch. I'm trying to set up a basic server to ship off to a colo. One of the requirements is I need user's $HOME to be encrypted. Easy stuff, nothing earth-shattering. Electing to go with Arch over Debian for this project. Not sure if I'm at fault with some system misconfiguration, but I've got a weird scenario plaguing me. User's encrypted $HOME is NOT automatically unmounting. From what I've been able to figure out, sshd is spawning a second process each time a user remotes in, and it is left running when they log out. This has the consequence of keeping $HOME from unmounting. Anyways, on with the pertinent info:
I've replicated the problem on bare iron as well as a VM using:
Fresh install (base & base-devel)
vim-minimal
ecryptfs-utils
lsof
rsync
openssh
Let's create a user:
useradd -m -G wheel -s /bin/bash kmyst
passwd kmyst
User can log in, ps axf reports just what you'd expect:
<snip>
316 ? Ss 0:00 /usr/bin/sshd -D
934 ? Ss 0:00 \_ sshd: root@pts/0
939 pts/0 Ss+ 0:00 | \_ -bash
966 ? Ss 0:00 \_ sshd: kmyst [priv]
971 ? S 0:00 \_ sshd: kmyst@pts/1
972 pts/1 Ss 0:00 \_ -bash
978 pts/1 R+ 0:00 \_ ps axf
936 ? Ss 0:00 /usr/lib/systemd/systemd --user
937 ? S 0:00 \_ (sd-pam)
968 ? Ss 0:00 /usr/lib/systemd/systemd --user
969 ? S 0:00 \_ (sd-pam)
</snip>
Log the user out. Nobody but root on the system now. Let's enable encryption for $HOME.
Edit /etc/pam.d/system-auth to the following:
#%PAM-1.0
auth required pam_unix.so try_first_pass nullok
auth required pam_ecryptfs.so unwrap
auth optional pam_permit.so
auth required pam_env.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
password optional pam_ecryptfs.so
password required pam_unix.so try_first_pass nullok sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_unix.so
session optional pam_ecryptfs.so
session optional pam_permit.so
Let's load the kernel module.
modprobe ecryptfs
Now, so far so good. Let's encrypt $HOME.
[root@arch ~]# ecryptfs-migrate-home -u kmyst
INFO: Checking disk space, this may take a few moments. Please be patient.
INFO: Checking for open files in /home/kmyst
Enter your login passphrase [kmyst]:
************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************
Done configuring.
chown: cannot access '/dev/shm/.ecryptfs-kmyst': No such file or directory
INFO: Encrypted home has been set up, encrypting files now...this may take a while.
sending incremental file list
./
.bash_history
32 100% 0.00kB/s 0:00:00 (xfr#1, to-chk=3/5)
.bash_logout
21 100% 10.25kB/s 0:00:00 (xfr#2, to-chk=2/5)
.bash_profile
57 100% 9.28kB/s 0:00:00 (xfr#3, to-chk=1/5)
.bashrc
141 100% 17.21kB/s 0:00:00 (xfr#4, to-chk=0/5)
Could not unlink the key(s) from your keying. Please use `keyctl unlink` if you wish to remove the key(s). Proceeding with umount.
========================================================================
Some Important Notes!
1. The file encryption appears to have completed successfully, however,
kmyst MUST LOGIN IMMEDIATELY, _BEFORE_THE_NEXT_REBOOT_,
TO COMPLETE THE MIGRATION!!!
2. If kmyst can log in and read and write their files, then the migration is complete,
and you should remove /home/kmyst.GBFU4ZTt.
Otherwise, restore /home/kmyst.GBFU4ZTt back to /home/kmyst.
3. kmyst should also run 'ecryptfs-unwrap-passphrase' and record
their randomly generated mount passphrase as soon as possible.
4. To ensure the integrity of all encrypted data on this system, you
should also encrypt swap space with 'ecryptfs-setup-swap'.
========================================================================
[root@arch ~]#
Looks successful. User can log in, encrypted $HOME is mounted, everything appears OK. Run ps axf again and our output is:
<snip>
316 ? Ss 0:00 /usr/bin/sshd -D
934 ? Ss 0:00 \_ sshd: root@pts/0
939 pts/0 Ss 0:00 | \_ -bash
1113 pts/0 R+ 0:00 | \_ ps axf
1098 ? Ss 0:00 \_ sshd: kmyst [priv]
1108 ? S 0:00 \_ sshd: kmyst@pts/1
1109 pts/1 Ss+ 0:00 \_ -bash
936 ? Ss 0:00 /usr/lib/systemd/systemd --user
937 ? S 0:00 \_ (sd-pam)
1101 ? S 0:00 sshd: kmyst [priv]
1104 ? Ss 0:00 /usr/lib/systemd/systemd --user
1106 ? S 0:00 \_ (sd-pam)
</snip>
Note the extra 1101 ? S 0:00 sshd: kmyst [priv] in the above ps output!!!
Log the user out, mount reports the user's $HOME is still mounted....
<snip>
/home/.ecryptfs/kmyst/.Private on /home/kmyst type ecryptfs (rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=465cb6dfc870bb66,ecryptfs_sig=d1ad4a4f8accaeb1,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)
</snip>
Yet another ps axf output:
<snip>
316 ? Ss 0:00 /usr/bin/sshd -D
934 ? Ss 0:00 \_ sshd: root@pts/0
939 pts/0 Ss 0:00 \_ -bash
1127 pts/0 R+ 0:00 \_ ps axf
936 ? Ss 0:00 /usr/lib/systemd/systemd --user
937 ? S 0:00 \_ (sd-pam)
1101 ? S 0:00 sshd: kmyst [priv]
</snip>
Note the 1101 ? S 0:00 sshd: kmyst [priv] in the above ps output!!!
OK here's where it gets weird. If I kill the PID 1101, ssh in again, log out, the $HOME is unmounted as I would expect. For some "reason" I can't figure out (yet) this extra sshd process is being spawned, keeping the automatic unmount from working. BUT any subsequent ssh in by the user triggers the problem again. Kill whatever PID sshd spawned for a second process and log out and $HOME is unmounted. Rinse, repeat.
Just to be sure.
Directory listing of .ecryptfs:
[kmyst@arch ~]$ ls -la .ecryptfs/
total 20
drwx------ 2 kmyst kmyst 4096 Feb 25 04:32 .
drwxr-xr-x 4 kmyst kmyst 4096 Feb 25 04:32 ..
-rw------- 1 kmyst kmyst 12 Feb 25 04:32 Private.mnt
-rw------- 1 kmyst kmyst 34 Feb 25 04:32 Private.sig
-rw-r--r-- 1 kmyst kmyst 0 Feb 25 04:32 auto-mount
-rw-r--r-- 1 kmyst kmyst 0 Feb 25 04:32 auto-umount
-r-------- 1 kmyst kmyst 48 Feb 25 04:32 wrapped-passphrase
[kmyst@arch ~]$
I've even tried to use fuser:
[root@arch ~]# fuser -v /home/kmyst
USER PID ACCESS COMMAND
/home/kmyst: root kernel mount /home/kmyst
[root@arch ~]#
I've been installing, reinstalling, debugging, going over configs, grew tired of that and set up a VM to test with and got the same results, etc. for a few evenings. I'm at a loss and think I've hit a dead end. I'm about to the point where either I've hit some not-seen-or-reported-before scenario, or I'm totally misconfiguring the thing repeatedly. Or, my googlefu is failing me... either way I'm stuck and need some guidance.
Any suggestions?
Thanks,
kmyst
References:
https://wiki.archlinux.org/index.php/Beginners%27_guide
https://wiki.archlinux.org/index.php/Installation_guide
https://wiki.archlinux.org/index.php/ECryptfs
https://wiki.archlinux.org/index.php?ti … did=291214
https://bbs.archlinux.org/viewtopic.php?id=98227
https://bbs.archlinux.org/viewtopic.php?id=174796
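The symptom in this thread (an encrypted $HOME that stays mounted after logout because an orphaned `sshd: <user> [priv]` process lingers) is worth detecting on a server you do not sit next to. The script below is an added example, not part of the original post or of ecryptfs-utils: it parses the text of `mount` and `ps -eo args --no-headers` and reports users whose home is still an ecryptfs mount although they have no live `sshd: <user>@<tty>` session, plus the orphaned `[priv]` processes. The sample inputs and the second user `alice` are constructed for the demonstration.

```bash
#!/bin/bash
# Added example, not from the original post: after a logout, report eCryptfs
# homes still mounted for users with no interactive SSH session, and the
# orphaned "sshd: <user> [priv]" processes described in the post.
# Inputs are the text of `mount` and `ps -eo args --no-headers`.

# Users whose /home/<user> is currently an ecryptfs mount point.
ecryptfs_home_users() {
    printf '%s\n' "$1" |
        awk '$2 == "on" && $5 == "ecryptfs" && $3 ~ /^\/home\/[^\/]+$/ {
                 sub("^/home/", "", $3); print $3 }' | sort -u
}

# Users with a live session: a "sshd: <user>@<tty>" process exists.
active_ssh_users() {
    printf '%s\n' "$1" | sed -n 's/^sshd: \([^@ ]*\)@.*/\1/p' | sort -u
}

# Users with a privileged "sshd: <user> [priv]" process but no live session:
# the leftover process that keeps the home mounted in the post.
orphaned_priv_sshd() {
    local procs="$1" user
    printf '%s\n' "$procs" | sed -n 's/^sshd: \([^ ]*\) \[priv\]$/\1/p' | sort -u |
    while read -r user; do
        active_ssh_users "$procs" | grep -qx -- "$user" || printf '%s\n' "$user"
    done
}

# Encrypted homes that stayed mounted although the owner is logged out.
stale_ecryptfs_homes() {
    local mounts="$1" procs="$2" user
    ecryptfs_home_users "$mounts" | while read -r user; do
        active_ssh_users "$procs" | grep -qx -- "$user" || printf '%s\n' "$user"
    done
}

# Constructed sample input modelled on the post's output: kmyst has logged out
# but an sshd [priv] process lingers; alice (made up here) is still logged in.
SAMPLE_MOUNT='proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
/home/.ecryptfs/kmyst/.Private on /home/kmyst type ecryptfs (rw,nosuid,nodev,relatime)
/home/.ecryptfs/alice/.Private on /home/alice type ecryptfs (rw,nosuid,nodev,relatime)'
SAMPLE_PS='/usr/bin/sshd -D
sshd: root@pts/0
-bash
sshd: alice [priv]
sshd: alice@pts/2
sshd: kmyst [priv]
/usr/lib/systemd/systemd --user
(sd-pam)'

echo "stale homes: $(stale_ecryptfs_homes "$SAMPLE_MOUNT" "$SAMPLE_PS")"
echo "orphan sshd: $(orphaned_priv_sshd "$SAMPLE_PS")"
```

On a live host, replace the two sample variables with `"$(mount)"` and `"$(ps -eo args --no-headers)"`; a non-empty result means data the owner assumes is locked is still readable to root on the box.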