#1 2018-11-21 18:36:57

twelveeighty
Member
From: Alberta, Canada
Registered: 2011-09-04
Posts: 486

[SOLVED] pam_mount fails for LUKS2 encrypted partition

I'm setting up a new system with an encrypted partition. I'm using the same method I've used on another system, using pam_mount to automatically decrypt the partition upon login (Wiki: https://wiki.archlinux.org/index.php/Pam_mount). Using the same configs, I get the following error:

Nov 21 07:40:05 myhost sddm-helper[3474]: [PAM] Starting...
Nov 21 07:40:05 myhost sddm-helper[3474]: [PAM] Authenticating...
Nov 21 07:40:05 myhost sddm-helper[3474]: (pam_mount.c:365): pam_mount 2.16: entering auth stage
Nov 21 07:40:05 myhost sddm-helper[3474]: [PAM] Preparing to converse...
Nov 21 07:40:05 myhost sddm[530]: (pam_mount.c:365): pam_mount 2.16: entering auth stage
Nov 21 07:40:05 myhost sddm-helper[3474]: [PAM] Conversation with 1 messages
Nov 21 07:40:05 myhost sddm-helper[3474]: pam_kwallet5(sddm:auth): (null): pam_sm_authenticate
Nov 21 07:40:05 myhost sddm-helper[3474]: [PAM] returning.
Nov 21 07:40:05 myhost sddm[530]: Authenticated successfully
Nov 21 07:40:05 myhost sddm-greeter[3467]: Message received from daemon: LoginSucceeded
Nov 21 07:40:05 myhost sddm-helper[3474]: pam_kwallet5(sddm:setcred): pam_kwallet5: pam_sm_setcred
Nov 21 07:40:05 myhost sddm-helper[3474]: (pam_mount.c:568): pam_mount 2.16: entering session stage
Nov 21 07:40:05 myhost kernel: audit: type=1006 audit(1542811205.043:59): pid=3474 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=5 res=1
Nov 21 07:40:05 myhost sddm[530]: (pam_mount.c:568): pam_mount 2.16: entering session stage
Nov 21 07:40:05 myhost sddm[530]: (mount.c:263): Mount info: globalconf, user=twelveeighty <volume fstype="auto" server="(null)" path="/dev/mapper/VolGroup00-lvoldata" mount>
Nov 21 07:40:05 myhost sddm-helper[3474]: (mount.c:263): Mount info: globalconf, user=twelveeighty <volume fstype="auto" server="(null)" path="/dev/mapper/VolGroup00-lvoldat>
Nov 21 07:40:05 myhost sddm-helper[3474]: (mount.c:660): Password will be sent to helper as-is.
Nov 21 07:40:05 myhost sddm[530]: (mount.c:660): Password will be sent to helper as-is.
Nov 21 07:40:05 myhost sddm[530]: command: 'mount' '-ofsck,noatime' '-tauto' '/dev/mapper/VolGroup00-lvoldata' '/data'
Nov 21 07:40:05 myhost sddm-helper[3474]: command: 'mount' '-ofsck,noatime' '-tauto' '/dev/mapper/VolGroup00-lvoldata' '/data'
Nov 21 07:40:05 myhost sddm-helper[3474]: (mount.c:68): Messages from underlying mount program:
Nov 21 07:40:05 myhost sddm[530]: (mount.c:68): Messages from underlying mount program:
Nov 21 07:40:05 myhost sddm[530]: (mount.c:72): /sbin/mount.crypto_LUKS: No dmcrypt cipher specified (use -o cipher=xxx)
Nov 21 07:40:05 myhost sddm-helper[3474]: (mount.c:72): /sbin/mount.crypto_LUKS: No dmcrypt cipher specified (use -o cipher=xxx)

# cat /etc/security/pam_mount.conf.xml
[...]
<volume user="twelveeighty" fstype="auto" path="/dev/mapper/VolGroup00-lvoldata" mountpoint="/data" options="fsck,noatime" />
[...]

I've tried several things; in particular, since the error says "No dmcrypt cipher specified (use -o cipher=xxx)", I tried adding the cipher attribute in the configs, to no avail. Pretty much the only difference between the working system and this one is that the new system is using luks2 instead of luks:

System with luks2 (pam_mount fails on this one):
# cryptsetup luksDump /dev/mapper/VolGroup00-lvoldata
LUKS header information
Version:        2
Epoch:          3
Metadata area:  12288 bytes
[...]
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 4194304 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2i

System with luks (pam_mount works):
# cryptsetup luksDump /dev/mapper/VolGroup00-lvoldata
LUKS header information for /dev/mapper/VolGroup00-lvoldata

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        512
[...]
UUID:           80b74838-3da1-4f3f-a594-f42225029b60

Key Slot 0: ENABLED
        Iterations:             566371

The password key for the partition is the same as my login password. Decrypting and mounting manually works fine:

# cryptsetup open /dev/mapper/VolGroup00-lvoldata cryptdata
<enter password>
# mount -t ext4 /dev/mapper/cryptdata /data

The reason I'm suspecting luks2 isn't supported in pam_mount 2.16 is that the upstream pam_mount code has a commit in the master branch with the following comments:

Commit [d4434c]
Authored by: Ingo Franzki 2018-10-29
crypto: Add support for LUKS2

Cryptsetup version 2.0 added support for LUKS2.
This patch adds support for mounting LUKS2 volumes with
pam_mount.

But I think this commit isn't in the 2.16 release, which is the latest upstream release.

Does somebody else have luks2 decryption working with pam_mount? If what I'm seeing is correct, I can edit the pam_mount Wiki page to warn people against using luks2 if one wants to use pam_mount. I could also try to build a -git package and see if that works, but let me know if I'm on the wrong track here.

Last edited by twelveeighty (2018-11-22 03:23:46)


#2 2018-11-21 23:02:35

loqs
Member
Registered: 2014-03-06
Posts: 7,743

Re: [SOLVED] pam_mount fails for LUKS2 encrypted partition

git clone https://git.code.sf.net/p/pam-mount/pam-mount pam-mount-pam-mount
cd pam-mount-pam-mount
git tag --contains d4434c05e7c0cf05d87089404cfa2deedc60811a
git tag
v0.10
v0.11
v0.12
v0.12.2
v0.13
v0.15
v0.16
v0.17
v0.18
v0.19
v0.2
v0.20
v0.21
v0.26
v0.27
v0.28
v0.29
v0.3.2
v0.3.2-flyn
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.31
v0.32
v0.33
v0.35
v0.35.1
v0.37
v0.38
v0.39
v0.4.0
v0.4.1
v0.4.2-test1
v0.40
v0.41
v0.43
v0.44
v0.45
v0.47
v0.48
v0.49
v0.5.0
v0.5.1
v0.5.11
v0.5.12
v0.5.13
v0.5.14
v0.5.15
v0.5.16
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.9.0
v0.9.1
v0.9.10
v0.9.11
v0.9.12
v0.9.13
v0.9.14
v0.9.15
v0.9.16
v0.9.17
v0.9.18
v0.9.19
v0.9.2
v0.9.20
v0.9.21
v0.9.22
v0.9.23
v0.9.24
v0.9.25
v0.9.3
v0.9.4
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9
v1.0
v1.1
v1.10
v1.15
v1.16
v1.17
v1.18
v1.19
v1.2
v1.20
v1.21
v1.22
v1.24
v1.25
v1.26
v1.27
v1.3
v1.30
v1.31
v1.33
v1.34
v1.35
v1.36
v1.4
v1.5
v1.6
v1.7
v1.8
v1.9
v2.0
v2.1
v2.10
v2.11
v2.12
v2.13
v2.14
v2.15
v2.16
v2.2
v2.3
v2.4
v2.5
v2.6
v2.7
v2.8
v2.9
$ git show d4434c05e7c0cf05d87089404cfa2deedc60811a
commit d4434c05e7c0cf05d87089404cfa2deedc60811a
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date:   Mon Oct 29 16:47:40 2018 +0100

    crypto: Add support for LUKS2
    
    Cryptsetup version 2.0 added support for LUKS2.
    This patch adds support for mounting LUKS2 volumes with
    pam_mount.
    
    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

diff --git a/src/crypto-dmc.c b/src/crypto-dmc.c
index d0ab6ca..abd0358 100644
--- a/src/crypto-dmc.c
+++ b/src/crypto-dmc.c
@@ -21,6 +21,12 @@
 #include "libcryptmount.h"
 #include "pam_mount.h"
 
+#ifndef CRYPT_LUKS
+       #define CRYPT_LUKS      NULL /* Passing NULL to crypt_load will
+                                       default to LUKS(1) on older
+                                       libcryptsetup versions. */
+#endif
+
 /**
  * dmc_is_luks - check if @path points to a LUKS volume (cf. normal dm-crypt)
  * @path:      path to the crypto container
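Review bot: the fallback `#define CRYPT_LUKS NULL` makes correctness on older libcryptsetup depend on crypt_load() treating a NULL type as LUKS1, which the comment asserts but nothing in the build checks; state the minimum libcryptsetup version needed for LUKS2 (2.0, per the commit message) in the comment or in configure, and note that with an older library LUKS2 volumes will still fail to load and will still reach the misleading dm-crypt error path reported at the top of this thread.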
@@ -48,7 +54,7 @@ EXPORT_SYMBOL int ehd_is_luks(const char *path, bool blkdev)
 
        ret = crypt_init(&cd, device);
        if (ret == 0) {
-               ret = crypt_load(cd, CRYPT_LUKS1, NULL);
+               ret = crypt_load(cd, CRYPT_LUKS, NULL);
                if (ret == -EINVAL)
                        ret = false;
                else if (ret == 0)
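Review bot: widening the type to CRYPT_LUKS means ehd_is_luks() now answers true for LUKS2 headers as well, which is the intent, but only -EINVAL is mapped to false here; what the function returns for other negative crypt_load() results is not visible in the hunk and is worth confirming, since callers use the result as a boolean. The doc comment above ("check if @path points to a LUKS volume") could also mention that both LUKS1 and LUKS2 are now accepted.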
@@ -106,7 +112,7 @@ static bool dmc_run(const struct ehd_mount_request *req,
 #endif
        }
 
-       ret = crypt_load(cd, CRYPT_LUKS1, NULL);
+       ret = crypt_load(cd, CRYPT_LUKS, NULL);
        if (ret == 0) {
                ret = crypt_activate_by_passphrase(cd, mt->crypto_name,
                      CRYPT_ANY_SLOT, req->key_data, req->key_size, flags);
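Review bot: when crypt_load() still fails here (older libcryptsetup where CRYPT_LUKS falls back to NULL, or an unrecognised header) the user gets the same plain dm-crypt diagnostic seen at the top of this thread, "No dmcrypt cipher specified (use -o cipher=xxx)", which points in the wrong direction; consider logging the crypt_load() return value, or the header type that was not recognised, before falling through to the dm-crypt path.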

Without that commit pam_mount sets the crypt-type parameter of crypt_load to CRYPT_LUKS1, so it only matches LUKS1 volumes, instead of NULL, which matches all supported types.
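A small preflight check that follows from the explanation above, added here as an example and not part of pam_mount or any poster's code: it reads the header version from `cryptsetup luksDump` output and the installed pam_mount version and says whether that combination can be unlocked at login. It assumes that any release newer than 2.16, and an Arch-style git build versioned 2.16.rN.g<hash>, carries the CRYPT_LUKS commit.

```shell
#!/bin/sh
# Added example, not pam_mount's own code: preflight check of whether the installed
# pam_mount can unlock a LUKS volume, given that 2.16 only calls crypt_load(CRYPT_LUKS1).

# Print the "Version:" field of `cryptsetup luksDump` output read from stdin.
luks_version() {
    awk '/^Version:/ { print $2; exit }'
}

# True (exit 0) when dotted version $1 is strictly newer than $2.
# Non-numeric parts (e.g. the "r5" of an Arch -git pkgver) count as 0.
version_gt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 1
    }'
}

# Usage: pam_mount_can_open <LUKS header version> <pam_mount version>; prints
# yes/no. Assumption: any release after 2.16, and a git build versioned
# 2.16.rN.g<hash> (master, which carries commit d4434c), has the CRYPT_LUKS fix.
pam_mount_can_open() {
    case "$1" in
        1) echo yes; return 0 ;;
        2)
            case "$2" in 2.16.r[0-9]*) echo yes; return 0 ;; esac
            if version_gt "$2" 2.16; then echo yes; return 0; fi
            echo no; return 1 ;;
        *) echo unknown; return 2 ;;
    esac
}

# Real use: check_volume "$(cryptsetup luksDump /dev/mapper/VolGroup00-lvoldata)" \
#                        "$(pacman -Q pam_mount | awk '{print $2}' | cut -d- -f1)"
check_volume() {
    v=$(printf '%s\n' "$1" | luks_version)
    pam_mount_can_open "$v" "$2"
}
# Constructed sample: the relevant lines of the LUKS2 header shown in this thread.
SAMPLE_LUKS2_DUMP='LUKS header information
Version:        2
Epoch:          3'
check_volume "$SAMPLE_LUKS2_DUMP" 2.16 || :   # stock 2.16 package: prints "no"
```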


#3 2018-11-21 23:30:18

twelveeighty
Member
From: Alberta, Canada
Registered: 2011-09-04
Posts: 486

Re: [SOLVED] pam_mount fails for LUKS2 encrypted partition

Thanks for confirming my suspicion, @loqs!

To prove it, I created a PKGBUILD for pam_mount-git that pulls the current HEAD on master. It did pull in that change:

-               ret = crypt_load(cd, CRYPT_LUKS1, NULL);
+               ret = crypt_load(cd, CRYPT_LUKS, NULL);

Running my custom pam_mount-git instead of the [community] version works for me now with this luks2 partition: it unlocks automatically when logging in.

I'm guessing the best thing is for me to submit a change to the Wiki with the warning for luks2, and I can post the working git PKGBUILD to AUR if there's interest. Patching the current 2.16 version wouldn't be the "Arch Way", I think; we should just wait for upstream for a new release on the [community] version.


#4 2018-11-22 03:23:12

twelveeighty
Member
From: Alberta, Canada
Registered: 2011-09-04
Posts: 486

Re: [SOLVED] pam_mount fails for LUKS2 encrypted partition

For those interested, I uploaded pam_mount-git to the AUR: https://aur.archlinux.org/packages/pam_mount-git/.


#5 2018-12-02 16:59:13

Abaddon
Member
From: Poland
Registered: 2004-05-03
Posts: 239

Re: [SOLVED] pam_mount fails for LUKS2 encrypted partition

Thank you for sharing. I faced the same problem yesterday. With pam_mount-git LUKS2 works fine.
