You are not logged in.

#1 2013-12-26 16:57:06

tom101
Member
Registered: 2013-12-26
Posts: 4

[SOLVED] Encrypted $HOME and pam_mount: pmvarrun session count wrong

This is my fourth arch install, but the first time I have ever tried data encryption.

Here is my setup:
I have an encrypted $HOME using ecryptfs, using pam_mount to automatically mount on login. I put this configuration together using a combination of information from the following sources:
https://wiki.archlinux.org/index.php/ECryptfs
http://sysphere.org/~anrxc/j/articles/e … index.html
https://wiki.archlinux.org/index.php/Pam_mount
http://www.everbot.com/encrypt-home-fol … rch-linux/

The issue is that the $HOME folder is not unmounted at logout.
I enabled debugging in pam_mount to see the logs, and found that the folder is not being unmounted because pam_mount believes I still have another login session. pam_mount uses a program called pmvarrun to keep track of this. For some reason, pmvarrun is being called to record the login twice, but only once to record the logout. Specifically, when I log in, both login and systemd call pam_mount to record the login. But when I log out, only login calls pam_mount to record the logout. Thus, each time I log in and out, the total number of login sessions counted in /var/run/pam_mount/tom increases by one.

A few other notes:
First, I can manually run pmvarrun after I log in to correct the count. If I do this, the encrypted $HOME is unmounted successfully on logout. So, a clear workaround would be to create a login script to do this. However, I am assuming that the root cause is actually something I have misconfigured, and I'd prefer to actually get that resolved than to just cover it up.

Secondly, I did find a link where someone reported this as a bug in pam_mount, but absolutely no one responded. I'm hoping that means it really is a configuration issue rather than an actual bug.
https://groups.google.com/forum/#!topic … VeX7fcK68o

Finally, here are the relevant files, as best I can tell.

portion of journal

Dec 25 18:42:51 cpu391 login[562]: pam_ecryptfs: Passphrase file wrapped
Dec 25 18:42:52 cpu391 login[561]: (rdconf1.c:744): path to luserconf set to /home/tom/.pam_mount.conf.xml
Dec 25 18:42:52 cpu391 login[561]: (pam_mount.c:365): pam_mount 2.14: entering auth stage
Dec 25 18:42:52 cpu391 login[561]: (rdconf1.c:744): path to luserconf set to /home/tom/.pam_mount.conf.xml
Dec 25 18:42:52 cpu391 login[561]: (pam_mount.c:568): pam_mount 2.14: entering session stage
Dec 25 18:42:52 cpu391 login[561]: (pam_mount.c:616): going to readconfig /home/tom/.pam_mount.conf.xml
Dec 25 18:42:52 cpu391 login[561]: (rdconf2.c:127): checking sanity of luserconf volume record (/home/.ecryptfs/tom/.Private/)
Dec 25 18:42:52 cpu391 login[561]: (mount.c:263): Mount info: luserconf, user=tom <volume fstype="ecryptfs" server="(null)" path="/home/.ecryptfs/tom/.Private/" mountpoint="/home/tom" cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhash="(null)" options="nosuid,nodev" /> fstab=0 ssh=0
Dec 25 18:42:52 cpu391 login[561]: (mount.c:660): Password will be sent to helper as-is.
Dec 25 18:42:52 cpu391 login[561]: command: 'mount' '-i' '/home/.ecryptfs/tom/.Private/'
Dec 25 18:42:52 cpu391 login[564]: (spawn.c:136): setting uid to user tom
Dec 25 18:42:52 cpu391 kernel: Key type trusted registered
Dec 25 18:42:52 cpu391 kernel: sha256_ssse3: Using AVX optimized SHA-256 implementation
Dec 25 18:42:52 cpu391 kernel: Key type encrypted registered
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 15 19 0:3 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 16 19 0:14 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sys rw
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 17 19 0:5 / /dev rw,nosuid,relatime shared:2 - devtmpfs dev rw,size=4034640k,nr_inodes=1008660,mode=755
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 18 19 0:15 / /run rw,nosuid,nodev,relatime shared:11 - tmpfs run rw,mode=755
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 19 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,data=ordered
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 20 16 0:16 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:7 - securityfs securityfs rw
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 21 17 0:17 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 22 17 0:11 / /dev/pts rw,nosuid,noexec,relatime shared:4 - devpts devpts rw,gid=5,mode=620,ptmxmode=000
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 23 16 0:18 / /sys/fs/cgroup rw,nosuid,nodev,noexec shared:8 - tmpfs tmpfs rw,mode=755
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 24 23 0:19 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:9 - cgroup cgroup rw,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 25 16 0:20 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime shared:10 - pstore pstore rw
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 26 23 0:21 / /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:12 - cgroup cgroup rw,cpuset
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 27 23 0:22 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:13 - cgroup cgroup rw,cpuacct,cpu
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 28 23 0:23 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:14 - cgroup cgroup rw,memory
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 29 23 0:24 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:15 - cgroup cgroup rw,devices
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 30 23 0:25 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:16 - cgroup cgroup rw,freezer
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 31 23 0:26 / /sys/fs/cgroup/net_cls rw,nosuid,nodev,noexec,relatime shared:17 - cgroup cgroup rw,net_cls
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 32 23 0:27 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:18 - cgroup cgroup rw,blkio
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 33 15 0:28 / /proc/sys/fs/binfmt_misc rw,relatime shared:19 - autofs systemd-1 rw,fd=25,pgrp=1,timeout=300,minproto=5,maxproto=5,direct
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 34 16 0:7 / /sys/kernel/debug rw,relatime shared:20 - debugfs debugfs rw
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 35 17 0:13 / /dev/mqueue rw,relatime shared:21 - mqueue mqueue rw
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 36 16 0:29 / /sys/kernel/config rw,relatime shared:22 - configfs configfs rw
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 37 17 0:30 / /dev/hugepages rw,relatime shared:23 - hugetlbfs hugetlbfs rw
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 38 19 0:31 / /tmp rw shared:24 - tmpfs tmpfs rw
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 39 19 8:17 / /mnt/sdb1 rw,relatime shared:25 - vfat /dev/sdb1 rw,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro
Dec 25 18:42:52 cpu391 login[561]: (mount.c:554): 40 19 0:32 / /home/tom rw,nosuid,nodev,relatime shared:26 - ecryptfs /home/.ecryptfs/tom/.Private rw,ecryptfs_sig=c4dd9e0d4d88b5f5,ecryptfs_fnek_sig=99cb6f562f0bb2e0,ecryptfs_cipher=twofish,ecryptfs_key_bytes=32,ecryptfs_passthrough,ecryptfs_unlink_sigs
Dec 25 18:42:52 cpu391 login[561]: command: 'pmvarrun' '-u' 'tom' '-o' '1'
Dec 25 18:42:52 cpu391 login[561]: (pam_mount.c:441): pmvarrun says login count is 1
Dec 25 18:42:52 cpu391 login[561]: (pam_mount.c:660): done opening session (ret=0)
Dec 25 18:42:52 cpu391 login[561]: pam_unix(login:session): session opened for user tom by LOGIN(uid=0)
Dec 25 18:42:52 cpu391 systemd[1]: Starting user-1000.slice.
Dec 25 18:42:52 cpu391 systemd[1]: Created slice user-1000.slice.
Dec 25 18:42:52 cpu391 systemd[1]: Starting User Manager for 1000...
Dec 25 18:42:52 cpu391 systemd[1]: Starting Session 5 of user tom.
Dec 25 18:42:52 cpu391 systemd-logind[193]: New session 5 of user tom.
Dec 25 18:42:52 cpu391 systemd[1]: Started Session 5 of user tom.
Dec 25 18:42:52 cpu391 login[561]: LOGIN ON tty3 BY tom
Dec 25 18:42:52 cpu391 systemd[635]: (rdconf1.c:744): path to luserconf set to /home/tom/.pam_mount.conf.xml
Dec 25 18:42:52 cpu391 systemd[635]: (pam_mount.c:568): pam_mount 2.14: entering session stage
Dec 25 18:42:52 cpu391 systemd[635]: (pam_mount.c:629): no volumes to mount
Dec 25 18:42:52 cpu391 systemd[635]: command: 'pmvarrun' '-u' 'tom' '-o' '1'
Dec 25 18:42:52 cpu391 systemd[635]: (rdconf1.c:744): path to luserconf set to /home/tom/.pam_mount.conf.xml
Dec 25 18:42:52 cpu391 systemd[635]: (pam_mount.c:568): pam_mount 2.14: entering session stage
Dec 25 18:42:52 cpu391 systemd[635]: (pam_mount.c:629): no volumes to mount
Dec 25 18:42:52 cpu391 systemd[635]: command: 'pmvarrun' '-u' 'tom' '-o' '1'
Dec 25 18:42:52 cpu391 systemd[635]: (pmvarrun.c:254): parsed count value 1
Dec 25 18:42:52 cpu391 systemd[635]: (pam_mount.c:441): pmvarrun says login count is 2
Dec 25 18:42:52 cpu391 systemd[635]: (pam_mount.c:660): done opening session (ret=0)
Dec 25 18:42:52 cpu391 systemd[635]: (pam_mount.c:441): pmvarrun says login count is 2
Dec 25 18:42:52 cpu391 systemd[635]: (pam_mount.c:660): done opening session (ret=0)
Dec 25 18:42:52 cpu391 systemd[635]: pam_unix(systemd-user:session): session opened for user tom by (uid=0)
Dec 25 18:42:52 cpu391 systemd[635]: Failed to open private bus connection: Failed to connect to socket /run/user/1000/dbus/user_bus_socket: No such file or directory
Dec 25 18:42:52 cpu391 systemd[635]: Mounted /sys/kernel/config.
Dec 25 18:42:52 cpu391 systemd[635]: Stopped target Sound Card.
Dec 25 18:42:52 cpu391 systemd[635]: Starting Default.
Dec 25 18:42:52 cpu391 systemd[635]: Reached target Default.
Dec 25 18:42:52 cpu391 systemd[635]: Startup finished in 5ms.
Dec 25 18:42:52 cpu391 systemd[1]: Started User Manager for 1000.
Dec 25 18:44:01 cpu391 login[561]: (pam_mount.c:706): received order to close things
Dec 25 18:44:01 cpu391 login[561]: command: 'pmvarrun' '-u' 'tom' '-o' '-1'
Dec 25 18:44:01 cpu391 login[561]: (pam_mount.c:441): pmvarrun says login count is 1
Dec 25 18:44:01 cpu391 login[561]: (pam_mount.c:735): tom seems to have other remaining open sessions
Dec 25 18:44:01 cpu391 login[561]: (pam_mount.c:743): pam_mount execution complete
Dec 25 18:44:01 cpu391 login[561]: pam_unix(login:session): session closed for user tom
Dec 25 18:44:01 cpu391 login[561]: (pam_mount.c:116): Clean global config (0)
Dec 25 18:44:01 cpu391 login[561]: (pam_mount.c:133): clean system authtok=0x16bc630 (0)
Dec 25 18:44:01 cpu391 systemd[1]: getty@tty3.service holdoff time over, scheduling restart.
Dec 25 18:44:01 cpu391 systemd[1]: Stopping Getty on tty3...
Dec 25 18:44:01 cpu391 systemd[1]: Starting Getty on tty3...
Dec 25 18:44:01 cpu391 systemd[1]: Started Getty on tty3.
Dec 25 18:44:01 cpu391 systemd-logind[193]: Removed session 5.
Dec 25 18:44:01 cpu391 systemd[1]: Stopping User Manager for 1000...
Dec 25 18:44:01 cpu391 systemd[639]: (pam_mount.c:116): Clean global config (1073741824)
Dec 25 18:44:01 cpu391 systemd[635]: (pam_mount.c:116): Clean global config (1073741824)
Dec 25 18:44:01 cpu391 systemd[635]: Stopping Default.
Dec 25 18:44:01 cpu391 systemd[635]: Stopped target Default.
Dec 25 18:44:01 cpu391 systemd[635]: Starting Shutdown.
Dec 25 18:44:01 cpu391 systemd[635]: Reached target Shutdown.
Dec 25 18:44:01 cpu391 systemd[635]: Starting Exit the Session...
Dec 25 18:44:01 cpu391 systemd[1]: Stopped User Manager for 1000.
Dec 25 18:44:01 cpu391 systemd[1]: Stopping user-1000.slice.
Dec 25 18:44:01 cpu391 systemd[1]: Removed slice user-1000.slice.

/etc/pam.d/system-auth

#%PAM-1.0

auth      required  pam_unix.so     try_first_pass nullok
auth      optional  pam_mount.so
auth      optional  pam_ecryptfs.so unwrap
auth      optional  pam_permit.so
auth      required  pam_env.so

account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  optional  pam_ecryptfs.so 
password  optional  pam_mount.so
password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session   optional  pam_mount.so
session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_ecryptfs.so unwrap
session   optional  pam_permit.so

/etc/security/pam_mount.conf.xml

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
	See pam_mount.conf(5) for a description.
-->

<pam_mount>

		<!-- debug should come before everything else,
		since this file is still processed in a single pass
		from top-to-bottom -->

<debug enable="1" />

		<!-- Volume definitions -->


		<!-- pam_mount parameters: General tunables -->

<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<!-- requires ofl from hxtools to be present -->
<logout wait="0" hup="0" term="0" kill="0" />


		<!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />

<luserconf name=".pam_mount.conf.xml" />
<lclmount>mount -i %(VOLUME) "%(before=\"-o\" OPTIONS)"</lclmount>
<umount>umount %(MNTPT)</umount>

</pam_mount>

/home/tom/.pam_mount.conf.xml

<pam_mount>
	<volume noroot="1" fstype="ecryptfs" path="/home/.ecryptfs/tom/.Private/" mountpoint="/home/tom/" options="nosuid,nodev"/>
</pam_mount>

I can provide other files if needed. I appreciate any insights or suggestions for things I can test.

Thanks,
Tom

Last edited by tom101 (2013-12-28 16:13:53)

Offline

#2 2013-12-28 16:25:24

tom101
Member
Registered: 2013-12-26
Posts: 4

Re: [SOLVED] Encrypted $HOME and pam_mount: pmvarrun session count wrong

I think I figured it out. It is indeed a configuration issue.
I found a post on the internet where someone suggested putting the items I had added to /etc/pam.d/system-auth in /etc/pam.d/system-login instead. I also read the documentation for PAM linux (http://linux-pam.org/), as previously I had only been reading the documentation for pam_mount. Then, by looking at all of the files in /etc/pam.d/ I figured out what was going on.

I turns out system-auth is just used by too many other services. In particular, I believe it was the use by the systemd-user service that was causing an issue in this case.

The catch was that system-login is also used by systemd-user, so even that probably wouldn't have fixed the problem.

What I ended up doing was creating a new file that contained only the pam_mount and pam_ecryptfs lines I had added to system-auth previously. Then I modified system-local-login and system-remote-login to include that new file.

I'll also need to make some modifications to the appropriate file for the graphical login manager when I set that up.

Marked thread solved in case this helps anyone else in the future.

Tom

Last edited by tom101 (2013-12-28 16:27:21)

Offline

#3 2013-12-28 18:56:31

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: [SOLVED] Encrypted $HOME and pam_mount: pmvarrun session count wrong

I am glad to see you have solved your problem (on your own!) and then even figured out how to properly mark your thread as [Solved]!  Also, that is an amazing first post, filled with detail, output, and all kinds of goodness.  Well done sir!

Offline

#4 2015-05-25 19:30:30

setone
Member
Registered: 2012-08-31
Posts: 9

Re: [SOLVED] Encrypted $HOME and pam_mount: pmvarrun session count wrong

I just spent an afternoon fighting with pam_mount for the simple case of auto-mounting a remote cifs share when I login. I got it working but with errors such as the one you mentioned, i.e. not umounting on logout. Then I found your post and your solution completely solves the problem. Thanks tom101!

Offline

#5 2015-05-25 20:03:13

WorMzy
Administrator
From: Scotland
Registered: 2010-06-16
Posts: 12,464
Website

Re: [SOLVED] Encrypted $HOME and pam_mount: pmvarrun session count wrong

Glad you resolved your issue, setone, but please don't bump old threads, especially when they're solved.

https://wiki.archlinux.org/index.php/Fo … bumping.22

Closing.


Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.

Offline

Board footer

Powered by FluxBB