You are not logged in.

#1 2015-02-25 05:43:25

kmyst
Member
Registered: 2015-02-25
Posts: 1

eCryptfs and SSH automatic unmounting issue

Hi,

First off, I'm relatively new with Arch. I'm trying to set up a basic server to ship off to a colo. One of the requirements is I need user's $HOME to be encrypted. Easy stuff, nothing earth-shattering. Electing to go with Arch over Debian for this project. Not sure if I'm at fault with some system misconfiguration, but I've got a weird scenario plaguing me. User's encrypted $HOME is NOT automatically unmounting. From what I've been able to figure out, sshd is spawning a second process each time a user remotes in, and is left running when they logout. This has the consequence of keeping $HOME from unmounting. Anyways, on with the pertinent info:

I've replicated the problem on bare iron as well as a VM using:

  • Fresh install (base & base-devel)

  • vim-minimal

  • ecryptfs-utils

  • lsof

  • rsync

  • openssh

Let's create a user:

useradd -m -G wheel -s /bin/bash kmyst
passwd kmyst

User can log in, ps axf reports just what you'd expect:

<snip>
  316 ?        Ss     0:00 /usr/bin/sshd -D
  934 ?        Ss     0:00  \_ sshd: root@pts/0
  939 pts/0    Ss+    0:00  |   \_ -bash
  966 ?        Ss     0:00  \_ sshd: kmyst [priv]
  971 ?        S      0:00      \_ sshd: kmyst@pts/1
  972 pts/1    Ss     0:00          \_ -bash
  978 pts/1    R+     0:00              \_ ps axf
  936 ?        Ss     0:00 /usr/lib/systemd/systemd --user
  937 ?        S      0:00  \_ (sd-pam)
  968 ?        Ss     0:00 /usr/lib/systemd/systemd --user
  969 ?        S      0:00  \_ (sd-pam)
</snip>

Log the user out. Nobody but root on the system now. Let's enable encryption for $HOME.

Edit /etc/pam.d/system-auth to the following:

#%PAM-1.0

auth      required  pam_unix.so     try_first_pass nullok
auth	  required  pam_ecryptfs.so unwrap
auth      optional  pam_permit.so
auth      required  pam_env.so

account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  optional  pam_ecryptfs.so
password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session   required  pam_limits.so
session   required  pam_unix.so
session	  optional  pam_ecryptfs.so
session   optional  pam_permit.so

Let's load the kernel module.

modprobe ecryptfs

Now, so far so good. Let's encrypt $HOME

[root@arch ~]# ecryptfs-migrate-home -u kmyst
INFO:  Checking disk space, this may take a few moments.  Please be patient.
INFO:  Checking for open files in /home/kmyst
Enter your login passphrase [kmyst]: 

************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************


Done configuring.

chown: cannot access '/dev/shm/.ecryptfs-kmyst': No such file or directory
INFO:  Encrypted home has been set up, encrypting files now...this may take a while.
sending incremental file list
./
.bash_history
             32 100%    0.00kB/s    0:00:00 (xfr#1, to-chk=3/5)
.bash_logout
             21 100%   10.25kB/s    0:00:00 (xfr#2, to-chk=2/5)
.bash_profile
             57 100%    9.28kB/s    0:00:00 (xfr#3, to-chk=1/5)
.bashrc
            141 100%   17.21kB/s    0:00:00 (xfr#4, to-chk=0/5)
Could not unlink the key(s) from your keying. Please use `keyctl unlink` if you wish to remove the key(s). Proceeding with umount.

========================================================================
Some Important Notes!

 1. The file encryption appears to have completed successfully, however,
    kmyst MUST LOGIN IMMEDIATELY, _BEFORE_THE_NEXT_REBOOT_,
    TO COMPLETE THE MIGRATION!!!

 2. If kmyst can log in and read and write their files, then the migration is complete,
    and you should remove /home/kmyst.GBFU4ZTt.
    Otherwise, restore /home/kmyst.GBFU4ZTt back to /home/kmyst.

 3. kmyst should also run 'ecryptfs-unwrap-passphrase' and record
    their randomly generated mount passphrase as soon as possible.

 4. To ensure the integrity of all encrypted data on this system, you
    should also encrypt swap space with 'ecryptfs-setup-swap'.
========================================================================

[root@arch ~]#

Looks successful. User can login, encrypted $HOME is mounted, everything appears OK. Run ps axf again and our output is:

<snip>
  316 ?        Ss     0:00 /usr/bin/sshd -D
  934 ?        Ss     0:00  \_ sshd: root@pts/0
  939 pts/0    Ss     0:00  |   \_ -bash
 1113 pts/0    R+     0:00  |       \_ ps axf
 1098 ?        Ss     0:00  \_ sshd: kmyst [priv]
 1108 ?        S      0:00      \_ sshd: kmyst@pts/1
 1109 pts/1    Ss+    0:00          \_ -bash
  936 ?        Ss     0:00 /usr/lib/systemd/systemd --user
  937 ?        S      0:00  \_ (sd-pam)
 1101 ?        S      0:00 sshd: kmyst [priv]
 1104 ?        Ss     0:00 /usr/lib/systemd/systemd --user
 1106 ?        S      0:00  \_ (sd-pam)
</snip>

Note the extra 1101 ?        S      0:00 sshd: kmyst [priv] in the above ps output!!!

Log the user out, mount reports the user's $HOME is still mounted....

<snip>
/home/.ecryptfs/kmyst/.Private on /home/kmyst type ecryptfs (rw,nosuid,nodev,relatime,ecryptfs_fnek_sig=465cb6dfc870bb66,ecryptfs_sig=d1ad4a4f8accaeb1,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs)
</snip>

Yet another ps axf output:

<snip>
  316 ?        Ss     0:00 /usr/bin/sshd -D
  934 ?        Ss     0:00  \_ sshd: root@pts/0
  939 pts/0    Ss     0:00      \_ -bash
 1127 pts/0    R+     0:00          \_ ps axf
  936 ?        Ss     0:00 /usr/lib/systemd/systemd --user
  937 ?        S      0:00  \_ (sd-pam)
 1101 ?        S      0:00 sshd: kmyst [priv]
</snip>

Note the 1101 ?        S      0:00 sshd: kmyst [priv] in the above ps output!!!

OK here's where it gets weird. If I kill the PID 1101, ssh in again, logout, the $HOME is unmounted as I would expect. For some "reason" I can't figure out (yet) this extra sshd process is being spawned, keeping the automatic unmount from working. BUT any subsequent ssh in by the user triggers the problem again. Kill whatever PID sshd spawned for a second process and logout and $HOME is unmounted. Rinse, repeat.

Just to be sure.
Directory listing of .ecryptfs:

[kmyst@arch ~]$ ls -la .ecryptfs/
total 20
drwx------ 2 kmyst kmyst 4096 Feb 25 04:32 .
drwxr-xr-x 4 kmyst kmyst 4096 Feb 25 04:32 ..
-rw------- 1 kmyst kmyst   12 Feb 25 04:32 Private.mnt
-rw------- 1 kmyst kmyst   34 Feb 25 04:32 Private.sig
-rw-r--r-- 1 kmyst kmyst    0 Feb 25 04:32 auto-mount
-rw-r--r-- 1 kmyst kmyst    0 Feb 25 04:32 auto-umount
-r-------- 1 kmyst kmyst   48 Feb 25 04:32 wrapped-passphrase
[kmyst@arch ~]$ 

I've even tried to use fuser:

[root@arch ~]# fuser -v /home/kmyst
                              USER        PID ACCESS COMMAND
/home/kmyst:         root     kernel mount /home/kmyst
[root@arch ~]# 

I've been installing, reinstalling, debugging, going over configs, grew tired of that and set up a VM to test with and got the same results, etc. for a few evenings. I'm at a loss and think I've hit a dead end. I'm about to the point where either I've hit some not-seen-or-reported-before scenario, or I'm totally misconfiguring the thing repeatedly. Or, my googlefu is failing me...either way I'm stuck and need some guidance.

Any suggestions? smile

Thanks,
kmyst


References:
https://wiki.archlinux.org/index.php/Beginners%27_guide
https://wiki.archlinux.org/index.php/Installation_guide
https://wiki.archlinux.org/index.php/ECryptfs
https://wiki.archlinux.org/index.php?ti … did=291214
https://bbs.archlinux.org/viewtopic.php?id=98227
https://bbs.archlinux.org/viewtopic.php?id=174796

Offline

Board footer

Powered by FluxBB