I've been trying to get a LUKS encrypted home directory that unencrypts on login but I keep getting:
pam_exec(login:auth): /usr/bin/cryptsetup failed: exit code2
I've created the LUKS disk using:
cryptsetup -y luksFormat --type luks2 /dev/sda3
My /etc/pam.d/system-login line that I added is:
auth optional pam_exec.so expose_authtok quiet /usr/bin/cryptsetup open /dev/sda3 /home/USER
Error code 2 usually means no permission (wrong password) but I've changed both the LUKS disk password and root password to 'a' in attempts to eliminate that factor and it still gives me this exit code 2. Does anyone have any ideas on what's going wrong or any log files I can look at to guide me on solving this?
Last edited by fullinator (2018-07-03 17:07:33)
After investigating this further I figured out that cryptsetup is not reading the password from stdin(3) which is where expose_authtok provides the password. PAM Documentation
I looked around cryptsetup's man page a bit and found that the -d - option should have done the trick for getting cryptsetup to read the password in. I modified my pam file to have:
auth optional pam_exec.so expose_authtok quiet /usr/bin/cryptsetup open -d - /dev/sda3 /home/USER
That did not resolve the exit 2 issue. I needed to confirm that cryptsetup was not reading the password and that it wasn't some other issue happening. I decided to run a script using pam_exec and read the password in myself:
In /etc/pam.d/system-login:
auth optional pam_exec.so expose_authtok /usr/local/bin/luks_unlock
In /usr/local/bin/luks_unlock:
#!/bin/bash
# pam_exec with expose_authtok writes the password to this script's stdin;
# IFS= and -r keep leading/trailing spaces and backslashes in it intact.
IFS= read -r password
# cryptsetup reads the passphrase from stdin up to the first newline; yes(1)
# keeps supplying it until cryptsetup closes its end of the pipe.
yes "$password" | cryptsetup open /dev/sda3 /home/USER
# $? is the exit status of the last command in the pipeline, i.e. cryptsetup.
exit $?
At this point the LUKS partition was correctly unlocked and mountable from its /dev/mapper/USER location. This confirms that cryptsetup is not reading the password correctly from stdin(3). I scanned over cryptsetup's man page again but couldn't find any other options that would help me get cryptsetup to do what I want. If anyone knows of the option to get cryptsetup to read the password in, please let me know!
At this point, do we change the documentation located here to reflect the issues that I found?
It should be noted that I am not using any display manager. This is a very minimal Arch install with no GUI at all.
Thanks! This helped me a lot. I confirm that the above solution works.
This is by the way my /etc/fstab line (which will of course differ for your use case):
/dev/mapper/home-dan-encr /home/dan btrfs rw,noatime,nodiratime,ssd,space_cache,nofail,subvol=/,compress=lzo,subvolid=5 0 2
I wasn't able to make it work with the on-demand mount as described here: https://wiki.archlinux.org/index.php/Dm … g_at_login
Last edited by Kotrfa (2018-08-11 20:10:58)
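As an added example (not code from either poster), here is a hardened version of the pam_exec hook from the second post, using the home-USER-encr mapper naming from the fstab line above. It assumes a hypothetical per-user config file /etc/luks-home/USER holding the device path, validates PAM_USER before using it in any path, skips users without an encrypted home, is idempotent on repeated logins, and logs failures without the password.

```shell
#!/bin/sh
# Hypothetical pam_exec hook; install as /usr/local/bin/luks_unlock and call from
# /etc/pam.d/system-login with:
#   auth optional pam_exec.so expose_authtok quiet /usr/local/bin/luks_unlock
# Assumption: /etc/luks-home/<user> holds one line with the device (e.g. /dev/sda3).
CONF_DIR="${LUKS_HOME_CONF:-/etc/luks-home}"
MAPPER_DIR="${LUKS_MAPPER_DIR:-/dev/mapper}"

# Accept only plain POSIX user names so PAM_USER cannot carry path components
# (such as "../") into the config lookup or the mapper name.
valid_user() {
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[a-z_][a-z0-9_-]*$'
}

mapper_name() {
    printf 'home-%s-encr' "$1"
}

# Succeeds when the mapping already exists (second login, or unlocked at boot).
already_open() {
    [ -e "$MAPPER_DIR/$(mapper_name "$1")" ]
}

# Prints the device for a user; fails when the user has no config file.
device_for() {
    [ -r "$CONF_DIR/$1" ] || return 1
    IFS= read -r dev < "$CONF_DIR/$1" && [ -n "$dev" ] && printf '%s' "$dev"
}

main() {
    user="${PAM_USER:-}"
    valid_user "$user" || { logger -p auth.warning -t luks_unlock "rejected user name"; exit 1; }
    dev="$(device_for "$user")" || exit 0   # no encrypted home for this user
    already_open "$user" && exit 0
    # expose_authtok puts the password on stdin; IFS= and -r keep it byte-exact.
    IFS= read -r password
    # cryptsetup reads the passphrase from stdin up to the first newline, so one
    # line via printf is enough; no need to loop with yes(1).
    if printf '%s\n' "$password" | cryptsetup open "$dev" "$(mapper_name "$user")"; then
        exit 0
    fi
    logger -p auth.warning -t luks_unlock "cryptsetup open failed for $user"
    exit 1
}

# Run the hook only under its installed name; otherwise just define the functions.
if [ "${0##*/}" = "luks_unlock" ]; then
    main "$@"
fi
```

The fstab line above then mounts /dev/mapper/home-USER-encr; with nofail, a login for a user without a config file still succeeds and simply has no encrypted home.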