
#1 2018-07-01 18:38:38

fullinator
Member
Registered: 2018-07-01
Posts: 3

[solved] pam LUKS partition auto mount on login returning exit code 2

I've been trying to get a LUKS encrypted home directory that unencrypts on login but I keep getting:

pam_exec(login:auth): /usr/bin/cryptsetup failed: exit code 2

I've created the LUKS disk using:

cryptsetup -y luksFormat --type luks2 /dev/sda3

My /etc/pam.d/system-login line that I added is:

auth    optional    pam_exec.so expose_authtok quiet /usr/bin/cryptsetup open /dev/sda3 /home/USER

Error code 2 usually means no permission (wrong password), but I've changed both the LUKS disk password and root password to 'a' in attempts to eliminate that factor and it still gives me this exit code 2. Does anyone have any ideas on what's going wrong or any log files I can look to guide me on solving this?

Last edited by fullinator (2018-07-03 17:07:33)

#2 2018-07-03 17:06:28

fullinator
Member
Registered: 2018-07-01
Posts: 3

Re: [solved] pam LUKS partition auto mount on login returning exit code 2

After investigating this further I figured out that cryptsetup is not reading the password from stdin(3), which is where expose_authtok provides the password. PAM Documentation

I looked around cryptsetup's man page a bit and found that the -d - option should have done the trick for getting cryptsetup to read the password in. I modified my pam file to have:

auth    optional    pam_exec.so expose_authtok quiet /usr/bin/cryptsetup open -d - /dev/sda3 /home/USER

That did not resolve the exit 2 issue. I needed to confirm that cryptsetup was not reading the password and that it wasn't some other issue happening. I decided to run a script using pam_exec and read the password in myself:
In /etc/pam.d/system-login:

auth    optional    pam_exec.so expose_authtok /usr/local/bin/luks_unlock

In /usr/local/bin/luks_unlock:

#!/bin/bash
# pam_exec (expose_authtok) writes the password to this script's stdin.
# -r keeps backslashes in the password literal; IFS= keeps leading/trailing spaces.
IFS= read -r password
# cryptsetup reads the passphrase from its stdin when stdin is not a terminal.
yes "$password" | cryptsetup open /dev/sda3 /home/USER
# A pipeline's status is that of its last command, so this is cryptsetup's exit code.
exit $?

At this point the LUKS partition was correctly unlocked and mountable from its /dev/mapper/USER location. This confirms that cryptsetup is not reading the password correctly from stdin(3). I scanned over cryptsetup's man page again but couldn't find any other options that would help me get cryptsetup to do what I want. If anyone knows of the option to get cryptsetup to read the password in please let me know!

At this point, do we change the documentation located here to reflect the issues that I found?

It should be noted that I am not using any display manager. This is a very minimal Arch install with no GUI at all.

#3 2018-08-11 20:09:02

Kotrfa
Member
Registered: 2012-10-25
Posts: 213

Re: [solved] pam LUKS partition auto mount on login returning exit code 2

Thanks! This helped me a lot. I confirm that the above solution works.

This is by the way my /etc/fstab line (which will of course differ for your use case):

/dev/mapper/home-dan-encr /home/dan btrfs	rw,noatime,nodiratime,ssd,space_cache,nofail,subvol=/,compress=lzo,subvolid=5	0 2

I wasn't able to make it work with that on-demand mount as is in here: https://wiki.archlinux.org/index.php/Dm … g_at_login

Last edited by Kotrfa (2018-08-11 20:10:58)
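Editor's added example, not a script posted in this thread: a fuller version of the pam_exec wrapper from post #2, written so that one copy serves every user rather than hard-coding /dev/sda3, and using the home-<user>-encr mapper naming from the fstab line in post #3. Everything about the layout is an assumption for illustration: a per-user file /etc/luks-home/<user> holding the block device, the mapper name home-<user>-encr, the LUKS_HOME_CONF and CRYPTSETUP environment overrides (used only so the logic can be exercised without a real device), and the fact that `cryptsetup status` exits non-zero for a mapping that is not active. Beyond what the thread shows, it treats PAM_USER as untrusted input (it is typed at the login prompt and is used here as a file name), acts only in the auth phase, skips the unlock when the mapping is already open, and feeds the token to cryptsetup exactly once instead of looping `yes`.

```shell
#!/bin/sh
# Hypothetical /usr/local/bin/luks_unlock (added example, not the thread's script).
# Invoked from /etc/pam.d/system-login as
#   auth optional pam_exec.so expose_authtok quiet /usr/local/bin/luks_unlock
# pam_exec exports PAM_TYPE and PAM_USER and writes the password to stdin.
#
# Assumed layout: /etc/luks-home/<user> holds one line, the block device of that
# user's LUKS partition; it is opened as /dev/mapper/home-<user>-encr.

CONF_DIR=${LUKS_HOME_CONF:-/etc/luks-home}
CRYPTSETUP=${CRYPTSETUP:-/usr/bin/cryptsetup}

valid_user() {
    # PAM_USER is whatever was typed at the login prompt, so treat it as untrusted:
    # it becomes a file name below, and "../x" or "-x" must never get that far.
    case $1 in
        ''|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

home_device() {
    # Print the block device configured for user $1; fail if there is none.
    valid_user "$1" || return 1
    [ -f "$CONF_DIR/$1" ] || return 1
    dev=
    # The || clause accepts a file written without a trailing newline.
    IFS= read -r dev < "$CONF_DIR/$1" || [ -n "$dev" ] || return 1
    case $dev in
        /dev/*) printf '%s\n' "$dev" ;;
        *) return 1 ;;
    esac
}

mapper_name() {
    printf 'home-%s-encr\n' "$1"
}

unlock_home() {
    # $1 = user; the passphrase is the first line of stdin (what expose_authtok sends).
    dev=$(home_device "$1") || return 0   # no encrypted home for this user: nothing to do
    name=$(mapper_name "$1")
    # Already open (e.g. a second login on another tty): succeed without touching
    # the token. Assumed: `cryptsetup status` exits 0 only for an active mapping.
    if "$CRYPTSETUP" status "$name" >/dev/null 2>&1; then
        return 0
    fi
    # Read the token once; -r keeps backslashes, IFS= keeps leading/trailing spaces,
    # and the || clause accepts a token that arrives without a trailing newline.
    pass=
    IFS= read -r pass || [ -n "$pass" ] || return 1
    # Feed exactly one line rather than looping `yes` until cryptsetup closes the pipe.
    if printf '%s\n' "$pass" | "$CRYPTSETUP" open "$dev" "$name"; then
        rc=0
    else
        rc=$?
    fi
    unset pass
    return "$rc"
}

# Only act in the auth phase. pam_exec always sets PAM_TYPE, so sourcing this file
# with PAM_TYPE unset just defines the functions without running anything.
if [ "${PAM_TYPE:-}" = auth ]; then
    unlock_home "${PAM_USER:?PAM_USER not set}"
fi
```

With `optional` on the PAM line the script's exit status never blocks the login; it only decides whether the home mapping is opened, so a wrong passphrase still surfaces as the same pam_exec "exit code 2" log line seen in post #1, while a user with no /etc/luks-home entry is simply left alone.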
