You are not logged in.

#1 2018-11-21 18:36:57

twelveeighty
Member
From: Alberta, Canada
Registered: 2011-09-04
Posts: 1,096

[SOLVED] pam_mount fails for LUKS2 encrypted partition

EDIT: Update Jan 2021: version 2.18 in [community] supports luks2

I'm setting up a new system with an encrypted partition. I'm using the same method I've used on an another system using pam_mount to automatically decrypt the partition upon login (Wiki: https://wiki.archlinux.org/index.php/Pam_mount). Using the same configs, I get the following error:

Nov 21 07:40:05 myhost sddm-helper[3474]: [PAM] Starting...
Nov 21 07:40:05 myhost sddm-helper[3474]: [PAM] Authenticating...
Nov 21 07:40:05 myhost sddm-helper[3474]: (pam_mount.c:365): pam_mount 2.16: entering auth stage
Nov 21 07:40:05 myhost sddm-helper[3474]: [PAM] Preparing to converse...
Nov 21 07:40:05 myhost sddm[530]: (pam_mount.c:365): pam_mount 2.16: entering auth stage
Nov 21 07:40:05 myhost sddm-helper[3474]: [PAM] Conversation with 1 messages
Nov 21 07:40:05 myhost sddm-helper[3474]: pam_kwallet5(sddm:auth): (null): pam_sm_authenticate
Nov 21 07:40:05 myhost sddm-helper[3474]: [PAM] returning.
Nov 21 07:40:05 myhost sddm[530]: Authenticated successfully
Nov 21 07:40:05 myhost sddm-greeter[3467]: Message received from daemon: LoginSucceeded
Nov 21 07:40:05 myhost sddm-helper[3474]: pam_kwallet5(sddm:setcred): pam_kwallet5: pam_sm_setcred
Nov 21 07:40:05 myhost sddm-helper[3474]: (pam_mount.c:568): pam_mount 2.16: entering session stage
Nov 21 07:40:05 myhost kernel: audit: type=1006 audit(1542811205.043:59): pid=3474 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=5 res=1
Nov 21 07:40:05 myhost sddm[530]: (pam_mount.c:568): pam_mount 2.16: entering session stage
Nov 21 07:40:05 myhost sddm[530]: (mount.c:263): Mount info: globalconf, user=twelveeighty <volume fstype="auto" server="(null)" path="/dev/mapper/VolGroup00-lvoldata" mount>
Nov 21 07:40:05 myhost sddm-helper[3474]: (mount.c:263): Mount info: globalconf, user=twelveeighty <volume fstype="auto" server="(null)" path="/dev/mapper/VolGroup00-lvoldat>
Nov 21 07:40:05 myhost sddm-helper[3474]: (mount.c:660): Password will be sent to helper as-is.
Nov 21 07:40:05 myhost sddm[530]: (mount.c:660): Password will be sent to helper as-is.
Nov 21 07:40:05 myhost sddm[530]: command: 'mount' '-ofsck,noatime' '-tauto' '/dev/mapper/VolGroup00-lvoldata' '/data'
Nov 21 07:40:05 myhost sddm-helper[3474]: command: 'mount' '-ofsck,noatime' '-tauto' '/dev/mapper/VolGroup00-lvoldata' '/data'
Nov 21 07:40:05 myhost sddm-helper[3474]: (mount.c:68): Messages from underlying mount program:
Nov 21 07:40:05 myhost sddm[530]: (mount.c:68): Messages from underlying mount program:
Nov 21 07:40:05 myhost sddm[530]: (mount.c:72): /sbin/mount.crypto_LUKS: No dmcrypt cipher specified (use -o cipher=xxx)
Nov 21 07:40:05 myhost sddm-helper[3474]: (mount.c:72): /sbin/mount.crypto_LUKS: No dmcrypt cipher specified (use -o cipher=xxx)
# cat /etc/security/pam_mount.conf.xml
[...]
<volume user="twelveeighty" fstype="auto" path="/dev/mapper/VolGroup00-lvoldata" mountpoint="/data" options="fsck,noatime" />
[...]

I've tried several things, especially since the error says "No dmcrypt cipher specified (use -o cipher=xxx)", I tried adding the cipher attribute in the configs, to no avail. Pretty much the only difference between the working system and this one is that the new system is using luks2 instead of luks:

System with luks2 (pam_mount fails on this one):
# cryptsetup luksDump /dev/mapper/VolGroup00-lvoldata
LUKS header information
Version:        2
Epoch:          3
Metadata area:  12288 bytes
[...]
Label:          (no label)
Subsystem:      (no subsystem)
Flags:          (no flags)

Data segments:
  0: crypt
        offset: 4194304 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2i
System with luks (pam_mount works):
# cryptsetup luksDump /dev/mapper/VolGroup00-lvoldata
LUKS header information for /dev/mapper/VolGroup00-lvoldata

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        512
[...]
UUID:           80b74838-3da1-4f3f-a594-f42225029b60

Key Slot 0: ENABLED
        Iterations:             566371

The password key for the partition is the same as my login password. Decrypting and mounting manually works fine:

# cryptsetup open /dev/mapper/VolGroup00-lvoldata cryptdata
<enter password>
# mount -t ext4 /dev/mapper/cryptdata /data

The reason I'm suspecting luks2 isn't supported in pam_mount 2.16 because the upstream pam_mount code has a commit in the master branch with the following comments:

Commit [d4434c]
Authored by: Ingo Franzki 2018-10-29
crypto: Add support for LUKS2

Cryptsetup version 2.0 added support for LUKS2.
This patch adds support for mounting LUKS2 volumes with
pam_mount.

But I think this commit isn't in the 2.16 release, which is the latest upstream release.

Does somebody else have a luks2 decryption working with pam_mount? If what I'm seeing is correct, I can edit the pam_mount Wiki page to warn people against using luks2 if one wants to use pam_mount. I could also try to build a -git package and see if that works, but let me know if I'm on the wrong track here.

Last edited by twelveeighty (2021-01-10 16:40:27)

Offline

#2 2018-11-21 23:02:35

loqs
Member
Registered: 2014-03-06
Posts: 17,196

Re: [SOLVED] pam_mount fails for LUKS2 encrypted partition

git clone https://git.code.sf.net/p/pam-mount/pam-mount pam-mount-pam-mount
cd pam-mount-pam-mount
git tag --contains d4434c05e7c0cf05d87089404cfa2deedc60811a
git tag 
v0.10
v0.11
v0.12
v0.12.2
v0.13
v0.15
v0.16
v0.17
v0.18
v0.19
v0.2
v0.20
v0.21
v0.26
v0.27
v0.28
v0.29
v0.3.2
v0.3.2-flyn
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.31
v0.32
v0.33
v0.35
v0.35.1
v0.37
v0.38
v0.39
v0.4.0
v0.4.1
v0.4.2-test1
v0.40
v0.41
v0.43
v0.44
v0.45
v0.47
v0.48
v0.49
v0.5.0
v0.5.1
v0.5.11
v0.5.12
v0.5.13
v0.5.14
v0.5.15
v0.5.16
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.9.0
v0.9.1
v0.9.10
v0.9.11
v0.9.12
v0.9.13
v0.9.14
v0.9.15
v0.9.16
v0.9.17
v0.9.18
v0.9.19
v0.9.2
v0.9.20
v0.9.21
v0.9.22
v0.9.23
v0.9.24
v0.9.25
v0.9.3
v0.9.4
v0.9.5
v0.9.6
v0.9.7
v0.9.8
v0.9.9
v1.0
v1.1
v1.10
v1.15
v1.16
v1.17
v1.18
v1.19
v1.2
v1.20
v1.21
v1.22
v1.24
v1.25
v1.26
v1.27
v1.3
v1.30
v1.31
v1.33
v1.34
v1.35
v1.36
v1.4
v1.5
v1.6
v1.7
v1.8
v1.9
v2.0
v2.1
v2.10
v2.11
v2.12
v2.13
v2.14
v2.15
v2.16
v2.2
v2.3
v2.4
v2.5
v2.6
v2.7
v2.8
v2.9
$ git show d4434c05e7c0cf05d87089404cfa2deedc60811a
commit d4434c05e7c0cf05d87089404cfa2deedc60811a
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date:   Mon Oct 29 16:47:40 2018 +0100

    crypto: Add support for LUKS2
    
    Cryptsetup version 2.0 added support for LUKS2.
    This patch adds support for mounting LUKS2 volumes with
    pam_mount.
    
    Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

diff --git a/src/crypto-dmc.c b/src/crypto-dmc.c
index d0ab6ca..abd0358 100644
--- a/src/crypto-dmc.c
+++ b/src/crypto-dmc.c
@@ -21,6 +21,12 @@
 #include "libcryptmount.h"
 #include "pam_mount.h"
 
+#ifndef CRYPT_LUKS
+       #define CRYPT_LUKS      NULL /* Passing NULL to crypt_load will
+                                       default to LUKS(1) on older
+                                       libcryptsetup versions. */
+#endif
+
 /**
  * dmc_is_luks - check if @path points to a LUKS volume (cf. normal dm-crypt)
  * @path:      path to the crypto container
@@ -48,7 +54,7 @@ EXPORT_SYMBOL int ehd_is_luks(const char *path, bool blkdev)
 
        ret = crypt_init(&cd, device);
        if (ret == 0) {
-               ret = crypt_load(cd, CRYPT_LUKS1, NULL);
+               ret = crypt_load(cd, CRYPT_LUKS, NULL);
                if (ret == -EINVAL)
                        ret = false;
                else if (ret == 0)
@@ -106,7 +112,7 @@ static bool dmc_run(const struct ehd_mount_request *req,
 #endif
        }
 
-       ret = crypt_load(cd, CRYPT_LUKS1, NULL);
+       ret = crypt_load(cd, CRYPT_LUKS, NULL);
        if (ret == 0) {
                ret = crypt_activate_by_passphrase(cd, mt->crypto_name,
                      CRYPT_ANY_SLOT, req->key_data, req->key_size, flags);

Without that commit pam_mount sets the crypt-type parameter for crypt_load to CRYPT_LUKS1 so only matches LUKS 1 volumes instead of null which will match all supported types.

Offline

#3 2018-11-21 23:30:18

twelveeighty
Member
From: Alberta, Canada
Registered: 2011-09-04
Posts: 1,096

Re: [SOLVED] pam_mount fails for LUKS2 encrypted partition

Thanks for confirming my suspicion, @loqs!

To prove it, I created a PKGBUILD for pam_mount-git that pulls the current HEAD on master. It did pull in that change:

-               ret = crypt_load(cd, CRYPT_LUKS1, NULL);
+               ret = crypt_load(cd, CRYPT_LUKS, NULL);

Running my custom pam_mount-git instead of the [community] version works for me now with this luks2 partition: it unlocks automatically when logging in.

I'm guessing the best thing is for me to submit a change to the Wiki with the warning for luks2 and I can post the working git PKGBUILD to AUR if there's interest. Patching the current 2.16 version wouldn't be the "Arch Way", I think, we should just wait for upstream for a new release on the [community] version.

Offline

#4 2018-11-22 03:23:12

twelveeighty
Member
From: Alberta, Canada
Registered: 2011-09-04
Posts: 1,096

Re: [SOLVED] pam_mount fails for LUKS2 encrypted partition

For those interested, I uploaded pam_mount-git to the AUR: https://aur.archlinux.org/packages/pam_mount-git/.

Offline

#5 2018-12-02 16:59:13

Abaddon
Member
From: Poland
Registered: 2004-05-03
Posts: 249

Re: [SOLVED] pam_mount fails for LUKS2 encrypted partition

Thank you for sharing. I faced the same problem yesterday. With pam_mount-git LUKS2 works fine.


Gnome - The weakest link!
Linux, *not* GNU/Linux!

Offline

#6 2019-07-25 20:59:47

promike
Member
Registered: 2019-05-19
Posts: 8

Re: [SOLVED] pam_mount fails for LUKS2 encrypted partition

I was wondering if this is a normal behavior or I misconfigured something again:

pam_mount password:
(mount.c:68): Messages from underlying mount program:
(mount.c:72): Device _dev_sda1 aready exists.
(mount.c:72): crypt_activate_by_passphrase: File exists.
(mount.c:72): Device _dev_sda1 is still in use.
(pam_mount.c:522): mount of /dev/disk/by-uuid/9444db94-b9fc-4741-be96-aa90eb085a72 failed

Last edited by promike (2019-07-26 13:10:44)

Offline

#7 2019-07-25 21:16:39

twelveeighty
Member
From: Alberta, Canada
Registered: 2011-09-04
Posts: 1,096

Re: [SOLVED] pam_mount fails for LUKS2 encrypted partition

@promlike: it looks like you trying to decrypt the same device twice.

Offline

#8 2019-07-26 13:42:30

promike
Member
Registered: 2019-05-19
Posts: 8

Re: [SOLVED] pam_mount fails for LUKS2 encrypted partition

I strongly suspect that there is something wrong with pam_mount.
I followed the instructions and my configuration files look like these:

/etc/pam.d/system-login

#%PAM-1.0

auth       required   pam_tally2.so        onerr=succeed file=/var/log/tallylog
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       optional   pam_mount.so
auth       include    system-auth

account    required   pam_tally2.so
account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth

password   optional   pam_mount.so
password   include    system-auth

session    optional   pam_loginuid.so
session    optional   pam_keyinit.so       force revoke
session [success=1 default=ignore]  pam_succeed_if.so  service = systemd-user quiet
session    optional   pam_mount.so
session    include    system-auth
session    optional   pam_motd.so          motd=/etc/motd
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
-session   optional   pam_systemd.so
session    required   pam_env.so
/etc/security/pam_mount.conf.xml

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
	See pam_mount.conf(5) for a description.
-->

<pam_mount>

		<!-- debug should come before everything else,
		since this file is still processed in a single pass
		from top-to-bottom -->

<debug enable="0" />

		<!-- Volume definitions -->


		<!-- pam_mount parameters: General tunables -->

<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<!-- requires ofl from hxtools to be present -->
<logout wait="0" hup="no" term="no" kill="no" />


		<!-- pam_mount parameters: Volume-related -->
<volume user="promike" fstype="auto" path="/dev/disk/by-uuid/9444db94-b9fc-4741-be96-aa90eb085a72" mountpoint="/home" options="fsck,noatime" />
<mkmountpoint enable="1" remove="true" />


</pam_mount>

If I remove the <volume .../> part, I will no longer see the 'device/file exists' messages.
Even though I can log in but my encrypted partition won't get either unlocked or mounted.

My crypttab is basically empty:

/etc/crypttab

# crypttab: mappings for encrypted partitions
#
# Each mapped device will be created in /dev/mapper, so your /etc/fstab
# should use the /dev/mapper/<name> paths for encrypted devices.
#
# The Arch specific syntax has been deprecated, see crypttab(5) for the
# new supported syntax.
#
# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf).

# <name>       <device>                                     <password>              <options>
# home         UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37    /etc/mypassword1
# data1        /dev/sda3                                    /etc/mypassword2
# data2        /dev/sda5                                    /etc/cryptfs.key
# swap         /dev/sdx4                                    /dev/urandom            swap,cipher=aes-cbc-essiv:sha256,size=256
# vol          /dev/sdb7                                    none

If I log in from another tty, I'll see the error messages twice.

Offline

Board footer

Powered by FluxBB