google / fscrypt

Go tool for managing Linux filesystem encryption
Apache License 2.0

PAM configuration on Fedora #295

Open yerlaser opened 3 years ago

yerlaser commented 3 years ago

This is perhaps more a question, although maybe it's better that the documentation be updated. I am trying to use fscrypt on Fedora and, since there are no packages available, I compiled it from source. I managed to make it work with the passphrase protector, but the login protector doesn't work. The documentation says to add pam_fscrypt.so lines to /etc/pam.d/common-auth and /etc/pam.d/common-session. Neither file exists; here's the listing of /etc/pam.d:

config-util gdm-password password-auth smartcard-auth system-auth cups gdm-pin polkit-1 sshd systemd-user fingerprint-auth gdm-smartcard postlogin sssd-shadowutils vlock fscrypt liveinst ppp su vmtoolsd gdm-autologin login remote sudo xserver gdm-fingerprint other runuser sudo-i gdm-launch-environment passwd runuser-l su-l

I already tried to add the lines to gdm-password, login, passwd, password-auth, system-auth but none of them worked. Also, I don't see any errors in the logs. It's as if the lines get ignored. Any help would be appreciated.

yerlaser commented 3 years ago

Small addition: I found out that pam_fscrypt.so should be installed to /usr/lib64/security instead of /usr/lib/security, as all other similar modules are there. The problem still remains, though, and auto unlock doesn't work.

Do the developers test the software on Fedora at all?

ebiggers commented 3 years ago

I haven't tested fscrypt on Fedora.

PAM configuration differs between distributions, so issues like this are expected to some extent.

If you can put together a working configuration on Fedora, we'd be glad to add it to the documentation. You can also request that your distro packages fscrypt as an official package, in which case the packager would likely take care of the PAM configuration.

luzeal commented 3 years ago

Hello,

First things first, thanks for the wonderful project! I am currently using it to encrypt virtual machine images at rest, and it is working great!

Alas, as for OP, PAM configuration seems to be a bit tricky on Fedora. I am also trying to make auto unlock work on Fedora 34, and intend to eventually request a port or port it to Fedora myself.

My test configuration

What works

[root@test]# cat /etc/pam.d/fscrypt 
auth        required    pam_unix.so

What doesn't (yet)

Fedora specifics

According to this forum thread, password-auth uses modules which can be used in remote configuration. We will use this one, but it should be OK to use system-auth too.

[root@test]# cat /etc/pam.d/password-auth
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so
auth        optional      pam_fscrypt.so debug

account     required      pam_unix.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password    required      pam_deny.so
password    optional      pam_fscrypt.so debug

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_unix.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     optional      pam_fscrypt.so drop_caches lock_policies debug

Content of /etc/fscrypt.conf

cat /etc/fscrypt.conf
{
    "source": "custom_passphrase",
    "hash_costs": {
        "time": "26",
        "memory": "131072",
        "parallelism": "2"
    },
    "options": {
        "padding": "32",
        "contents": "AES_256_XTS",
        "filenames": "AES_256_CTS",
        "policy_version": "2"
    },
    "use_fs_keyring_for_v1_policies": false
}

According to the logs below, it seems that fscrypt AUTHTOK cannot access the unix password.

[root@test ~]# journalctl -b | grep fscrypt
Jul 07 09:54:22 vdmed kernel: Key type ._fscrypt registered
Jul 07 09:54:22 vdmed kernel: Key type .fscrypt registered
Jul 07 09:54:22 vdmed kernel: Key type fscrypt-provisioning registered
Jul 07 09:54:24 vdmed pam_fscrypt[600]: OpenSession(map[debug:true]) starting
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Session count for UID=42 updated to 1
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[42]
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Setting euid=42 egid=42 groups=[42]
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Current privs (real, effective): uid=(0,42) gid=(0,42) groups=[42]
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Reading config from "/etc/fscrypt.conf"
Jul 07 09:54:24 vdmed pam_fscrypt[600]: creating context for user "gdm"
Jul 07 09:54:24 vdmed pam_fscrypt[600]: found ext4 filesystem "/" (/dev/vda3)
Jul 07 09:54:24 vdmed pam_fscrypt[600]: listing descriptors in "/.fscrypt/protectors"
Jul 07 09:54:24 vdmed pam_fscrypt[600]: found 2 descriptor(s)
Jul 07 09:54:24 vdmed pam_fscrypt[600]: could not read metadata from "/.fscrypt/protectors/41cbb2c50c977db8": open /.fscrypt/protectors/41cbb2c50c977db8: permission denied
Jul 07 09:54:24 vdmed pam_fscrypt[600]: could not read metadata from "/.fscrypt/protectors/a6943dd52cec7cc4": open /.fscrypt/protectors/a6943dd52cec7cc4: permission denied
Jul 07 09:54:24 vdmed pam_fscrypt[600]: no protector to unlock: no PAM protector for UID=42 on "/"
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Setting euid=0 egid=0 groups=[42]
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[42]
Jul 07 09:54:24 vdmed audit[600]: USER_START pid=600 uid=0 auid=42 ses=1 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_fscrypt acct="gdm" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 07 09:54:24 vdmed pam_fscrypt[600]: OpenSession(map[debug:true]) succeeded
Jul 07 09:54:24 vdmed pam_fscrypt[575]: OpenSession(map[debug:true]) starting
Jul 07 09:54:24 vdmed pam_fscrypt[575]: OpenSession(map[debug:true]) failed: open /run/fscrypt/42.count: permission denied
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: OpenSession(map[debug:true]) starting
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Session count for UID=1000 updated to 1
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[1000]
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Setting euid=1000 egid=1000 groups=[1000]
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Current privs (real, effective): uid=(0,1000) gid=(0,1000) groups=[1000]
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Reading config from "/etc/fscrypt.conf"
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: creating context for user "test"
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: found ext4 filesystem "/" (/dev/vda3)
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: listing descriptors in "/.fscrypt/protectors"
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: found 2 descriptor(s)
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: could not read metadata from "/.fscrypt/protectors/41cbb2c50c977db8": open /.fscrypt/protectors/41cbb2c50c977db8: permission denied
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: could not read metadata from "/.fscrypt/protectors/a6943dd52cec7cc4": open /.fscrypt/protectors/a6943dd52cec7cc4: permission denied
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: no protector to unlock: no PAM protector for UID=1000 on "/"
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Setting euid=0 egid=0 groups=[1000]
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[1000]
Jul 07 09:54:32 vdmed audit[1083]: USER_START pid=1083 uid=0 auid=1000 ses=3 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_fscrypt acct="test" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: OpenSession(map[debug:true]) succeeded
Jul 07 09:54:36 vdmed pam_fscrypt[575]: CloseSession(map[debug:true]) starting
Jul 07 09:54:36 vdmed pam_fscrypt[575]: count is 0 and we are not locking
Jul 07 09:54:36 vdmed pam_fscrypt[575]: CloseSession(map[debug:true]) failed: open /run/fscrypt/42.count: permission denied
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: OpenSession(map[debug:true]) starting
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Session count for UID=0 updated to 1
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Current privs (real, effective): uid=(1000,0) gid=(1000,1000) groups=[0]
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Setting euid=0 egid=0 groups=[0]
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Current privs (real, effective): uid=(1000,0) gid=(1000,0) groups=[0]
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Reading config from "/etc/fscrypt.conf"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: creating context for user "root"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: found ext4 filesystem "/" (/dev/vda3)
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: listing descriptors in "/.fscrypt/protectors"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: found 2 descriptor(s)
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: successfully read metadata from "/.fscrypt/protectors/41cbb2c50c977db8"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: successfully read metadata from "/.fscrypt/protectors/a6943dd52cec7cc4"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Getting protector a6943dd52cec7cc4 from option
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: successfully read metadata from "/.fscrypt/protectors/a6943dd52cec7cc4"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: listing descriptors in "/.fscrypt/policies"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: found 3 descriptor(s)
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: successfully read metadata from "/.fscrypt/policies/5a646c836b29ab1cd7a570119e314804"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: got data for 5a646c836b29ab1cd7a570119e314804 from "/"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: successfully read metadata from "/.fscrypt/policies/1e3a25c695b1e4b9fde46f5ee44c9f4a"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: got data for 1e3a25c695b1e4b9fde46f5ee44c9f4a from "/"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: successfully read metadata from "/.fscrypt/policies/032e9d66c10fcf915991a6c0d411d41d"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: got data for 032e9d66c10fcf915991a6c0d411d41d from "/"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: stat /sys/fs/bpf/.fscrypt: operation not permitted
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: stat /sys/fs/bpf/.fscrypt/policies: operation not permitted
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: stat /sys/fs/bpf/.fscrypt/protectors: operation not permitted
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: unlocking 1 policies protected with AUTHTOK
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Setting euid=0 egid=1000 groups=[0]
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Current privs (real, effective): uid=(1000,0) gid=(1000,1000) groups=[0]
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: OpenSession(map[debug:true]) failed: unlocking protector a6943dd52cec7cc4: AUTHTOK data missing: No module specific data is present

The problem seems to be how we can apply /usr/local/share/pam-configs/fscrypt to Fedora. For Ubuntu or Debian, there is a tool to do this: pam-auth-update. Knowing what exactly happens during this step might help us make pam_fscrypt.so work on Fedora. (Or perhaps more accurately, make Fedora work with pam_fscrypt.so.)


Any idea how it could be solved?

yerlaser commented 3 years ago

Hi. Unfortunately, I gave up after several attempts and had to switch back to Ubuntu, because unlocking manually after each restart was too annoying.

Looking at the Ubuntu configs, I found out that the session file looks like this:

session optional pam_fscrypt.so drop_caches lock_policies

So, there are two additional parameters: drop_caches and lock_policies. I don't know if that matters, but, if you have a chance, can you check that?

ebiggers commented 3 years ago

> So, there are two additional parameters: drop_caches and lock_policies. I don't know if that matters, but, if you have a chance, can you check that?

The drop_caches and lock_policies options only affect locking (not unlocking), and they aren't needed with the latest version of fscrypt (they are now no-ops). So they aren't relevant here, as the issue here is with unlocking.

yerlaser commented 3 years ago

OK, thanks, you saved me the hassle of installing Fedora to check just that. But, sadly, we are at a dead end currently until someone with deeper PAM knowledge comes by.

yerlaser commented 3 years ago

Hi @luzeal,

Did you try to run authselect or authconfig (https://fedoraproject.org/wiki/Changes/Authselect) to update PAM configuration?

luzeal commented 3 years ago

Good news, I have been able to find a good PAM configuration for Fedora (and perhaps, by extension, other related distributions)!

@yerlaser: thanks for your suggestion. I dove into authselect and found out that there is an opt-in feature for ecryptfs on certain ready-made profiles such as minimal. I used that as an inspiration to get a working configuration for pam_fscrypt.so. (authselect now supersedes authconfig and allows an administrator to apply specific authentication schemes on a system.)

Incomplete walk-through

cat /etc/authselect/custom/fscrypt/password-auth

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        required                                     pam_faillock.so preauth silent                         {include if "with-faillock"}
auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth        required                                     pam_faillock.so authfail                               {include if "with-faillock"}
auth        required                                     pam_deny.so
auth        optional                                     pam_fscrypt.so debug

account     required                                     pam_access.so                                          {include if "with-pamaccess"}
account     required                                     pam_faillock.so                                        {include if "with-faillock"}
account     required                                     pam_unix.so

password    requisite                                    pam_pwquality.so try_first_pass
password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password    required                                     pam_deny.so
password    optional                                     pam_fscrypt.so debug

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
session     optional                                     pam_fscrypt.so debug
session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
-session    optional                                     pam_systemd.so
session     optional                                     pam_oddjob_mkhomedir.so                               {include if "with-mkhomedir"}
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so

cat /etc/authselect/custom/fscrypt/system-auth

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        required                                     pam_faillock.so preauth silent                         {include if "with-faillock"}
auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth        required                                     pam_faillock.so authfail                               {include if "with-faillock"}
auth        required                                     pam_deny.so
auth        optional                                     pam_fscrypt.so debug

account     required                                     pam_access.so                                          {include if "with-pamaccess"}
account     required                                     pam_faillock.so                                        {include if "with-faillock"}
account     required                                     pam_unix.so

password    requisite                                    pam_pwquality.so try_first_pass
password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password    required                                     pam_deny.so
password    optional                                     pam_fscrypt.so debug

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
session     optional                                     pam_fscrypt.so debug
-session    optional                                     pam_systemd.so
session     optional                                     pam_oddjob_mkhomedir.so                               {include if "with-mkhomedir"}
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so

cat /etc/authselect/custom/fscrypt/postlogin

auth        optional                   pam_fscrypt.so debug
auth        optional                   pam_ecryptfs.so unwrap                                 {include if "with-ecryptfs"}

password    optional                   pam_fscrypt.so debug
password    optional                   pam_ecryptfs.so unwrap                                 {include if "with-ecryptfs"}

session     optional                   pam_umask.so silent
session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]                pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
session     optional                   pam_lastlog.so silent noupdate showfailed

Clearly, pam_fscrypt.so for Fedora and related distributions ought to be implemented as a feature of an existing profile, not as an entire profile. But this will be for another day...
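
A small model of the PAM control flow behind the two configurations in this thread (the first password-auth attempt and the later authselect profile with its postlogin line), added here as an example and not part of fscrypt or of anyone's comment above. It assumes a constructed, simplified gdm-password service (not copied from Fedora) and models only required/sufficient/optional plus include/substack on the successful-password path.

```python
import re

# Constructed, simplified PAM stacks modelled on the two configurations in
# this thread (not copied from Fedora): gdm-password pulls in password-auth
# as a substack and postlogin as an include.
BROKEN = {
    "gdm-password": ["auth substack password-auth", "auth include postlogin",
                     "session include password-auth", "session include postlogin"],
    "password-auth": [
        "auth required pam_env.so",
        "auth sufficient pam_unix.so try_first_pass nullok",
        "auth required pam_deny.so",
        "auth optional pam_fscrypt.so debug",   # sits after the early exit
        "session optional pam_keyinit.so revoke",
        "session required pam_unix.so",
        "-session optional pam_systemd.so",
        "session optional pam_fscrypt.so drop_caches lock_policies debug",
    ],
    "postlogin": ["session optional pam_umask.so silent"],
}
# Same stacks plus the postlogin auth line from the later, working profile.
WORKING = dict(BROKEN, postlogin=["auth optional pam_fscrypt.so debug",
                                  "session optional pam_umask.so silent"])

LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def modules_run(files, service, phase):
    """Modules of `phase` that actually execute for `service` on the
    successful-login path (every consulted module succeeds; the
    success=N jumps of bracketed controls are not modelled)."""
    ran = []

    def walk(name):
        # True means a 'sufficient' success ended this stack early.
        for line in files.get(name, []):
            m = LINE.match(line)
            if not m or m.group(1).lstrip("-") != phase:
                continue
            ctrl, mod = m.group(2), m.group(3)
            if ctrl == "substack":
                walk(mod)           # early exit ends only the substack
            elif ctrl == "include":
                if walk(mod):       # early exit ends the whole stack
                    return True
            else:
                ran.append(mod)
                if ctrl == "sufficient":
                    return True
        return False

    walk(service)
    return ran

def fscrypt_reachable(files, service="gdm-password"):
    """pam_fscrypt must run in auth (to stash the AUTHTOK as module data)
    and again in session (to unlock). Returns (auth_ran, session_ran)."""
    return tuple("pam_fscrypt.so" in modules_run(files, service, p)
                 for p in ("auth", "session"))

if __name__ == "__main__":
    print("first attempt :", fscrypt_reachable(BROKEN))    # (False, True)
    print("authselect one:", fscrypt_reachable(WORKING))   # (True, True)
```

In the first configuration the sufficient pam_unix.so line ends the auth substack on a correct password, so the pam_fscrypt.so line behind pam_deny.so is never consulted and nothing stashes the AUTHTOK that the session phase later reports as missing. The postlogin auth line of the authselect profile is reached after the substack returns, which is what makes the session-phase unlock possible.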

yerlaser commented 3 years ago

@luzeal , Man, you're a hero! Have a nice holiday!

fkaempfer commented 1 year ago

Took me a while to figure this out, but I think the easiest way to use fscrypt'ed home directories in Fedora today is using systemd-homed:

# enable systemd homed support in pam
authselect enable-feature with-systemd-homed
systemctl enable --now systemd-homed.service

# Then recreate the user
homectl create username --storage=fscrypt

That's it.

Note that if no user with uid 1000 exists, gdm will load the initial setup screen on next boot.

You can disable this by changing /etc/gdm/custom.conf:

[daemon]
InitialSetupEnable=false

ebiggers commented 1 year ago

You can use systemd-homed if you want to. Just keep in mind that it's not actually related to this project https://github.com/google/fscrypt. It uses the same kernel functionality, but not the userspace code. The userspace code of systemd-homed is separate and is written by the systemd developers. systemd-homed uses v1 encryption policies instead of v2, so you may encounter the known issues from those.