kubesail / pibox-host


Changing the owner password means that the LUKS key no longer matches #43

Open damianharouff opened 3 months ago

damianharouff commented 3 months ago

When Pibox reboots, the app prompts you to enter your owner password to unlock disks, which is used here:

https://github.com/kubesail/pibox-host/blob/ce6dcd7b7f8ee23c670c70633d2a7f85ba1823e5/src/pages/api/login.js#L70

However, if you change the password of the owner in the app, the new password no longer results in the key necessary to unlock the disks.

If anyone else encounters this, the following can be used to get the hash used to encrypt the disks as long as the original owner's password is known:

import { createHash } from 'crypto'
const youroldpassword = "your old password here"
const message = createHash('sha256').update(youroldpassword).digest('hex');
console.log(message)

Playcode here: https://playcode.io/1849337

The resulting hash can be used to unlock the disks like so:

echo 21d8ccaa...bighash....afee1e2be6 | cryptsetup luksOpen /dev/sda encrypted_sda
echo 21d8ccaa...bighash....afee1e2be6 | cryptsetup luksOpen /dev/sdb encrypted_sdb

and then the app seems to pick up disks as unlocked and everything functions as normal.

damianharouff commented 3 months ago

If I re-key LUKS with the following commands...

cryptsetup luksChangeKey /dev/sda -S 0
cryptsetup luksChangeKey /dev/sdb -S 0

... in-app owner unlock after reboot seems to work as expected. The issue is that re-keying after the fact requires knowing both the previous and current owner password to generate the previous and new hashes, and that each re-key command seems to take ~20 seconds to complete, so I'm not sure if that's something that should be handled by the app during the owner password change function, at least not without some kind of un-cancelable progress indicator to the user.

Also after this action, everything I do in the app returns a 500 error code, and I'm uncertain how to see what the problem is specifically since neither the app nor the daemon seems to log anywhere.

damianharouff commented 3 months ago

Ah, figured out the daemon logs to syslog. Every action in the app now responds with the following:

Apr 28 11:32:45 pibox systemd[1]: pibox-host.service: Scheduled restart job, restart counter is at 1.
Apr 28 11:32:45 pibox systemd[1]: Stopped PiBox Host Server.
Apr 28 11:32:45 pibox systemd[1]: pibox-host.service: Consumed 16.799s CPU time.
Apr 28 11:32:45 pibox systemd[1]: Started PiBox Host Server.
Apr 28 11:32:45 pibox node[1360]: Starting PiBox Host
Apr 28 11:32:46 pibox node[1371]: PiBox Framebuffer listening on localhost:2019
Apr 28 11:32:46 pibox node[1360]: > Ready on http://localhost:80
Apr 28 11:32:46 pibox node[1360]: > Ready on https://localhost:443
Apr 28 11:32:47 pibox node[1360]: Error mounting logical volume: Error: Command failed: mount /dev/pibox_vg/pibox_lv /pibox
Apr 28 11:32:47 pibox node[1360]: mount: /pibox: /dev/mapper/pibox_vg-pibox_lv already mounted on /pibox.
Apr 28 11:32:47 pibox node[1360]: { setupComplete: true }
Apr 28 11:32:47 pibox node[1360]: Disk Status
Apr 28 11:32:47 pibox node[1360]:   All Encrypted: true - All Unlocked: true
Apr 28 11:32:47 pibox node[1360]:   ---
Apr 28 11:32:47 pibox node[1360]:   sda - Encrypted: true - Unlocked: true
Apr 28 11:32:47 pibox node[1360]:   sdb - Encrypted: true - Unlocked: true
Apr 28 11:32:52 pibox node[1360]: [Pre-setup update check] Currently up to date (v1.47.0)
Apr 28 11:32:54 pibox node[1360]: TypeError: Cannot read properties of null (reading 'sessions')
Apr 28 11:32:54 pibox node[1360]:     at pushSession (/opt/pibox-host/v1.47.0/.next/server/pages/api/login.js:229:36)
Apr 28 11:32:54 pibox node[1360]:     at async handler (/opt/pibox-host/v1.47.0/.next/server/pages/api/login.js:217:5)
Apr 28 11:33:06 pibox node[1360]: TypeError: Cannot read properties of null (reading 'sessions')
Apr 28 11:33:06 pibox node[1360]:     at middlewareAuth (/opt/pibox-host/v1.47.0/.next/server/chunks/685.js:553:29)
Apr 28 11:33:06 pibox node[1360]:     at async handler (/opt/pibox-host/v1.47.0/.next/server/pages/api/files/[[...slug]].js:177:10)
Apr 28 11:33:08 pibox node[1360]: TypeError: Cannot read properties of null (reading 'sessions')
Apr 28 11:33:08 pibox node[1360]:     at middlewareAuth (/opt/pibox-host/v1.47.0/.next/server/chunks/685.js:553:29)
Apr 28 11:33:08 pibox node[1360]:     at async handler (/opt/pibox-host/v1.47.0/.next/server/pages/api/whoami.js:112:10)
Apr 28 11:33:11 pibox node[1360]: TypeError: Cannot read properties of null (reading 'sessions')
Apr 28 11:33:11 pibox node[1360]:     at middlewareAuth (/opt/pibox-host/v1.47.0/.next/server/chunks/685.js:553:29)
Apr 28 11:33:11 pibox node[1360]:     at async handler (/opt/pibox-host/v1.47.0/.next/server/pages/api/files/[[...slug]].js:177:10)
Apr 28 11:33:27 pibox dhcpcd[489]: eth0: Router Advertisement from fe80::1c11:c630:6c4a:2287
Apr 28 11:34:36 pibox node[1360]: TypeError: Cannot read properties of null (reading 'sessions')
Apr 28 11:34:36 pibox node[1360]:     at middlewareAuth (/opt/pibox-host/v1.47.0/.next/server/chunks/685.js:553:29)
Apr 28 11:34:36 pibox node[1360]:     at async handler (/opt/pibox-host/v1.47.0/.next/server/pages/api/files/[[...slug]].js:177:10)
Apr 28 11:34:42 pibox node[1360]: TypeError: Cannot read properties of null (reading 'sessions')
Apr 28 11:34:42 pibox node[1360]:     at middlewareAuth (/opt/pibox-host/v1.47.0/.next/server/chunks/685.js:553:29)
Apr 28 11:34:42 pibox node[1360]:     at async handler (/opt/pibox-host/v1.47.0/.next/server/pages/api/files/[[...slug]].js:177:10)
Apr 28 11:34:43 pibox node[1360]: TypeError: Cannot read properties of null (reading 'sessions')
Apr 28 11:34:43 pibox node[1360]:     at middlewareAuth (/opt/pibox-host/v1.47.0/.next/server/chunks/685.js:553:29)
Apr 28 11:34:43 pibox node[1360]:     at async handler (/opt/pibox-host/v1.47.0/.next/server/pages/api/whoami.js:112:10)
Apr 28 11:34:46 pibox node[1360]: TypeError: Cannot read properties of null (reading 'sessions')
Apr 28 11:34:46 pibox node[1360]:     at middlewareAuth (/opt/pibox-host/v1.47.0/.next/server/chunks/685.js:553:29)
Apr 28 11:34:46 pibox node[1360]:     at async handler (/opt/pibox-host/v1.47.0/.next/server/pages/api/files/[[...slug]].js:177:10)
Apr 28 11:38:05 pibox node[1360]: TypeError: Cannot read properties of null (reading 'sessions')
Apr 28 11:38:05 pibox node[1360]:     at middlewareAuth (/opt/pibox-host/v1.47.0/.next/server/chunks/685.js:553:29)
Apr 28 11:38:05 pibox node[1360]:     at async handler (/opt/pibox-host/v1.47.0/.next/server/pages/api/files/[[...slug]].js:177:10)
Apr 28 11:38:30 pibox node[1360]: TypeError: Cannot read properties of null (reading 'sessions')
Apr 28 11:38:30 pibox node[1360]:     at middlewareAuth (/opt/pibox-host/v1.47.0/.next/server/chunks/685.js:553:29)
Apr 28 11:38:30 pibox node[1360]:     at async handler (/opt/pibox-host/v1.47.0/.next/server/pages/api/files/[[...slug]].js:177:10)

This is after swiping away the app and re-opening it, and logging out of the app and trying to log back in.