neithernut / pam_e4crypt

PAM module for unlocking transparently encrypted directories on ext4
GNU General Public License v2.0

pam_e4crypt: Failed to retrieve key list! #9

Closed seebaclo closed 7 years ago

seebaclo commented 7 years ago

I'm sorry to disturb you again, but I can't get it working after installation, and the README isn't very detailed.

I've set the following in pam.d/system-auth:

auth      sufficient    pam_unix.so     try_first_pass nullok
auth      optional   pam_e4crypt.so
auth      optional  pam_permit.so
auth      required  pam_env.so

session    optional   pam_keyinit.so       force revoke debug
session    optional   pam_e4crypt.so
session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_permit.so

It doesn't add my ext4 keys after login. I have the following error in syslog: "pam_e4crypt: Failed to retrieve key list!" What are the correct entries in pam.d?

neithernut commented 7 years ago

I use the entries:

auth    required pam_e4crypt.so onerr=succeed
session required pam_e4crypt.so onerr=succeed

I'll add them to the README and add a short explanation. This issue should be closed only after the information has found its way into the documentation.

neithernut commented 7 years ago

Thanks for pointing this out btw, I didn't realize that the documentation lacked information on the entries.

seebaclo commented 7 years ago

It's weird, but I still can't get it to work. Making it required locks me out of the system. Unfortunately I need further guidance. Let's say these are my current files in /etc/pam.d/:

/etc/pam.d/system-auth
#%PAM-1.0

auth      required  pam_unix.so     try_first_pass nullok
auth      optional  pam_permit.so
auth      required  pam_env.so

account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_permit.so
/etc/pam.d/system-login
#%PAM-1.0

auth       required   pam_tally.so         onerr=succeed file=/var/log/faillog
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth

account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth

password   include    system-auth

session    optional   pam_loginuid.so
session    include    system-auth
session    optional   pam_motd.so          motd=/etc/motd
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
-session   optional   pam_systemd.so
session    required   pam_env.so

Where exactly should I put the pam_e4crypt.so and pam_keyinit.so entries?

neithernut commented 7 years ago

It shouldn't matter when you perform the "authentication" with pam_e4crypt, but I recommend doing it rather late. However, it should be invoked as early as possible during the session setup. I recommend having PAM invoke pam_keyinit.so first and pam_e4crypt.so second. You should really use pam_keyinit btw.

For reference, here's my system-login file:

auth        required    pam_tally2.so onerr=succeed
auth        required    pam_shells.so
auth        required    pam_nologin.so
auth        include     system-auth
auth        required    pam_e4crypt.so onerr=succeed

account     required    pam_access.so
account     required    pam_nologin.so
account     include     system-auth
account     required    pam_tally2.so onerr=succeed

password    include     system-auth

session     required    pam_keyinit.so
session     required    pam_e4crypt.so onerr=succeed
session     optional    pam_loginuid.so
session     required    pam_env.so
session     optional    pam_lastlog.so silent
session     include     system-auth
session     optional    pam_ck_connector.so nox11
session     optional    pam_motd.so motd=/etc/motd
session     optional    pam_mail.so

All of this really ought to be part of the documentation. Shame on me.

seebaclo commented 7 years ago

OK, I had my auth method set as sufficient, which broke the chain. Setting it as required or optional fixed this. Also, I had to set session optional for pam_e4crypt.so because required breaks SDDM with a "dbus can't sync environment" error (although console login still works).

One issue that still remains is that after logout my files are still decrypted in plaintext. Using the revoke option for pam_keyinit didn't help. My key isn't shown in keyctl anymore, but perhaps it exists somewhere in a cache. This is perhaps a limitation of ext4 encryption, not a pam_e4crypt issue. Could you confirm this in your setup?

I tested this by logging in with password1, confirming I have the password1 logon key in keyctl, logging out, logging in with password2, and confirming I have the password2 logon key in keyctl (the password1 key is gone), but files encrypted with the password1 logon key are available in plaintext. Everything is done by the same user. Files are encrypted again, as they should be, only after a reboot.

I think the new README is OK. You could add a notice that users can use optional instead of required for pam_e4crypt.so at first for testing, and probably keep an emergency console available because of the lockout risk, as I had with SDDM.

I'm very grateful for your support!
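
A small checker for the two configuration mistakes this thread ran into: a "sufficient" module ahead of pam_e4crypt.so in the auth stack (the stack stops on its success, so pam_e4crypt never runs), and pam_keyinit.so missing or placed after pam_e4crypt.so in the session stack. This is an added example, not code from the pam_e4crypt project; the pam.d files it inspects are constructed samples, and include/substack expansion follows the dict rather than /etc/pam.d.

```python
# Constructed sample files (not the project's own): system-auth makes pam_unix.so
# "sufficient" (as in the opening post) and system-login runs pam_keyinit.so after
# pam_e4crypt.so in the session stack.
PAM_FILES = {
    "system-auth": """\
auth      sufficient  pam_unix.so  try_first_pass nullok
session   required    pam_unix.so
""",
    "system-login": """\
auth       required   pam_shells.so
auth       include    system-auth
auth       required   pam_e4crypt.so onerr=succeed
session    required   pam_e4crypt.so onerr=succeed
session    optional   pam_keyinit.so force revoke
-session   optional   pam_systemd.so
session    include    system-auth
""",
}

def flatten(files, service):
    """Yield (stack, control, module, args) for a service, expanding include/
    substack lines; a leading '-' only silences missing-module logging."""
    for line in files[service].splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        stack, control, module = fields[0].lstrip("-"), fields[1].lower(), fields[2]
        if control in ("include", "substack"):
            yield from (e for e in flatten(files, module) if e[0] == stack)
        else:
            yield stack, control, module, fields[3:]

def check_e4crypt(files, service):
    """Return findings: a 'sufficient' module ahead of pam_e4crypt.so in auth (the
    stack stops on its success, so pam_e4crypt never runs) and session ordering."""
    findings, entries = [], list(flatten(files, service))
    auth = [(c, m) for s, c, m, _ in entries if s == "auth"]
    auth_mods = [m for _, m in auth]
    if "pam_e4crypt.so" in auth_mods:
        for control, module in auth[: auth_mods.index("pam_e4crypt.so")]:
            if control == "sufficient":
                findings.append(f"auth: {module} is 'sufficient' ahead of pam_e4crypt.so")
    else:
        findings.append("auth: pam_e4crypt.so is not invoked")
    session_mods = [m for s, _, m, _ in entries if s == "session"]
    if not {"pam_keyinit.so", "pam_e4crypt.so"} <= set(session_mods):
        findings.append("session: both pam_keyinit.so and pam_e4crypt.so must be invoked")
    elif session_mods.index("pam_keyinit.so") > session_mods.index("pam_e4crypt.so"):
        findings.append("session: pam_keyinit.so must run before pam_e4crypt.so")
    return findings
```

Running check_e4crypt(PAM_FILES, "system-login") reports both problems; with pam_unix.so set to required and pam_keyinit.so moved ahead of pam_e4crypt.so it returns an empty list.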

neithernut commented 7 years ago

Glad to hear. I'll update the README and open a new issue regarding the problem with files still being visible after.