
Devuan chimaera slim/elogind hangs

Open kmihaylov opened this issue 4 years ago • 3 comments

I guess that's not the right place to ask this question, but I didn't get any support where I asked.

To the question. I installed Devuan Chimaera and I wanted to use fscrypt with pam, so as to use my login password to decrypt my home folder. Using the console, I successfully log on to the system and my files are decrypted. With the login manager (slim), immediately after I put in my login details, the screen hangs with the default background and no menus or mouse cursor are shown.

I tried to put "session optional pam_fscrypt.so drop_caches lock_policies" before "session required pam_unix.so" in common-session (Debian bug "libpam-fscrypt: encrypted home not unlocked in time") with no luck.

Any ideas are welcome!

kmihaylov avatar Dec 14 '21 19:12 kmihaylov

Does this reproduce with the latest version of fscrypt (v0.3.1)? If so, can you append the debug argument to the lines for pam_fscrypt.so in your PAM configuration files, and provide the log output when trying to log in?

ebiggers avatar Dec 16 '21 01:12 ebiggers

I observe the same problem on a gentoo-machine (with a weird installation with fscrypt-0.3.1, slim-1.3.6-r5 and old pam-1.3.1 without elogind which I'm in the process of updating):

  • Encrypted Home-folder on ext4
  • login works on a TTY, home-folder is accessible
  • after login, slim hangs with a child X-server
  • login via slim doesn't work even if I previously authenticated on another TTY (somewhat expected)

My first suspicion was that maybe I screwed up and slim would not end up using a different config due to being a different service. But both login and slim include the same file containing virtually the entire pam config. The module also appears to be called in both cases, judging from a short glimpse at the logs. My current suspicion is that slim/X would try to read the .Xauthority or some other file in $HOME prematurely, but I didn't investigate further yet.

Graphical login with an encrypted home is known to work on this machine via a custom pam-module which stopped working with pam-1.4. However, I foolishly removed the corresponding bits from the PAM-config already and now I don't know where I placed those entries, exactly, any more.

Current /etc/pam.d/system-auth (pre-update, rest of the config should be gentoo vanilla):

auth		required	pam_env.so 
auth		required	pam_unix.so try_first_pass likeauth nullok 
-auth           optional        pam_fscrypt.so debug
auth		optional	pam_permit.so
account		required	pam_unix.so 
account		optional	pam_permit.so
password	required	pam_unix.so try_first_pass  nullok sha512 shadow 
-password       optional        pam_fscrypt.so debug
password	optional	pam_permit.so
-session        optional        pam_elogind.so
session		required	pam_limits.so 
session		required	pam_env.so 
session		required	pam_unix.so 
-session        optional        pam_fscrypt.so debug
session		optional	pam_permit.so

neithernut avatar Dec 16 '21 14:12 neithernut

Since logs were requested, I extracted them for the logins earlier. I removed date/time and hostname and redacted policy and protector names (even though they should be safe to share IIUC).

This should be a login via slim (at least I find a corresponding line from slim in the auth log)

pam_fscrypt[2797]: Authenticate(map[debug:true]) starting
pam_fscrypt[2797]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[]
pam_fscrypt[2797]: Setting euid=1000 egid=100 groups=[100 10 14 18 27 85 35 78]
pam_fscrypt[2797]: Current privs (real, effective): uid=(0,1000) gid=(0,100) groups=[10 14 18 27 35 78 85 100]
pam_fscrypt[2797]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[2797]: creating context for user "neithernut"
pam_fscrypt[2797]: found ext4 filesystem "/" (/dev/sda2)
pam_fscrypt[2797]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[2797]: found 1 descriptor(s)
pam_fscrypt[2797]: successfully read metadata from "/.fscrypt/protectors/XXXXXXXXXXXXXXXX"
pam_fscrypt[2797]: Getting protector XXXXXXXXXXXXXXXX from option
pam_fscrypt[2797]: copying AUTHTOK for use in the session open
pam_fscrypt[2797]: Setting euid=0 egid=0 groups=[]
pam_fscrypt[2797]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[]
pam_fscrypt[2797]: Authenticate(map[debug:true]) succeeded
dbus-daemon[2604]: [system] Activating service name='org.freedesktop.login1' requested by ':1.1' (uid=0 pid=2797 comm="/usr/bin/slim ") (using servicehelper)
dbus-daemon[2604]: [system] Successfully activated service 'org.freedesktop.login1'
pam_fscrypt[2797]: OpenSession(map[debug:true]) starting
pam_fscrypt[2797]: Session count for UID=1000 updated to 1
pam_fscrypt[2797]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[]
pam_fscrypt[2797]: Setting euid=1000 egid=100 groups=[100 10 14 18 27 85 35 78]

The logs for the login appear to really just end there, shortly after the OpenSession started line.

And this should be a login via login (also find a corresponding line in the auth log). Obviously successful.

pam_fscrypt[2864]: Authenticate(map[debug:true]) starting
pam_fscrypt[2864]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[]
pam_fscrypt[2864]: Setting euid=1000 egid=100 groups=[100 10 14 18 27 85 35 78]
pam_fscrypt[2864]: Current privs (real, effective): uid=(0,1000) gid=(0,100) groups=[10 14 18 27 35 78 85 100]
pam_fscrypt[2864]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[2864]: creating context for user "neithernut"
pam_fscrypt[2864]: found ext4 filesystem "/" (/dev/sda2)
pam_fscrypt[2864]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[2864]: found 1 descriptor(s)
pam_fscrypt[2864]: successfully read metadata from "/.fscrypt/protectors/XXXXXXXXXXXXXXXX"
pam_fscrypt[2864]: Getting protector XXXXXXXXXXXXXXXX from option
pam_fscrypt[2864]: copying AUTHTOK for use in the session open
pam_fscrypt[2864]: Setting euid=0 egid=0 groups=[]
pam_fscrypt[2864]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[]
pam_fscrypt[2864]: Authenticate(map[debug:true]) succeeded
pam_fscrypt[2864]: OpenSession(map[debug:true]) starting
pam_fscrypt[2864]: Session count for UID=1000 updated to 2
pam_fscrypt[2864]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[]
pam_fscrypt[2864]: Setting euid=1000 egid=100 groups=[100 10 14 18 27 85 35 78]
pam_fscrypt[2864]: Current privs (real, effective): uid=(0,1000) gid=(0,100) groups=[10 14 18 27 35 78 85 100]
pam_fscrypt[2864]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[2864]: creating context for user "neithernut"
pam_fscrypt[2864]: found ext4 filesystem "/" (/dev/sda2)
pam_fscrypt[2864]: listing descriptors in "/.fscrypt/protectors"
pam_fscrypt[2864]: found 1 descriptor(s)
pam_fscrypt[2864]: successfully read metadata from "/.fscrypt/protectors/XXXXXXXXXXXXXXXX"
pam_fscrypt[2864]: Getting protector XXXXXXXXXXXXXXXX from option
pam_fscrypt[2864]: successfully read metadata from "/.fscrypt/protectors/XXXXXXXXXXXXXXXX"
pam_fscrypt[2864]: listing descriptors in "/.fscrypt/policies"
pam_fscrypt[2864]: found 1 descriptor(s)
pam_fscrypt[2864]: successfully read metadata from "/.fscrypt/policies/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY"
pam_fscrypt[2864]: got data for YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY from "/"
pam_fscrypt[2864]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
pam_fscrypt[2864]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
pam_fscrypt[2864]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
pam_fscrypt[2864]: stat /sys/kernel/debug/.fscrypt: permission denied
pam_fscrypt[2864]: stat /sys/kernel/debug/.fscrypt/policies: permission denied
pam_fscrypt[2864]: stat /sys/kernel/debug/.fscrypt/protectors: permission denied
pam_fscrypt[2864]: unlocking 1 policies protected with AUTHTOK
pam_fscrypt[2864]: running passphrase hash for protector XXXXXXXXXXXXXXXX
pam_fscrypt[2864]: valid wrapping key for protector XXXXXXXXXXXXXXXX
pam_fscrypt[2864]: Detected support for filesystem keyring
pam_fscrypt[2864]: FS_IOC_GET_ENCRYPTION_KEY_STATUS("/", YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY) = errno 0, status=1, status_flags=0x0
pam_fscrypt[2864]: FS_IOC_ADD_ENCRYPTION_KEY("/", YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY, <raw>) = errno 0
pam_fscrypt[2864]: policy YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY provisioned by neithernut
pam_fscrypt[2864]: Setting euid=0 egid=0 groups=[]
pam_fscrypt[2864]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[]
pam_fscrypt[2864]: OpenSession(map[debug:true]) succeeded

neithernut avatar Dec 16 '21 18:12 neithernut
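The comparison made by hand in the logs above (the slim login stops after "OpenSession ... starting", the TTY login reaches "succeeded") can be automated. The following is an added example, not part of the thread or of fscrypt's code: it groups pam_fscrypt debug lines by PID and reports every PAM hook that started but never logged a result. The sample log is constructed to mirror the format quoted above, and treating any status word other than "starting" as the end of a hook is an assumption.

```python
import re

# Constructed sample modeled on the pam_fscrypt debug lines quoted in this thread.
# PIDs 4001/4002 and the dbus line are illustrative, not taken from a real log.
SAMPLE_LOG = """\
pam_fscrypt[4001]: Authenticate(map[debug:true]) starting
pam_fscrypt[4001]: Authenticate(map[debug:true]) succeeded
dbus-daemon[2604]: [system] Successfully activated service 'org.freedesktop.login1'
pam_fscrypt[4001]: OpenSession(map[debug:true]) starting
pam_fscrypt[4001]: Session count for UID=1000 updated to 1
pam_fscrypt[4001]: Setting euid=1000 egid=100 groups=[100 10]
pam_fscrypt[4002]: Authenticate(map[debug:true]) starting
pam_fscrypt[4002]: Authenticate(map[debug:true]) succeeded
pam_fscrypt[4002]: OpenSession(map[debug:true]) starting
pam_fscrypt[4002]: unlocking 1 policies protected with AUTHTOK
pam_fscrypt[4002]: OpenSession(map[debug:true]) succeeded
"""

# search() rather than match(): real auth logs prefix each line with date and hostname.
LINE_RE = re.compile(r"pam_fscrypt\[(\d+)\]: (.*)")
# Hook name, its argument map, then a status word ("starting", "succeeded", ...).
PHASE_RE = re.compile(r"^(\w+)\(map\[.*\]\) (\w+)")


def find_stalled_phases(log_text):
    """Return {pid: (hook, last_message)} for hooks that started but never finished."""
    open_phase = {}  # pid -> hook currently in progress
    last_msg = {}    # pid -> most recent pam_fscrypt message for that pid
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # lines from other daemons are interleaved in the auth log
        pid, msg = int(m.group(1)), m.group(2).strip()
        last_msg[pid] = msg
        p = PHASE_RE.match(msg)
        if p and p.group(2) == "starting":
            open_phase[pid] = p.group(1)
        elif p:
            # Assumption: any other status word closes the hook.
            open_phase.pop(pid, None)
    return {pid: (hook, last_msg[pid]) for pid, hook in open_phase.items()}


if __name__ == "__main__":
    for pid, (hook, msg) in find_stalled_phases(SAMPLE_LOG).items():
        print(f"pid {pid}: {hook} never completed; last message: {msg}")
```

The last message reported for a stalled PID shows how far the hook got, which is the detail to include when attaching debug logs to a report like this one.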