PAM setup including pam_fprintd
I've successfully set up an encrypted home using pam_fscrypt. After that, I configured a fingerprint sensor for login (SDDM/console). That also worked pretty well, but when I rebooted I noticed that while I was able to log in using a fingerprint, my home was no longer decrypted, hence KDE won't start (SDDM hangs). I suspected this was due to the fact that obviously I didn't provide a password, so the protector can't be unlocked.
However, this issue remained even when I logged in with a password instead of a fingerprint, and only went away after I completely deactivated pam_fprintd again. Configuration was done using pam-auth-update on Kubuntu 22.04 (fscrypt v0.3.3).
Is there a proper way of configuring pam_fscrypt together with pam_fprintd?
My guess would be it's an ordering issue in your various pam configuration files. You can turn on debugging for pam_fscrypt. If you post your pam configuration files, and the debug output when you're trying to login, we could help diagnose the problem.
There are two things pam_fscrypt is doing here:
- (Password Stuff) Unlocking your login protector with the user-provided password
- (Session Stuff) Unlocking any directories configured to be protected with your login protector
We would need to know which piece of functionality wasn't working.
Here's the content of all PAM files that contain either pam_fscrypt or pam_fprintd, and SDDM:
# /etc/pam.d/common-auth
auth [success=2 default=ignore] pam_fprintd.so max-tries=1 timeout=10 # debug
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_fscrypt.so debug
auth optional pam_cap.so
# /etc/pam.d/common-password
password [success=1 default=ignore] pam_unix.so obscure yescrypt
password requisite pam_deny.so
password required pam_permit.so
password optional pam_fscrypt.so debug
password optional pam_gnome_keyring.so
# /etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_fscrypt.so debug
session optional pam_systemd.so
# /etc/pam.d/sddm
auth requisite pam_nologin.so
auth required pam_succeed_if.so user != root quiet_success
@include common-auth
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet5.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session optional pam_keyinit.so force revoke
session required pam_limits.so
session required pam_loginuid.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet5.so auto_start
@include common-password
session required pam_env.so
session required pam_env.so envfile=/etc/default/locale user_readenv=1
This is what I get in my syslog with the above configuration when attempting to log in via SDDM (password):
pam_fscrypt[2081]: OpenSession(map[debug:true]) starting
pam_fscrypt[2081]: invoked for system user "sddm" (119), doing nothing
pam_fscrypt[2081]: OpenSession(map[debug:true]) succeeded
pam_fscrypt[2377]: Authenticate(map[debug:true]) starting
pam_fscrypt[2377]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[]
pam_fscrypt[2377]: Setting euid=1000 egid=1000 groups=[1000 4 24 27 29 30 46 122 132 133]
pam_fscrypt[2377]: Current privs (real, effective): uid=(0,1000) gid=(0,1000) groups=[4 24 27 29 30 46 122 132 133 1000]
pam_fscrypt[2377]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[2377]: creating context for user "x"
pam_fscrypt[2377]: found ext4 filesystem "/" (/dev/nvme1n1p3)
pam_fscrypt[2377]: listing protectors in "/.fscrypt/protectors"
pam_fscrypt[2377]: found 1 protectors
pam_fscrypt[2377]: successfully read metadata from "/.fscrypt/protectors/a287f05b93438c06"
pam_fscrypt[2377]: Getting protector a287f05b93438c06 from option
pam_fscrypt[2377]: copying AUTHTOK for use in the session open
pam_fscrypt[2377]: Setting euid=0 egid=0 groups=[]
pam_fscrypt[2377]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[]
pam_fscrypt[2377]: Authenticate(map[debug:true]) failed: could not get AUTHTOK: item not found
pam_fscrypt[2377]: OpenSession(map[debug:true]) starting
pam_fscrypt[2377]: Session count for UID=1000 updated to 1
pam_fscrypt[2377]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[]
pam_fscrypt[2377]: Setting euid=1000 egid=1000 groups=[1000 4 24 27 29 30 46 122 132 133]
pam_fscrypt[2377]: Current privs (real, effective): uid=(0,1000) gid=(0,1000) groups=[4 24 27 29 30 46 122 132 133 1000]
pam_fscrypt[2377]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[2377]: creating context for user "x"
pam_fscrypt[2377]: found ext4 filesystem "/" (/dev/nvme1n1p3)
pam_fscrypt[2377]: listing protectors in "/.fscrypt/protectors"
pam_fscrypt[2377]: found 1 protectors
pam_fscrypt[2377]: successfully read metadata from "/.fscrypt/protectors/a287f05b93438c06"
pam_fscrypt[2377]: Getting protector a287f05b93438c06 from option
pam_fscrypt[2377]: successfully read metadata from "/.fscrypt/protectors/a287f05b93438c06"
pam_fscrypt[2377]: listing policies in "/.fscrypt/policies"
pam_fscrypt[2377]: found 0 policies
pam_fscrypt[2377]: following protector link /home/.fscrypt/protectors/a287f05b93438c06.link
pam_fscrypt[2377]: resolved filesystem link using UUID "b7f705ae-2dd0-4efd-90fe-5086a24b96cc"
pam_fscrypt[2377]: successfully read metadata from "/.fscrypt/protectors/a287f05b93438c06"
pam_fscrypt[2377]: listing policies in "/home/.fscrypt/policies"
pam_fscrypt[2377]: found 1 policies
pam_fscrypt[2377]: successfully read metadata from "/home/.fscrypt/policies/34c615f245adfd75aefe571bf246bdcb"
pam_fscrypt[2377]: got data for 34c615f245adfd75aefe571bf246bdcb from "/home"
pam_fscrypt[2377]: following protector link /media/crypt/.fscrypt/protectors/a287f05b93438c06.link
pam_fscrypt[2377]: resolved filesystem link using UUID "b7f705ae-2dd0-4efd-90fe-5086a24b96cc"
pam_fscrypt[2377]: successfully read metadata from "/.fscrypt/protectors/a287f05b93438c06"
pam_fscrypt[2377]: listing policies in "/media/crypt/.fscrypt/policies"
pam_fscrypt[2377]: found 1 policies
pam_fscrypt[2377]: successfully read metadata from "/media/crypt/.fscrypt/policies/41b9563c12e480fb3af7c4eece5e34d3"
pam_fscrypt[2377]: got data for 41b9563c12e480fb3af7c4eece5e34d3 from "/media/crypt/mail"
pam_fscrypt[2377]: unlocking 2 policies protected with AUTHTOK
pam_fscrypt[2377]: Setting euid=0 egid=0 groups=[]
pam_fscrypt[2377]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[]
pam_fscrypt[2377]: OpenSession(map[debug:true]) failed: unlocking protector a287f05b93438c06: AUTHTOK data missing: No module specific data is present
Trying login on a console:
pam_fscrypt[2493]: Authenticate(map[debug:true]) starting
pam_fscrypt[2493]: Current privs (real, effective): uid=(1000,0) gid=(1000,1000) groups=[4 24 27 29 30 46 122 132 133 1000]
pam_fscrypt[2493]: Setting euid=1000 egid=1000 groups=[1000 4 24 27 29 30 46 122 132 133]
pam_fscrypt[2493]: Current privs (real, effective): uid=(1000,1000) gid=(1000,1000) groups=[4 24 27 29 30 46 122 132 133 1000]
pam_fscrypt[2493]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[2493]: creating context for user "x"
pam_fscrypt[2493]: found ext4 filesystem "/" (/dev/nvme1n1p3)
pam_fscrypt[2493]: listing protectors in "/.fscrypt/protectors"
pam_fscrypt[2493]: found 1 protectors
pam_fscrypt[2493]: successfully read metadata from "/.fscrypt/protectors/a287f05b93438c06"
pam_fscrypt[2493]: Getting protector a287f05b93438c06 from option
pam_fscrypt[2493]: copying AUTHTOK for use in the session open
pam_fscrypt[2493]: Setting euid=0 egid=1000 groups=[4 24 27 29 30 46 122 132 133 1000]
pam_fscrypt[2493]: Current privs (real, effective): uid=(1000,0) gid=(1000,1000) groups=[4 24 27 29 30 46 122 132 133 1000]
pam_fscrypt[2493]: Authenticate(map[debug:true]) failed: could not get AUTHTOK: item not found
Login after deactivating pam_fprintd:
pam_fscrypt[2377]: CloseSession(map[debug:true]) starting
pam_fscrypt[2377]: Session count for UID=1000 updated to 0
pam_fscrypt[2377]: locking policies protected with login protector
pam_fscrypt[2377]: Current privs (real, effective): uid=(0,0) gid=(1000,1000) groups=[4 24 27 29 30 46 122 132 133 1000]
pam_fscrypt[2377]: Setting euid=1000 egid=1000 groups=[1000 4 24 27 29 30 46 122 132 133]
pam_fscrypt[2377]: Current privs (real, effective): uid=(0,1000) gid=(1000,1000) groups=[4 24 27 29 30 46 122 132 133 1000]
pam_fscrypt[2377]: Reading config from "/etc/fscrypt.conf"
pam_fscrypt[2377]: creating context for user "x"
pam_fscrypt[2377]: found ext4 filesystem "/" (/dev/nvme1n1p3)
pam_fscrypt[2377]: listing protectors in "/.fscrypt/protectors"
pam_fscrypt[2377]: found 1 protectors
pam_fscrypt[2377]: successfully read metadata from "/.fscrypt/protectors/a287f05b93438c06"
pam_fscrypt[2377]: Getting protector a287f05b93438c06 from option
pam_fscrypt[2377]: successfully read metadata from "/.fscrypt/protectors/a287f05b93438c06"
pam_fscrypt[2377]: listing policies in "/.fscrypt/policies"
pam_fscrypt[2377]: found 0 policies
pam_fscrypt[2377]: following protector link /home/.fscrypt/protectors/a287f05b93438c06.link
pam_fscrypt[2377]: resolved filesystem link using UUID "b7f705ae-2dd0-4efd-90fe-5086a24b96cc"
pam_fscrypt[2377]: successfully read metadata from "/.fscrypt/protectors/a287f05b93438c06"
pam_fscrypt[2377]: listing policies in "/home/.fscrypt/policies"
pam_fscrypt[2377]: found 1 policies
pam_fscrypt[2377]: successfully read metadata from "/home/.fscrypt/policies/34c615f245adfd75aefe571bf246bdcb"
pam_fscrypt[2377]: got data for 34c615f245adfd75aefe571bf246bdcb from "/home"
pam_fscrypt[2377]: following protector link /media/crypt/.fscrypt/protectors/a287f05b93438c06.link
pam_fscrypt[2377]: resolved filesystem link using UUID "b7f705ae-2dd0-4efd-90fe-5086a24b96cc"
pam_fscrypt[2377]: successfully read metadata from "/.fscrypt/protectors/a287f05b93438c06"
pam_fscrypt[2377]: listing policies in "/media/crypt/.fscrypt/policies"
pam_fscrypt[2377]: found 1 policies
pam_fscrypt[2377]: successfully read metadata from "/media/crypt/.fscrypt/policies/41b9563c12e480fb3af7c4eece5e34d3"
pam_fscrypt[2377]: got data for 41b9563c12e480fb3af7c4eece5e34d3 from "/media/crypt/mail"
pam_fscrypt[2377]: Detected support for filesystem keyring
pam_fscrypt[2377]: FS_IOC_GET_ENCRYPTION_KEY_STATUS("/home", 34c615f245adfd75aefe571bf246bdcb) = errno 0, status=1, status_flags=0x0
pam_fscrypt[2377]: policy 34c615f245adfd75aefe571bf246bdcb not provisioned by x
pam_fscrypt[2377]: FS_IOC_GET_ENCRYPTION_KEY_STATUS("/media/crypt/mail", 41b9563c12e480fb3af7c4eece5e34d3) = errno 0, status=1, status_flags=0x0
pam_fscrypt[2377]: policy 41b9563c12e480fb3af7c4eece5e34d3 not provisioned by x
pam_fscrypt[2377]: Setting euid=0 egid=1000 groups=[4 24 27 29 30 46 122 132 133 1000]
pam_fscrypt[2377]: Current privs (real, effective): uid=(0,0) gid=(1000,1000) groups=[4 24 27 29 30 46 122 132 133 1000]
pam_fscrypt[2377]: CloseSession(map[debug:true]) succeeded
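To reason about the ordering the maintainer points at, here is an added example (not code from this thread or from the fscrypt project) that parses the `[success=N default=ignore]` control syntax of the common-auth stack posted above and simulates which modules libpam actually executes for a given set of module results. It works on a constructed copy of that stack and assumes pam_unix is the only module that collects the password (sets PAM_AUTHTOK) and that pam_deny's result is supplied by the caller.

```python
import re
# Constructed copy of the common-auth stack posted in this thread (not read from disk).
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_fprintd.so max-tries=1 timeout=10
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_fscrypt.so debug
auth optional pam_cap.so
"""
# The keyword controls used above, in their [value=action] form (pam.conf(5)); simplified.
KEYWORDS = {"required": {"success": "ok", "default": "bad"},
            "requisite": {"success": "ok", "default": "die"},
            "optional": {"success": "ok", "default": "ignore"}}
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")

def parse_stack(text, facility="auth"):
    """Return [(module, control-dict)] for one facility, in file order."""
    rules = []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != facility:
            continue
        if m.group(2).startswith("["):
            ctl = dict(kv.split("=", 1) for kv in m.group(2).strip("[]").split())
        else:
            ctl = KEYWORDS[m.group(2)]
        rules.append((m.group(3), ctl))
    return rules

def simulate(rules, outcomes):
    """Walk the stack like libpam: outcomes maps module -> result; returns (executed, verdict)."""
    executed, i, failed = [], 0, False
    while i < len(rules):
        module, ctl = rules[i]
        executed.append(module)
        action = ctl.get(outcomes.get(module, "success"), ctl.get("default", "bad"))
        if action.isdigit():           # integer action: skip the next N modules
            i += int(action) + 1
            continue
        if action == "die":
            return executed, "fail"
        failed = failed or action == "bad"
        i += 1
    return executed, "fail" if failed else "success"

def authtok_reaches_fscrypt(executed):
    """True if a password-collecting module (pam_unix here) ran before pam_fscrypt."""
    return ("pam_fscrypt.so" in executed and "pam_unix.so" in executed
            and executed.index("pam_unix.so") < executed.index("pam_fscrypt.so"))
```

On a fingerprint success the `success=2` jump skips pam_unix entirely, so pam_fscrypt's auth hook runs with no PAM_AUTHTOK to copy, which matches the first post's suspicion. This static model does not reproduce the password-path failure in the logs above, so that part still needs the debug output to diagnose.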