
pam_mount: Volume is not mounted at login time: password prompt never appears

Open sebelk opened this issue 3 years ago • 12 comments

I have installed gocryptfs 1.6.1 on Debian Buster.

In this example the non-root user is sjb.

When I login either locally or through ssh it fails, for example with this log message:

May  2 15:21:38 controller sshd[1933]: (pam_mount.c:365): pam_mount 2.16: entering auth stage
May  2 15:21:38 controller sshd[1933]: Accepted password for sjb from 192.168.79.41 port 38000 ssh2
May  2 15:21:38 controller sshd[1933]: pam_unix(sshd:session): session opened for user sjb by (uid=0)
May  2 15:21:38 controller sshd[1933]: (pam_mount.c:568): pam_mount 2.16: entering session stage
May  2 15:21:38 controller sshd[1933]: (mount.c:262): Mount info: globalconf, user=sjb <volume fstype="fuse" server="(null)" path="/usr/bin/gocryptfs#/home/sjb_cifrado" mountpoint="/home/sjb" cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhash="(null)" options="nodev,nosuid,quiet,nonempty,allow_other" /> fstab=0 ssh=0
May  2 15:21:38 controller sshd[1933]: (mount.c:659): Password will be sent to helper as-is.
May  2 15:21:38 controller sshd[1933]: command: 'mount.fuse' '/usr/bin/gocryptfs#/home/sjb_cifrado' '/home/sjb' '-o' 'nodev,nosuid,quiet,nonempty,allow_other' 
May  2 15:21:38 controller sshd[1935]: (spawn.c:136): setting uid to user sjb
May  2 15:21:38 controller sshd[1933]: (mount.c:72): Messages from underlying mount program:
May  2 15:21:38 controller sshd[1933]: (mount.c:76): failed to unlock master key: cipher: message authentication failed
May  2 15:21:38 controller sshd[1933]: (mount.c:76): Password incorrect.

Prompt for password never occurs. However, I can mount the encrypted directory manually. In fact, if I run from root with su - sjb, it prompts for the mount password and it works.

I've included this in /etc/security/pam_mount.conf.xml:

<volume user="sjb" fstype="fuse" uid="1003" gid="1004" options="nodev,nosuid,quiet,nonempty,allow_other"
        path="/usr/bin/gocryptfs#/home/%(USER)_cifrado" mountpoint="/home/%(USER)" />

My config of pam is as follows:

 egrep -v '^$1|^#' /etc/pam.d/common-{account,auth,password,session}
/etc/pam.d/common-account:
/etc/pam.d/common-account:account       [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so 
/etc/pam.d/common-account:account       requisite                       pam_deny.so
/etc/pam.d/common-account:account       required                        pam_permit.so
/etc/pam.d/common-auth:
/etc/pam.d/common-auth:auth     [success=1 default=ignore]      pam_unix.so nullok_secure
/etc/pam.d/common-auth:auth     requisite                       pam_deny.so
/etc/pam.d/common-auth:auth     required                        pam_permit.so
/etc/pam.d/common-auth:auth     optional        pam_mount.so
/etc/pam.d/common-password:
/etc/pam.d/common-password:
/etc/pam.d/common-password:
/etc/pam.d/common-password:password     [success=1 default=ignore]      pam_unix.so obscure sha512
/etc/pam.d/common-password:password     requisite                       pam_deny.so
/etc/pam.d/common-password:password     required                        pam_permit.so
/etc/pam.d/common-password:password     optional        pam_mount.so disable_interactive
/etc/pam.d/common-session:
/etc/pam.d/common-session:session       [default=1]                     pam_permit.so
/etc/pam.d/common-session:session       requisite                       pam_deny.so
/etc/pam.d/common-session:session       required                        pam_permit.so
/etc/pam.d/common-session:session       required        pam_unix.so 
/etc/pam.d/common-session:session       optional        pam_mount.so 
/etc/pam.d/common-session:session       optional        pam_systemd.so 

I've attached a more complete log, please could you help to determine if I am missing something?

Thanks in advance! log-gofs.txt

sebelk avatar May 02 '21 18:05 sebelk
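An added example (not from the issue or from the gocryptfs or pam_mount projects) that parses pam_mount syslog lines like the ones above into a per-login summary and separates the case this issue describes (pam_mount forwarding the login password "as-is" and gocryptfs rejecting it) from a missing session stage or a successful mount; the syslog excerpt is constructed to match the shape of the lines quoted in the issue, with a second PID added for contrast.

```python
import re
# Constructed pam_mount syslog excerpt: pid 1933 mirrors the failing ssh login
# from this issue; pid 2100 is a constructed successful login for contrast.
SAMPLE_LOG = """\
May  2 15:21:38 controller sshd[1933]: (pam_mount.c:365): pam_mount 2.16: entering auth stage
May  2 15:21:38 controller sshd[1933]: (pam_mount.c:568): pam_mount 2.16: entering session stage
May  2 15:21:38 controller sshd[1933]: (mount.c:262): Mount info: globalconf, user=sjb <volume fstype="fuse" server="(null)" path="/usr/bin/gocryptfs#/home/sjb_cifrado" mountpoint="/home/sjb" cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhash="(null)" options="nodev,nosuid,quiet,nonempty,allow_other" /> fstab=0 ssh=0
May  2 15:21:38 controller sshd[1933]: (mount.c:659): Password will be sent to helper as-is.
May  2 15:21:38 controller sshd[1933]: command: 'mount.fuse' '/usr/bin/gocryptfs#/home/sjb_cifrado' '/home/sjb' '-o' 'nodev,nosuid,quiet,nonempty,allow_other'
May  2 15:21:38 controller sshd[1933]: (mount.c:72): Messages from underlying mount program:
May  2 15:21:38 controller sshd[1933]: (mount.c:76): failed to unlock master key: cipher: message authentication failed
May  2 15:21:38 controller sshd[1933]: (mount.c:76): Password incorrect.
May  2 16:02:10 controller sshd[2100]: (pam_mount.c:568): pam_mount 2.16: entering session stage
May  2 16:02:10 controller sshd[2100]: (pam_mount.c:660): done opening session (ret=0)
"""
SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ (\S+)\[(\d+)\]: (.*)$")

def parse_pam_mount(log_text):
    """Group pam_mount messages by login PID: stages, chosen volume, helper output."""
    sessions = {}
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        pid, msg = m.group(2), m.group(3)
        s = sessions.setdefault(pid, {"user": None, "path": None, "mountpoint": None, "stages": [],
                                      "helper": [], "password_as_is": False, "session_done": False})
        st = re.search(r"entering (\w+) stage", msg)
        if st:
            s["stages"].append(st.group(1))
        info = re.search(r'user=(\S+) <volume .*?path="([^"]+)" mountpoint="([^"]+)"', msg)
        if info:
            s["user"], s["path"], s["mountpoint"] = info.groups()
        if "Password will be sent to helper as-is" in msg:
            s["password_as_is"] = True      # pam_mount forwards the login password unchanged
        h = re.match(r"\(mount\.c:76\): (.*)", msg)
        if h:
            s["helper"].append(h.group(1))  # output of mount.fuse / gocryptfs itself
        if "done opening session (ret=0)" in msg:
            s["session_done"] = True
    return sessions

def diagnose(s):
    """Classify one login summary produced by parse_pam_mount()."""
    if "session" not in s["stages"]:
        return "no_session_stage"           # pam_mount.so never ran in the session stack
    if any(h.startswith("Password incorrect") for h in s["helper"]):
        # gocryptfs rejected the only password it received: the login password
        return "login_password_rejected" if s["password_as_is"] else "volume_password_rejected"
    if s["helper"]:
        return "helper_error"
    return "mounted" if s["session_done"] else "unknown"
```

Running `diagnose()` over each entry of `parse_pam_mount(SAMPLE_LOG)` yields `login_password_rejected` for PID 1933 and `mounted` for PID 2100.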

Well, I've found a workaround setting the same cipher password as the user password. I wonder what I should do to use different passwords...

sebelk avatar May 02 '21 23:05 sebelk

Hmm, what happens when you comment

auth     optional        pam_mount.so

? This may force pam_mount to prompt for a password.

rfjakob avatar May 03 '21 09:05 rfjakob

Hmm, what happens when you comment

auth     optional        pam_mount.so

? This may force pam_mount to prompt for a password.

Hi rfjakob, sadly it didn't work. Also I've tried with "requisite" instead of "optional" and it didn't work either.

I'd like to emphasize that this issue happens when user password is different from mount password.

sebelk avatar May 03 '21 12:05 sebelk

So I found this, https://sourceforge.net/p/pam-mount/support-requests/57/#bc84 , which says to add disable_pam_password to the pam config like this:

    auth    optional        pam_mount.so    disable_pam_password

However, I still don't get it to work here on a Debian Buster. I do not get a 2nd password prompt.

rfjakob avatar Aug 24 '21 18:08 rfjakob

Hi,

I am not sure if the module prompts on failure. Maybe it has to be required? Otherwise the module argument route is worth exploring. I might check the source code of libpam-mount. Here are your choices, but I do not see them documented in the manual page.

My login and volume passwords are the same. For the sake of completeness, here is the setup that worked for me on Debian until recently, when my NFS changed:

➤ more /usr/share/pam-configs/libpam-mount
Name: Mount volumes for user
Default: yes
Priority: 128
Auth-Type: Additional
Auth:
        [success=1 default=ignore]      pam_succeed_if.so       debug uid eq 0
        optional        pam_mount.so
Session-Interactive-Only: yes
Session-Type: Additional
Session:
        [success=1 default=ignore]      pam_succeed_if.so       debug uid eq 0
        optional        pam_mount.so
Password-Type: Additional
Password:
        optional        pam_mount.so    disable_interactive

When working with split PAM configs, you would have to run pam-auth-update after making changes. Please be careful: that tool also processes left-over backup files (*~).

Kind regards Felix Lechner

lechner avatar Aug 24 '21 18:08 lechner

I found docs about the options here: https://sourceforge.net/p/pam-mount/pam-mount/ci/master/tree/doc/options.txt

rfjakob avatar Aug 25 '21 06:08 rfjakob

AFAICS in the source code, it should prompt for a password here:

https://salsa.debian.org/debian/libpam-mount/-/blob/4c1a655847a1ac9ae0f6b2f066bdc232588ba4de/src/pam_mount.c#L313

But I never actually saw the prompt on ssh login.

EDIT: IT DOES WORK VIA SU! SEE BELOW

$ su test1
(pam_mount.c:365): pam_mount 2.16: entering auth stage
pam_mount password:
Password: 
(pam_mount.c:568): pam_mount 2.16: entering session stage
(mount.c:262): Mount info: globalconf, user=test1 <volume fstype="fuse" server="(null)" path="/usr/bin/gocryptfs#/home/test1/cipher" mountpoint="/home/test1/plain" cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhash="(null)" options="nodev,nosuid,quiet" /> fstab=0 ssh=0
(mount.c:659): Password will be sent to helper as-is.
command: 'mount.fuse' '/usr/bin/gocryptfs#/home/test1/cipher' '/home/test1/plain' '-o' 'nodev,nosuid,quiet' 
(spawn.c:136): setting uid to user test1
(mount.c:553): 19 24 0:18 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
(mount.c:553): 20 24 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:14 - proc proc rw
(mount.c:553): 21 24 0:6 / /dev rw,nosuid,relatime shared:2 - devtmpfs udev rw,size=232292k,nr_inodes=58073,mode=755
(mount.c:553): 22 21 0:19 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620,ptmxmode=000
(mount.c:553): 23 24 0:20 / /run rw,nosuid,noexec,relatime shared:5 - tmpfs tmpfs rw,size=49480k,mode=755
(mount.c:553): 24 0 254:1 / / rw,relatime shared:1 - ext4 /dev/vda1 rw,discard,errors=remount-ro
(mount.c:553): 25 19 0:7 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime shared:8 - securityfs securityfs rw
(mount.c:553): 26 21 0:21 / /dev/shm rw,nosuid,nodev shared:4 - tmpfs tmpfs rw
(mount.c:553): 27 23 0:22 / /run/lock rw,nosuid,nodev,noexec,relatime shared:6 - tmpfs tmpfs rw,size=5120k
(mount.c:553): 28 19 0:23 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:9 - tmpfs tmpfs ro,mode=755
(mount.c:553): 29 28 0:24 / /sys/fs/cgroup/unified rw,nosuid,nodev,noexec,relatime shared:10 - cgroup2 cgroup2 rw,nsdelegate
(mount.c:553): 30 28 0:25 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,xattr,name=systemd
(mount.c:553): 31 19 0:26 / /sys/fs/pstore rw,nosuid,nodev,noexec,relatime shared:12 - pstore pstore rw
(mount.c:553): 32 19 0:27 / /sys/fs/bpf rw,nosuid,nodev,noexec,relatime shared:13 - bpf bpf rw,mode=700
(mount.c:553): 33 28 0:28 / /sys/fs/cgroup/perf_event rw,nosuid,nodev,noexec,relatime shared:15 - cgroup cgroup rw,perf_event
(mount.c:553): 34 28 0:29 / /sys/fs/cgroup/freezer rw,nosuid,nodev,noexec,relatime shared:16 - cgroup cgroup rw,freezer
(mount.c:553): 35 28 0:30 / /sys/fs/cgroup/pids rw,nosuid,nodev,noexec,relatime shared:17 - cgroup cgroup rw,pids
(mount.c:553): 36 28 0:31 / /sys/fs/cgroup/cpuset rw,nosuid,nodev,noexec,relatime shared:18 - cgroup cgroup rw,cpuset
(mount.c:553): 37 28 0:32 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:19 - cgroup cgroup rw,cpu,cpuacct
(mount.c:553): 38 28 0:33 / /sys/fs/cgroup/net_cls,net_prio rw,nosuid,nodev,noexec,relatime shared:20 - cgroup cgroup rw,net_cls,net_prio
(mount.c:553): 39 28 0:34 / /sys/fs/cgroup/rdma rw,nosuid,nodev,noexec,relatime shared:21 - cgroup cgroup rw,rdma
(mount.c:553): 40 28 0:35 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec,relatime shared:22 - cgroup cgroup rw,blkio
(mount.c:553): 41 28 0:36 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:23 - cgroup cgroup rw,memory
(mount.c:553): 42 28 0:37 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime shared:24 - cgroup cgroup rw,devices
(mount.c:553): 44 20 0:38 / /proc/sys/fs/binfmt_misc rw,relatime shared:25 - autofs systemd-1 rw,fd=34,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=10084
(mount.c:553): 45 21 0:39 / /dev/hugepages rw,relatime shared:26 - hugetlbfs hugetlbfs rw,pagesize=2M
(mount.c:553): 46 21 0:17 / /dev/mqueue rw,relatime shared:27 - mqueue mqueue rw
(mount.c:553): 47 19 0:8 / /sys/kernel/debug rw,relatime shared:28 - debugfs debugfs rw
(mount.c:553): 171 23 0:42 / /run/user/1000 rw,nosuid,nodev,relatime shared:93 - tmpfs tmpfs rw,size=49476k,mode=700,uid=1000,gid=1000
(mount.c:553): 181 19 0:44 / /sys/fs/fuse/connections rw,relatime shared:99 - fusectl fusectl rw
(mount.c:553): 176 23 0:43 / /run/user/1001 rw,nosuid,nodev,relatime shared:96 - tmpfs tmpfs rw,size=49476k,mode=700,uid=1001,gid=1001
(mount.c:553): 186 24 0:45 / /home/test1/plain rw,nosuid,nodev,relatime shared:102 - fuse.gocryptfs /home/test1/cipher rw,user_id=1001,group_id=1001,max_read=131072
command: 'pmvarrun' '-u' 'test1' '-o' '1' 
(pmvarrun.c:258): parsed count value 1
(pam_mount.c:441): pmvarrun says login count is 2
(pam_mount.c:660): done opening session (ret=0)

rfjakob avatar Aug 25 '21 06:08 rfjakob

Hi, this ticket caused me to take a deep dive into libpam-mount. (I was the one who patched it for the %{USER} substitution.) For now, I only looked into my own issues. This PAM module may not work that well with gocryptfs. It mounts all volumes as root.

While required for regular mounts, I think it can create access problems with FUSE (and kerberized NFSv4) although it is perhaps not the issue here.

lechner avatar Aug 27 '21 04:08 lechner

Hmm, in the su test1 case above, it looks like the gocryptfs process is running as user "test1":

$ ps auxwww | grep gocryptfs
test1    22473  4.0  1.7 622808  8852 ?        Ssl  08:17   0:00 /usr/bin/gocryptfs -fg -notifypid=22466 -nodev -nosuid -quiet /home/test1/cipher /home/test1/plain
test1    22482  0.0  0.2   4740  1112 ?        S    08:17   0:00 /usr/bin/logger -t gocryptfs-22473-logger

rfjakob avatar Aug 28 '21 08:08 rfjakob

PS: The pam_mount.conf.xml

rfjakob avatar Aug 28 '21 08:08 rfjakob

Yeah, I misspoke. It reads <luserconf> as root. Some patches are in the works that may help here, too.

Requests and ideas are welcome.

lechner avatar Aug 29 '21 12:08 lechner

@sebelk: Have you tried disable_pam_password as shown in https://github.com/rfjakob/gocryptfs/issues/566#issuecomment-904867405 ?

This does work for me for local logins (but not ssh, see https://github.com/rfjakob/gocryptfs/issues/566#issuecomment-905216157 )

rfjakob avatar Sep 28 '21 16:09 rfjakob

Closing for inactivity.

rfjakob avatar May 18 '23 17:05 rfjakob