Comments (6)
I don't know if it can help you but I'm using this file to force systemd to inherit keys (in Ubuntu /etc/systemd/system/service_name.service.d/customexec.conf):
[Service]
KeyringMode=shared
from pam_e4crypt.
Thanks for the hint. Maybe I should add this to the README.
from pam_e4crypt.
We use the session keyring. That keyring is inherited by child processes. Unlike the user and user session keyrings, it is not bound to a UID and cannot be used by arbitrary sessions of the same user. As far as I remember, using the session keyring was the only possibility to get the module to work properly (keys in other keyrings would be ignored), but I could well be mistaken. At least the e4crypt tool uses the session key, as is apparent from your keyctl output.
It could well be that systemd-run initializes its own session keyring and hence doesn't propagate your keys to services. Honestly, I don't care about systemd and I try to stay as far away as possible from it.
This module will probably be of no use for solving this problem. You could try to link the keys to a user keyring using keyctl link and then link them back to the service's session from there.
TL;DR: This is clearly outside the scope of this module. Anyways, good luck.
from pam_e4crypt.
Just a quick recap after I found a solution:
The pam_keyinit module automatically links the user keyring @u to the session keyring @s, so I couldn't link @s back to @u due to recursion.
The user keyring @u is automatically linked to the user session keyring @us. I could link from @s to @us manually after login, but it was too late for some services to get access. On the other hand, linking it early didn't work (services didn't use this keyring then).
So, finally I had to disable the pam_keyinit module from the system-login PAM section and link the session keyring @s to the user keyring @u. I don't know if there are any disadvantages of this, as I don't add any keys to my user keyring anyway, and Arch Linux didn't even include this module by default. It's still included in the systemd-user PAM section and I believe it's enough.
from pam_e4crypt.
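The keyring relations discussed in the comment above (which keyring actually holds the ext4 logon key, and why `keyctl link @s @u` is refused once pam_keyinit has linked @u into @s) can be checked offline from a `keyctl show` dump. The script below is an added example, not part of pam_e4crypt: it parses such a dump into a keyring graph, reports which keyrings hold the fscrypt keys, and applies the kernel's cycle rule (a link is refused when the target keyring is already reachable from the key being linked). The dump is constructed, with made-up serials, and the tree layout it assumes (four columns per nesting level, nodes marked by `\_`) is modelled on keyutils output rather than taken from the thread.

```python
"""Parse a `keyctl show` dump and answer keyring questions from the thread.

Added example, not pam_e4crypt code.  The sample dump is constructed (serials
are made up); the assumed layout is: one line per key, columns serial, perms,
uid, gid, then a tree field where each nesting level is 4 columns wide and a
node is introduced by '\\_ ', followed by 'type: description'.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: pam_keyinit has linked the user keyring (_uid.1000) into
# the session keyring (_ses); the e4crypt key sits directly in _ses only.
SAMPLE_KEYCTL_SHOW = """\
Session Keyring
 570286565 --alswrv   1000  1000  keyring: _ses
 592994207 --alswrv   1000 65534   \\_ keyring: _uid.1000
 301184477 --alswrv   1000  1000   |   \\_ user: invocation_id
 472216681 --alsw-v   1000  1000   \\_ logon: ext4:da7b10fe8e6f4f2a
"""

# serial, perms, uid, gid, then exactly two spaces before the tree field.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)  (.*)$")


@dataclass(eq=False)  # identity equality: the same key may be linked twice
class Key:
    serial: int
    perms: str
    uid: int
    gid: int
    ktype: str
    desc: str
    children: List["Key"] = field(default_factory=list)


def parse_keyctl_show(text: str) -> Tuple[Key, Dict[int, Key]]:
    """Build the keyring graph; returns (root keyring, serial -> Key index)."""
    by_serial: Dict[int, Key] = {}
    stack: List[Key] = []  # stack[d] is the most recent node at depth d
    root: Optional[Key] = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # banner line ("Session Keyring") or blank
            continue
        serial, perms, uid, gid, tree = m.groups()
        marker = tree.find("\\_")
        if marker < 0:
            depth, body = 0, tree
        else:
            depth, body = marker // 4 + 1, tree[marker + 3:]
        ktype, _, desc = body.partition(": ")
        node = by_serial.get(int(serial))
        if node is None:  # a key linked into several keyrings appears repeatedly
            node = Key(int(serial), perms, int(uid), int(gid), ktype, desc)
            by_serial[node.serial] = node
        if depth == 0:
            root = node
        else:
            parent = stack[depth - 1]
            if all(c.serial != node.serial for c in parent.children):
                parent.children.append(node)
        del stack[depth:]
        stack.append(node)
    if root is None:
        raise ValueError("no root keyring found in keyctl show output")
    return root, by_serial


def walk(start: Key) -> List[Key]:
    """Every key reachable from `start` (including itself), each once."""
    seen: Set[int] = set()
    out: List[Key] = []
    todo = [start]
    while todo:
        k = todo.pop()
        if k.serial in seen:
            continue
        seen.add(k.serial)
        out.append(k)
        todo.extend(k.children)
    return out


def reachable(start: Key) -> Set[int]:
    return {k.serial for k in walk(start)}


def link_would_cycle(key: Key, into: Key) -> bool:
    """True when `keyctl link <key> <into>` would be refused by the kernel:
    the target keyring is already reachable from the key being linked."""
    return into.serial in reachable(key)


def holders(root: Key, ktype: str, desc_prefix: str = "") -> Dict[str, List[str]]:
    """Map each matching key's description to the keyrings directly holding it."""
    out: Dict[str, List[str]] = {}
    for keyring in walk(root):
        for child in keyring.children:
            if child.ktype == ktype and child.desc.startswith(desc_prefix):
                out.setdefault(child.desc, []).append(keyring.desc)
    return out


def find_by_desc(index: Dict[int, Key], desc: str) -> Key:
    for k in index.values():
        if k.desc == desc:
            return k
    raise KeyError(desc)


if __name__ == "__main__":
    root, index = parse_keyctl_show(SAMPLE_KEYCTL_SHOW)
    ses, u = find_by_desc(index, "_ses"), find_by_desc(index, "_uid.1000")
    print("fscrypt keys and their holders:", holders(root, "logon", "ext4:"))
    print("keyctl link @s @u refused (cycle):", link_would_cycle(ses, u))
    print("keyctl link <ext4 key> @u refused:",
          link_would_cycle(find_by_desc(index, "ext4:da7b10fe8e6f4f2a"), u))
```

Run against a real machine with `keyctl show | python3 keyring_graph.py`-style plumbing by replacing `SAMPLE_KEYCTL_SHOW` with `sys.stdin.read()`. On the constructed dump it reports the ext4 key held only by `_ses`, `@s` into `@u` refused (since `@u` is already inside `@s`), and the ext4 key itself linkable into `@u`, which is the workaround the comment arrives at.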
Hm, I just thought about it: the e4crypt tool uses the session keyring by default, but it has a -k option which provides the ability to choose the keyring manually, i.e. e4crypt add_key -k @u.
You wrote that you can't use other keyrings within pam_e4crypt - wasn't pam_keyinit the reason here, as it was in my case? If yes, we can move the pam_keyinit module below pam_e4crypt in the system-login PAM section and add the key to the user's keyring, which will be automatically linked to the session's keyring by pam_keyinit later.
So we end up with keys in both user and session keyrings, which should be easier to manage.
from pam_e4crypt.
@seebaclo could you publish your service file? I'm trying to do something similar and this would really help me.
from pam_e4crypt.