Comments (6)
Do you happen to use an ssh-key? In this case, PAM will never see your password and hence pam_e4crypt
will not be able to derive a key to add to the keyring.
I'm not sure whether it's feasible to make this module work in such scenarios. I will investigate, but don't expect any outcome anytime soon. As in this year. (My maintainership of this module is... lacking)
Btw: you'll find that kerberos or AD-protected network mounts exhibit a similar limitation.
If you authenticate via a (plain) password, this should work and you likely suffer from some misconfiguration. It's kind of hard to tell, however, just from those logs.
from pam_e4crypt.
I assumed that, so I tried both methods: with and without key - no difference, sadly. Misconfiguration? Maybe, but it's so simple that I can't even imagine what kind of mistake I could make in 2 strings :) I don't have that laptop at hand at this moment, but will post the full PAM (include-recursive) config as soon as I can... Would you mind taking a look?
And many thanks for the reply! ^_^
Mh... given your logs, at least the authentication stage is configured correctly. And also, actually, the passphrase does make it to the PAM module (which I could have made out earlier, if I had paid attention, duh).
Assuming that you put both the "auth" and the "session" line in the same file, the problem probably lies somewhere else. It may actually be related to #39, in that internal information is not properly forwarded. Which makes me interested in your config, especially the differences between the services used by local login (i.e. the login file in /etc/pam.d) vs. login via ssh (should be sshd).
I'd check the differences between them by resolving all the "include" lines manually for both cases, recursively, and then compare those two. Obviously in separate files, not your system config. You're welcome to either do so yourself or make the contents of your /etc/pam.d available somewhere. If you did not modify your PAM config too much, you can also just point me to the Linux distro you are using and post a diff of your config/describe where exactly you inserted any additional lines after installation.
Hello! Sorry about being late, I'm using the Gentoo Linux distribution and I use the default PAM configuration (except for the pam_e4crypt.so changes themselves). Here is my config
~ # cat /etc/pam.d/sshd
auth include system-remote-login
account include system-remote-login
password include system-remote-login
session include system-remote-login
~ # cat /etc/pam.d/system-remote-login
auth include system-login
account include system-login
password include system-login
session include system-login
~ # cat /etc/pam.d/system-login
auth required pam_shells.so
auth required pam_nologin.so
auth include system-auth
account required pam_access.so
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_e4crypt.so
session optional pam_loginuid.so
session required pam_env.so envfile=/etc/profile.env
session optional pam_lastlog.so silent
session include system-auth
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so
-session optional pam_elogind.so
~ # cat /etc/pam.d/system-auth
auth required pam_env.so
auth requisite pam_faillock.so preauth
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail
auth optional pam_e4crypt.so saltpath=/etc/pam.d
auth optional pam_permit.so
account required pam_unix.so
account required pam_faillock.so
account optional pam_permit.so
password required pam_passwdqc.so config=/etc/security/passwdqc.conf
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
About pambase:
[I] sys-auth/pambase
Available versions: 20201103^b ~20210201.1^b **999999999*l^b {caps debug elogind gnome-keyring homed minimal mktemp +nullok pam_krb5 pam_ssh +passwdqc pwhistory pwquality securetty selinux +sha512 systemd}
Installed versions: 20201103^b(02:32:39 PM 02/26/2021)(elogind nullok passwdqc sha512 -caps -debug -gnome-keyring -minimal -mktemp -pam_krb5 -pam_ssh -pwhistory -pwquality -securetty -selinux -systemd)
Homepage: https://github.com/gentoo/pambase
Description: PAM base configuration files
Note about 'optional' for pam_e4crypt.so: unfortunately I can't log in via ssh at all (due to a module error in the session part) if I put 'required' here. Anyway, as I noticed, there is no difference for local login.
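The maintainer's suggestion above is to resolve every "include" line recursively for both the local and the ssh service and compare the two results. The following Python script is an added example (not part of pam_e4crypt or of the thread) that does exactly that over an embedded copy of the Gentoo configuration posted above. The login and system-local-login files are not on the page; they are constructed here as identical copies of sshd and system-remote-login, which is what a stock Gentoo pambase ships.

```python
"""Resolve PAM include/substack lines recursively and diff two services.

Added example, not project code. PAM_D mirrors the /etc/pam.d files posted
in the thread; 'login' and 'system-local-login' are constructed copies of
'sshd' and 'system-remote-login' (assumption: stock Gentoo pambase).
"""

PAM_D = {
    "sshd": "auth include system-remote-login\naccount include system-remote-login\n"
            "password include system-remote-login\nsession include system-remote-login\n",
    "system-remote-login": "auth include system-login\naccount include system-login\n"
                           "password include system-login\nsession include system-login\n",
    # constructed: assumed identical to the two files above
    "login": "auth include system-local-login\naccount include system-local-login\n"
             "password include system-local-login\nsession include system-local-login\n",
    "system-local-login": "auth include system-login\naccount include system-login\n"
                          "password include system-login\nsession include system-login\n",
    "system-login": """\
auth required pam_shells.so
auth required pam_nologin.so
auth include system-auth
account required pam_access.so
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_e4crypt.so
session optional pam_loginuid.so
session required pam_env.so envfile=/etc/profile.env
session optional pam_lastlog.so silent
session include system-auth
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so
-session optional pam_elogind.so
""",
    "system-auth": """\
auth required pam_env.so
auth requisite pam_faillock.so preauth
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail
auth optional pam_e4crypt.so saltpath=/etc/pam.d
auth optional pam_permit.so
account required pam_unix.so
account required pam_faillock.so
account optional pam_permit.so
password required pam_passwdqc.so config=/etc/security/passwdqc.conf
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
""",
}


def split_fields(line):
    """Split one pam.d line into (type, control, module, args).
    The control field may be bracketed, e.g. '[success=1 default=ignore]'."""
    typ, rest = line.split(None, 1)
    rest = rest.strip()
    if rest.startswith("["):
        end = rest.index("]")
        control, rest = rest[:end + 1], rest[end + 1:].strip()
    else:
        control, rest = (rest.split(None, 1) + [""])[:2]
    module, args = (rest.split(None, 1) + [""])[:2]
    return typ, control, module, args.strip()


def parse_lines(text):
    """Yield parsed entries, skipping blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield split_fields(line)


def resolve(service, files=PAM_D, depth=0):
    """Flatten a service: an 'include'/'substack' line is replaced by the
    lines of the same type from the named file, recursively (as Linux-PAM
    does). A leading '-' (optional module) is preserved on the type."""
    if depth > 16:
        raise RuntimeError("include loop detected at %s" % service)
    if service not in files:
        raise FileNotFoundError("no pam.d file for service %r" % service)
    out = []
    for typ, control, module, args in parse_lines(files[service]):
        if control in ("include", "substack"):
            out.extend(e for e in resolve(module, files, depth + 1)
                       if e[0].lstrip("-") == typ.lstrip("-"))
        else:
            out.append((typ, control, module, args))
    return out


def phase(entries, typ):
    """Entries of one management group (auth, account, password, session)."""
    return [e for e in entries if e[0].lstrip("-") == typ]


def diff_services(a, b, files=PAM_D):
    """Return (only_in_a, only_in_b) over the fully resolved stacks."""
    ra, rb = resolve(a, files), resolve(b, files)
    return [e for e in ra if e not in rb], [e for e in rb if e not in ra]


if __name__ == "__main__":
    for typ in ("auth", "session"):
        print("== sshd", typ)
        for e in phase(resolve("sshd"), typ):
            print("  ", " ".join(x for x in e if x))
    print("diff login vs sshd:", diff_services("login", "sshd"))
```

Run as-is, the script prints the flattened auth and session stacks for sshd and an empty diff against login, which is the maintainer's point: with identical stacks, the difference has to be in how the two services invoke PAM rather than in the files themselves.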
Thanks for the input!
I think you omitted the login and system-local-login files, but these should be identical to sshd and system-remote-login, respectively, on a Gentoo installation.
So, it looks like there is indeed no practical difference between the configuration for local and ssh login. Which (probably) means that the difference lies in how PAM is invoked by login (or your session manager/whatever) and sshd. My current hypothesis is that the auth and session phase are performed by separate processes in the ssh case. I'll probably be able to confirm this myself in the "near" future.
If my hypothesis is correct, I'll need to come up with another channel for passing around the key. Which is tricky, since you definitely don't want it to leak.
For reference, I'd appreciate if you could also tell me what version of ssh (net-misc/openssh) and sys-libs/pam you are using.
Note about 'optional' for pam_e4crypt.so: unfortunately I can't log in via ssh at all (due to a module error in the session part) if I put 'required' here. Anyway, as I noticed, there is no difference for local login.
That's a perfectly sensible choice.
I'm sorry about my late feedback, I have some new info related to this problem. Recently I've successfully logged in via ssh and got a key insertion with my current PAM configuration. Nothing was changed except system libs/ssh version, and the login process went fine.
Now I think that this was not a pam_e4crypt-related problem, therefore this issue can be closed, imho.
Thank you for your support... and patience :)
P.S. My current software versions - if the question is still actual:
net-misc/openssh-8.8_p1-r4
sys-libs/pam-1.5.1_p20210622-r1