
Comments (6)

neithernut commented on May 25, 2024

I use the entries:

auth    required pam_e4crypt.so onerr=succeed
session required pam_e4crypt.so onerr=succeed

I'll add them to the README and add a short explanation. This issue should be closed only after the information has found its way into the documentation.

from pam_e4crypt.

neithernut commented on May 25, 2024

Thanks for pointing this out btw, I didn't realize that the documentation lacked information on the entries.


seebaclo commented on May 25, 2024

It's weird, but I still can't get it to work. Making it required locks me out of the system. Unfortunately I need further guidance. Let's say these are my current files in /etc/pam.d/:

/etc/pam.d/system-auth
#%PAM-1.0

auth      required  pam_unix.so     try_first_pass nullok
auth      optional  pam_permit.so
auth      required  pam_env.so

account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_permit.so

/etc/pam.d/system-login
#%PAM-1.0

auth       required   pam_tally.so         onerr=succeed file=/var/log/faillog
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth

account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth

password   include    system-auth

session    optional   pam_loginuid.so
session    include    system-auth
session    optional   pam_motd.so          motd=/etc/motd
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
-session   optional   pam_systemd.so
session    required   pam_env.so

Where exactly should I put those pam_e4crypt.so and pam_keyinit.so entries?


neithernut commented on May 25, 2024

It shouldn't matter when you perform the "authentication" with pam_e4crypt, but I recommend doing it rather late. However, it should be invoked as early as possible during the session setup. I recommend having PAM invoke pam_keyinit.so first and pam_e4crypt.so second. You should really use pam_keyinit btw.

For reference, here's my system-login file:

auth        required    pam_tally2.so onerr=succeed
auth        required    pam_shells.so
auth        required    pam_nologin.so
auth        include     system-auth
auth        required    pam_e4crypt.so onerr=succeed

account     required    pam_access.so
account     required    pam_nologin.so
account     include     system-auth
account     required    pam_tally2.so onerr=succeed

password    include     system-auth

session     required    pam_keyinit.so
session     required    pam_e4crypt.so onerr=succeed
session     optional    pam_loginuid.so
session     required    pam_env.so
session     optional    pam_lastlog.so silent
session     include     system-auth
session     optional    pam_ck_connector.so nox11
session     optional    pam_motd.so motd=/etc/motd
session     optional    pam_mail.so

All of this really ought to be part of the documentation. Shame on me.


seebaclo commented on May 25, 2024

OK, I had my auth method set as sufficient, which broke the chain. Setting it as required or optional fixed this. Also I had to set session optional for pam_e4crypt.so because required breaks SDDM with a "dbus can't sync environment" error (although console login still works).

One issue which still remains is that after logout my files are still decrypted in plaintext. Using the revoke option for pam_keyinit didn't help. My key isn't shown in keyctl anymore but perhaps exists somewhere in a cache. This is perhaps a limitation of ext4 encryption, not a pam_e4crypt issue. Could you confirm this in your setup?

I tested this by logging in with password1, confirming I have the password1 logon key in keyctl, logging out, logging in with password2, confirming I have the password2 logon key in keyctl (the password1 key is gone), but files encrypted with the password1 logon key are available in plaintext. Everything is done by the same user. Files are encrypted again as they should be only after a reboot.

I think the new README is OK. You can add a notice that users can use optional instead of required for pam_e4crypt.so for testing first, and probably keep an emergency console available because of the lockout risk, as I had with SDDM.

I'm very grateful for your support!

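The control-flag behaviour seebaclo ran into (sufficient breaking the chain, required locking the user out, optional being safe for testing) can be reasoned about with a small simulator of pam.d(5) stack semantics. This is an added example, not code from pam_e4crypt or from either participant; the module results are constructed scenarios, and the auth stack is neithernut's system-login with its system-auth include flattened using seebaclo's file.

```python
# Minimal simulator of Linux-PAM control-flag semantics (pam.d(5)), added to
# reason about the stacks in this issue; result dicts are constructed scenarios.

def evaluate(stack, results):
    """Evaluate one management group (e.g. the 'auth' stack).

    stack   -- list of (control, module) pairs in file order
    results -- module name -> True (PAM_SUCCESS) or False (any failure);
               modules not listed are assumed to succeed
    Returns (access_granted, modules_actually_invoked).
    """
    required_failed = False
    invoked = []
    for control, module in stack:
        ok = results.get(module, True)
        invoked.append(module)
        if control == "requisite":
            if not ok:                       # fail now, skip the rest
                return False, invoked
        elif control == "required":
            if not ok:                       # remember failure, keep going
                required_failed = True
        elif control == "sufficient":
            if ok and not required_failed:   # short-circuit: rest never runs
                return True, invoked
        elif control == "optional":
            if len(stack) == 1:              # decisive only as the sole module
                return ok, invoked
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return not required_failed, invoked

# neithernut's auth stack, with 'include system-auth' flattened using
# seebaclo's system-auth (pam_tally2 stands in for pam_tally).
AUTH_STACK = [
    ("required", "pam_tally2.so"),
    ("required", "pam_shells.so"),
    ("required", "pam_nologin.so"),
    ("required", "pam_unix.so"),      # from system-auth
    ("optional", "pam_permit.so"),    # from system-auth
    ("required", "pam_env.so"),       # from system-auth
    ("required", "pam_e4crypt.so"),
]

def e4crypt_as(control, fails=False):
    """Auth outcome with pam_e4crypt.so under the given control flag; 'fails'
    models the module reporting an error (e.g. without onerr=succeed)."""
    stack = [(control if m == "pam_e4crypt.so" else c, m) for c, m in AUTH_STACK]
    return evaluate(stack, {"pam_e4crypt.so": not fails})
```

With required and a module error the user is denied even though pam_unix accepted the password, which is the lockout described above; with optional the same error is ignored.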

neithernut commented on May 25, 2024

Glad to hear. I'll update the README and open a new issue regarding the problem with files still being visible after.

