Gentoo Archives: gentoo-user

From: Daniel Troeder <daniel@×××××××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Re: Kernel upgrade and now LUKS failure.
Date: Tue, 04 May 2010 21:26:11
Message-Id: 4BE090A5.9080804@admin-box.com
In Reply to: Re: [gentoo-user] Re: Kernel upgrade and now LUKS failure. by "Stefan G. Weichinger"
On 05/04/2010 09:28 PM, Stefan G. Weichinger wrote:
> On 04.05.2010 19:38, Stefan G. Weichinger wrote:
>
>> I don't yet have the whole picture ...
>
> I did some "emerge -avuDN world", quite some packages updated even
> though I am doing "emerge -avu world" nearly every day ...
>
> After a reboot and setting debug to 1 for pam_mount it says:
>
> May 4 21:25:38 enzo slim: pam_mount(pam_mount.c:364): pam_mount 2.0:
> entering auth stage
> May 4 21:25:38 enzo slim: gkr-pam: invalid option: use_first_pass
> May 4 21:25:38 enzo slim: pam_unix(slim:session): session opened for
> user sgw by (uid=0)
> May 4 21:25:38 enzo slim: pam_mount(pam_mount.c:552): pam_mount 2.0:
> entering session stage
> May 4 21:25:38 enzo slim: pam_mount(misc.c:38): Session open: (uid=0,
> euid=0, gid=0, egid=0)
> May 4 21:25:38 enzo slim: pam_mount(mount.c:196): Mount info:
> globalconf, user=sgw <volume fstype="crypt" server="(null)"
> path="/dev/mapper/VG01-crypthome" mountpoint="/home/sgw"
> cipher="aes-cbc-plain" fskeypath="/etc/security/verysekrit.key"
> fskeycipher="aes-256-cbc" fskeyhash="md5"
> options="data=journal,commit=15" /> fstab=0
> May 4 21:25:38 enzo slim: command: 'mount.crypt'
> '-ocipher=aes-cbc-plain' '-ofsk_cipher=aes-256-cbc' '-ofsk_hash=md5'
> '-okeyfile=/etc/security/verysekrit.key' '-odata=journal,commit=15'
> '/dev/mapper/VG01-crypthome' '/home/sgw'
> May 4 21:25:38 enzo slim: pam_mount(misc.c:38): set_myuid<pre>: (uid=0,
> euid=0, gid=0, egid=0)
> May 4 21:25:38 enzo slim: pam_mount(misc.c:38): set_myuid<post>:
> (uid=0, euid=0, gid=0, egid=0)
> May 4 21:25:40 enzo slim: pam_mount(mount.c:64): Errors from underlying
> mount program:
> May 4 21:25:40 enzo slim: pam_mount(mount.c:68):
> crypt_activate_by_passphrase: Operation not permitted
> May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:520): mount of
> /dev/mapper/VG01-crypthome failed
> May 4 21:25:40 enzo slim: command: 'pmvarrun' '-u' 'sgw' '-o' '1'
> May 4 21:25:40 enzo slim: pam_mount(misc.c:38): set_myuid<pre>: (uid=0,
> euid=0, gid=0, egid=0)
> May 4 21:25:40 enzo slim: pam_mount(misc.c:38): set_myuid<post>:
> (uid=0, euid=0, gid=0, egid=0)
> May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:440): pmvarrun says
> login count is 1
> May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:642): done opening
> session (ret=0)
> May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:115): Clean global
> config (0)
> May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:132): clean system
> authtok=0x80e6870 (0)
> May 4 21:25:40 enzo seahorse-daemon[1426]: DNS-SD initialization
> failed: Daemon not running
> May 4 21:25:40 enzo seahorse-daemon[1426]: unsupported key server uri
> scheme: ldap
> May 4 21:25:40 enzo seahorse-daemon[1426]: init gpgme version 1.3.0
> May 4 21:25:41 enzo pulseaudio[1475]: module-alsa-card.c: Failed to
> find a working profile.
> May 4 21:25:41 enzo pulseaudio[1475]: module.c: Failed to load module
> "module-alsa-card" (argument: "device_id="5"
> name="platform-thinkpad_acpi"
> card_name="alsa_card.platform-thinkpad_acpi" tsched=yes ignore_dB=no
> card_properties="module-udev-detect.discovered=1""): initialization failed.
> May 4 21:25:41 enzo polkitd(authority=local): Registered Authentication
> Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name
> :1.49 [/usr/libexec/polkit-gnome-authentication-agent-1], object path
> /org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)
>
>
> ----- (maybe I pasted too much, this was everything from typing my
> username to the Gnome-session opened, but with the "wrong" /home for
> user sgw)
>
> Some bits of additional info:
>
> # cat /etc/pam.d/system-auth
> auth required pam_env.so
> auth required pam_unix.so try_first_pass likeauth nullok
> auth optional pam_mount.so
> auth optional pam_gnome_keyring.so
>
> account required pam_unix.so
>
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2
> retry=3
> password optional pam_gnome_keyring.so
> password required pam_unix.so try_first_pass use_authtok nullok sha512
> shadow
> session required pam_limits.so
> session optional pam_gnome_keyring.so auto_start
> session required pam_env.so
> session required pam_unix.so
> session optional pam_permit.so
> session optional pam_mount.so
>
>
>
> # cat /etc/security/pam_mount.conf.xml
> <?xml version="1.0" encoding="utf-8" ?>
> <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
> <!--
> See pam_mount.conf(5) for a description.
> -->
>
> <pam_mount>
>
> <!-- debug should come before everything else,
> since this file is still processed in a single pass
> from top-to-bottom -->
>
> <debug enable="0" />
>
>
> <!-- Volume definitions -->
>
> <!--
>
> <volume user="username"
> path="/dev/mmcblk0p1"
> mountpoint="/mnt/mmc"
> fstype="auto" />
>
> -->
>
> <volume user="sgw"
> path="/dev/mapper/VG01-crypthome"
> mountpoint="/home/sgw"
> fstype="crypt"
> options="data=journal,commit=15"
> cipher="aes-cbc-plain"
> fskeypath="/etc/security/verysekrit.key"
> fskeycipher="aes-256-cbc"
> fskeyhash="md5" />
>
> <!-- pam_mount parameters: General tunables -->
>
> <debug enable="1" />
> <!--
> <luserconf name=".pam_mount.conf.xml" />
> -->
>
> <!-- Note that commenting out mntoptions will give you the defaults.
> You will need to explicitly initialize it with the empty string
> to reset the defaults to nothing. -->
> <mntoptions
> allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
> <!--
> <mntoptions deny="suid,dev" />
> <mntoptions allow="*" />
> <mntoptions deny="*" />
> -->
> <mntoptions require="nosuid,nodev" />
> <path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
>
> <logout wait="0" hup="0" term="0" kill="0" />
>
>
> <!-- pam_mount parameters: Volume-related -->
>
> <mkmountpoint enable="1" remove="true" />
>
>
> </pam_mount>
>
>
>
> --- I didn't change both files except for the debug-parameter ...
>
>
> [root@enzo]:~ # eix pam_mount
> [I] sys-auth/pam_mount
> Available versions: (~)1.20 (~)1.21 (~)1.22 (~)1.24 (~)1.25
> (~)1.25-r1 (~)1.26 (~)1.31 (~)1.32 (~)1.33 (~)2.0 {crypt}
> Installed versions: 2.0(12:45:53 04.05.2010)(crypt)
> Homepage: http://pam-mount.sourceforge.net
> Description: A PAM module that can mount volumes for a user
> session
>
> [root@enzo]:~ # eix cryptset
> [I] sys-fs/cryptsetup
> Available versions: 0.1-r3 1.0.5-r1 1.0.6-r2 (~)1.0.7 (~)1.0.7-r1
> (~)1.1.0 (~)1.1.1_rc1{tbz2} {dynamic nls selinux}
> Installed versions: 1.1.1_rc1{tbz2}(13:04:41 04.05.2010)(nls
> -dynamic -selinux)
> Homepage: http://code.google.com/p/cryptsetup/
> Description: Tool to setup encrypted devices with dm-crypt
>
>
> Thanks for any hints, Stefan
>
I'm using sys-fs/cryptsetup-1.1.1_rc1 since 02.05.2010 and didn't have
any issues.
Please decrypt your partition from the command line, so we can see if it
is a cryptsetup/luks/kernel problem or a pam_mount problem.

Cmdline should be something like:
$ sudo cryptsetup -d /etc/security/verysekrit.key luksOpen /dev/mapper/VG01-crypthome myhome
Which should create /dev/mapper/myhome.

Bye,
Daniel


--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
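
Added example (not part of either mail and not pam_mount code): a small Python triage of pam_mount debug output that recovers the mount.crypt invocation and the error the helper reported, to show which layer raised the failure before testing by hand. The sample log is constructed from the quoted entries with the mail wrapping undone; the function name, the result keys and the "crypt_" prefix heuristic are assumptions of this example.

```python
import re
import shlex

# Constructed sample modelled on the quoted log, one syslog entry per line.
SAMPLE_LOG = """\
May 4 21:25:38 enzo slim: command: 'mount.crypt' '-ocipher=aes-cbc-plain' '-ofsk_cipher=aes-256-cbc' '-ofsk_hash=md5' '-okeyfile=/etc/security/verysekrit.key' '-odata=journal,commit=15' '/dev/mapper/VG01-crypthome' '/home/sgw'
May 4 21:25:40 enzo slim: pam_mount(mount.c:64): Errors from underlying mount program:
May 4 21:25:40 enzo slim: pam_mount(mount.c:68): crypt_activate_by_passphrase: Operation not permitted
May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:520): mount of /dev/mapper/VG01-crypthome failed
May 4 21:25:40 enzo slim: command: 'pmvarrun' '-u' 'sgw' '-o' '1'
"""

ENTRY = re.compile(r"^\w+ +\d+ [\d:]+ \S+ [^:]+: (?P<msg>.*)$")
PAM = re.compile(r"^pam_mount\((?P<src>[\w.]+):\d+\): (?P<text>.*)$")

def triage(log_text):
    """Recover the mount helper invocation and the errors it reported."""
    out = {"argv": None, "opts": {}, "device": None, "mountpoint": None, "errors": []}
    in_errors = False
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue
        msg = entry.group("msg")
        if msg.startswith("command: "):
            argv = shlex.split(msg[len("command: "):])
            if argv and argv[0].startswith("mount"):  # skip pmvarrun etc.
                out["argv"] = argv
                for arg in argv[1:]:
                    if arg.startswith("-o"):  # -okey=val[,key=val...]
                        for item in arg[2:].split(","):
                            key, _, val = item.partition("=")
                            out["opts"][key] = val
                positional = [a for a in argv[1:] if not a.startswith("-")]
                if len(positional) >= 2:
                    out["device"], out["mountpoint"] = positional[:2]
            continue
        pam = PAM.match(msg)
        if pam and pam.group("text").startswith("Errors from underlying mount program"):
            in_errors = True
        elif pam and in_errors and pam.group("src") == "mount.c":
            out["errors"].append(pam.group("text"))
        else:
            in_errors = False
    # Heuristic (assumption of this example): libcryptsetup API names start with crypt_.
    out["layer"] = "libcryptsetup" if any(e.startswith("crypt_") for e in out["errors"]) else "unknown"
    # fsk_cipher other than "none" means the key file is itself OpenSSL-encrypted.
    out["key_wrapped"] = out["opts"].get("fsk_cipher", "none") != "none"
    return out
```

For the quoted log this reports the error as coming from the libcryptsetup call made by mount.crypt, with a key file that is OpenSSL-wrapped (fsk_cipher=aes-256-cbc, fsk_hash=md5), so a manual test is only comparable if it reproduces both the key-file decryption and the LUKS open.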
