On 05/04/2010 09:28 PM, Stefan G. Weichinger wrote:
> On 04.05.2010 19:38, Stefan G. Weichinger wrote:
>
>> I don't yet have the whole picture ...
>
> I did some "emerge -avuDN world", quite some packages updated even
> though I am doing "emerge -avu world" nearly every day ...
>
> After a reboot and setting debug to 1 for pam_mount it says:
>
> May 4 21:25:38 enzo slim: pam_mount(pam_mount.c:364): pam_mount 2.0: entering auth stage
> May 4 21:25:38 enzo slim: gkr-pam: invalid option: use_first_pass
> May 4 21:25:38 enzo slim: pam_unix(slim:session): session opened for user sgw by (uid=0)
> May 4 21:25:38 enzo slim: pam_mount(pam_mount.c:552): pam_mount 2.0: entering session stage
> May 4 21:25:38 enzo slim: pam_mount(misc.c:38): Session open: (uid=0, euid=0, gid=0, egid=0)
> May 4 21:25:38 enzo slim: pam_mount(mount.c:196): Mount info: globalconf, user=sgw <volume fstype="crypt" server="(null)" path="/dev/mapper/VG01-crypthome" mountpoint="/home/sgw" cipher="aes-cbc-plain" fskeypath="/etc/security/verysekrit.key" fskeycipher="aes-256-cbc" fskeyhash="md5" options="data=journal,commit=15" /> fstab=0
> May 4 21:25:38 enzo slim: command: 'mount.crypt' '-ocipher=aes-cbc-plain' '-ofsk_cipher=aes-256-cbc' '-ofsk_hash=md5' '-okeyfile=/etc/security/verysekrit.key' '-odata=journal,commit=15' '/dev/mapper/VG01-crypthome' '/home/sgw'
> May 4 21:25:38 enzo slim: pam_mount(misc.c:38): set_myuid<pre>: (uid=0, euid=0, gid=0, egid=0)
> May 4 21:25:38 enzo slim: pam_mount(misc.c:38): set_myuid<post>: (uid=0, euid=0, gid=0, egid=0)
> May 4 21:25:40 enzo slim: pam_mount(mount.c:64): Errors from underlying mount program:
> May 4 21:25:40 enzo slim: pam_mount(mount.c:68): crypt_activate_by_passphrase: Operation not permitted
> May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:520): mount of /dev/mapper/VG01-crypthome failed
> May 4 21:25:40 enzo slim: command: 'pmvarrun' '-u' 'sgw' '-o' '1'
> May 4 21:25:40 enzo slim: pam_mount(misc.c:38): set_myuid<pre>: (uid=0, euid=0, gid=0, egid=0)
> May 4 21:25:40 enzo slim: pam_mount(misc.c:38): set_myuid<post>: (uid=0, euid=0, gid=0, egid=0)
> May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:440): pmvarrun says login count is 1
> May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:642): done opening session (ret=0)
> May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:115): Clean global config (0)
> May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:132): clean system authtok=0x80e6870 (0)
> May 4 21:25:40 enzo seahorse-daemon[1426]: DNS-SD initialization failed: Daemon not running
> May 4 21:25:40 enzo seahorse-daemon[1426]: unsupported key server uri scheme: ldap
> May 4 21:25:40 enzo seahorse-daemon[1426]: init gpgme version 1.3.0
> May 4 21:25:41 enzo pulseaudio[1475]: module-alsa-card.c: Failed to find a working profile.
> May 4 21:25:41 enzo pulseaudio[1475]: module.c: Failed to load module "module-alsa-card" (argument: "device_id="5" name="platform-thinkpad_acpi" card_name="alsa_card.platform-thinkpad_acpi" tsched=yes ignore_dB=no card_properties="module-udev-detect.discovered=1""): initialization failed.
> May 4 21:25:41 enzo polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name :1.49 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)
>
>
> ----- (maybe I pasted too much, this was everything from typing my
> username to the Gnome-session opened, but with the "wrong" /home for
> user sgw)
>
> Some bits of additional info:
>
> # cat /etc/pam.d/system-auth
> auth required pam_env.so
> auth required pam_unix.so try_first_pass likeauth nullok
> auth optional pam_mount.so
> auth optional pam_gnome_keyring.so
>
> account required pam_unix.so
>
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
> password optional pam_gnome_keyring.so
> password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
> session required pam_limits.so
> session optional pam_gnome_keyring.so auto_start
> session required pam_env.so
> session required pam_unix.so
> session optional pam_permit.so
> session optional pam_mount.so
>
>
> # cat /etc/security/pam_mount.conf.xml
> <?xml version="1.0" encoding="utf-8" ?>
> <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
> <!--
> See pam_mount.conf(5) for a description.
> -->
>
> <pam_mount>
>
> <!-- debug should come before everything else,
> since this file is still processed in a single pass
> from top-to-bottom -->
>
> <debug enable="0" />
>
>
> <!-- Volume definitions -->
>
> <!--
>
> <volume user="username"
>         path="/dev/mmcblk0p1"
>         mountpoint="/mnt/mmc"
>         fstype="auto" />
>
> -->
>
> <volume user="sgw"
>         path="/dev/mapper/VG01-crypthome"
>         mountpoint="/home/sgw"
>         fstype="crypt"
>         options="data=journal,commit=15"
>         cipher="aes-cbc-plain"
>         fskeypath="/etc/security/verysekrit.key"
>         fskeycipher="aes-256-cbc"
>         fskeyhash="md5" />
>
> <!-- pam_mount parameters: General tunables -->
>
> <debug enable="1" />
> <!--
> <luserconf name=".pam_mount.conf.xml" />
> -->
>
> <!-- Note that commenting out mntoptions will give you the defaults.
> You will need to explicitly initialize it with the empty string
> to reset the defaults to nothing. -->
> <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
> <!--
> <mntoptions deny="suid,dev" />
> <mntoptions allow="*" />
> <mntoptions deny="*" />
> -->
> <mntoptions require="nosuid,nodev" />
> <path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
>
> <logout wait="0" hup="0" term="0" kill="0" />
>
>
> <!-- pam_mount parameters: Volume-related -->
>
> <mkmountpoint enable="1" remove="true" />
>
>
> </pam_mount>
>
>
> --- I didn't change either file except for the debug parameter ...
>
>
> [root@enzo]:~ # eix pam_mount
> [I] sys-auth/pam_mount
> Available versions: (~)1.20 (~)1.21 (~)1.22 (~)1.24 (~)1.25 (~)1.25-r1 (~)1.26 (~)1.31 (~)1.32 (~)1.33 (~)2.0 {crypt}
> Installed versions: 2.0(12:45:53 04.05.2010)(crypt)
> Homepage: http://pam-mount.sourceforge.net
> Description: A PAM module that can mount volumes for a user session
>
> [root@enzo]:~ # eix cryptset
> [I] sys-fs/cryptsetup
> Available versions: 0.1-r3 1.0.5-r1 1.0.6-r2 (~)1.0.7 (~)1.0.7-r1 (~)1.1.0 (~)1.1.1_rc1{tbz2} {dynamic nls selinux}
> Installed versions: 1.1.1_rc1{tbz2}(13:04:41 04.05.2010)(nls -dynamic -selinux)
> Homepage: http://code.google.com/p/cryptsetup/
> Description: Tool to setup encrypted devices with dm-crypt
>
>
> Thanks for any hints, Stefan
>

I've been using sys-fs/cryptsetup-1.1.1_rc1 since 02.05.2010 and didn't have
any issues.
Please decrypt your partition from the command line, so we can see if it
is a cryptsetup/luks/kernel problem or a pam_mount problem.

Cmdline should be something like:
$ sudo cryptsetup -d /etc/security/verysekrit.key luksOpen /dev/mapper/VG01-crypthome myhome
Which should create /dev/mapper/myhome.

Bye,
Daniel


--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
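The pam_mount debug output and the pam_mount.conf.xml volume definition quoted in Stefan's mail, worked through as an added example that is not part of this thread: a small Python triage script that parses the syslog lines, pairs the mount.crypt invocation with the error the helper relayed ("crypt_activate_by_passphrase: Operation not permitted"), checks that the cipher and keyfile attributes of the <volume> element reached mount.crypt unchanged (so the failure is below pam_mount, which is what Daniel's command-line test is meant to confirm), picks out the gkr-pam "invalid option" complaint, and lists the <debug> directives in file order, since the config is read in a single top-to-bottom pass. The sample log and config are constructed from the quoted text; the attribute-to-option mapping is read off the quoted mount.crypt command line and is an assumption for other pam_mount versions.

```python
"""Triage pam_mount debug output against the pam_mount.conf.xml that produced it."""
import re
import shlex
import xml.etree.ElementTree as ET

# Constructed sample input, copied from the syslog excerpt quoted in the thread.
SAMPLE_LOG = """\
May 4 21:25:38 enzo slim: pam_mount(pam_mount.c:364): pam_mount 2.0: entering auth stage
May 4 21:25:38 enzo slim: gkr-pam: invalid option: use_first_pass
May 4 21:25:38 enzo slim: pam_mount(pam_mount.c:552): pam_mount 2.0: entering session stage
May 4 21:25:38 enzo slim: command: 'mount.crypt' '-ocipher=aes-cbc-plain' '-ofsk_cipher=aes-256-cbc' '-ofsk_hash=md5' '-okeyfile=/etc/security/verysekrit.key' '-odata=journal,commit=15' '/dev/mapper/VG01-crypthome' '/home/sgw'
May 4 21:25:40 enzo slim: pam_mount(mount.c:64): Errors from underlying mount program:
May 4 21:25:40 enzo slim: pam_mount(mount.c:68): crypt_activate_by_passphrase: Operation not permitted
May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:520): mount of /dev/mapper/VG01-crypthome failed
May 4 21:25:40 enzo slim: command: 'pmvarrun' '-u' 'sgw' '-o' '1'
May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:642): done opening session (ret=0)
"""

# Constructed sample config: the relevant elements of the quoted pam_mount.conf.xml.
SAMPLE_CONF = """<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
  <debug enable="0" />
  <volume user="sgw" path="/dev/mapper/VG01-crypthome" mountpoint="/home/sgw"
          fstype="crypt" options="data=journal,commit=15" cipher="aes-cbc-plain"
          fskeypath="/etc/security/verysekrit.key" fskeycipher="aes-256-cbc"
          fskeyhash="md5" />
  <debug enable="1" />
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
  <mntoptions require="nosuid,nodev" />
</pam_mount>
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")

# How <volume> attributes for fstype="crypt" map onto the -o options mount.crypt
# receives; read off the quoted command line, so an assumption for other versions.
ATTR_TO_OPT = {"cipher": "cipher", "fskeycipher": "fsk_cipher",
               "fskeyhash": "fsk_hash", "fskeypath": "keyfile"}


def parse_syslog(text):
    """Split syslog lines into timestamp/host/program/message dicts; skip odd lines."""
    return [m.groupdict() for m in map(SYSLOG_RE.match, text.splitlines()) if m]


def parse_command(msg):
    """Turn a "command: 'mount.crypt' '-o...'" line into argv plus a dict of -o options."""
    argv = shlex.split(msg.split("command: ", 1)[1])
    opts = {}
    for arg in argv[1:]:
        if arg.startswith("-o"):
            for kv in arg[2:].split(","):
                key, _, val = kv.partition("=")
                opts[key] = val
    return argv, opts


def find_mount_failures(text):
    """Pair each mount helper invocation with the error lines pam_mount relayed for it."""
    failures, current, collecting = [], None, False
    for rec in parse_syslog(text):
        msg = rec["msg"]
        if msg.startswith("command: 'mount."):
            argv, opts = parse_command(msg)
            current = {"helper": argv[0], "device": argv[-2], "mountpoint": argv[-1],
                       "options": opts, "errors": []}
            collecting = False
        elif current is None:
            continue
        elif msg.endswith("Errors from underlying mount program:"):
            collecting = True
        elif re.search(r"mount of \S+ failed$", msg):
            failures.append(current)
            current, collecting = None, False
        elif collecting:
            # Drop the "pam_mount(file.c:NN): " prefix and keep the helper's own text.
            current["errors"].append(re.sub(r"^pam_mount\([^)]*\): ", "", msg))
    return failures


def module_option_warnings(text):
    """Collect 'invalid option' complaints from other PAM modules in the same session."""
    return [rec["msg"] for rec in parse_syslog(text) if "invalid option" in rec["msg"]]


def load_volumes(xml_text):
    """Return the <volume> elements of a pam_mount.conf.xml as attribute dicts."""
    return [dict(v.attrib) for v in ET.fromstring(xml_text).iter("volume")]


def debug_settings(xml_text):
    """The file is read top to bottom in one pass, so a later <debug> wins; return
    every enable= value in document order so a misplaced directive is visible."""
    return [d.get("enable") for d in ET.fromstring(xml_text).iter("debug")]


def cross_check(volume, failure):
    """Report <volume> attributes that did not reach the mount helper unchanged."""
    mismatches = []
    if volume.get("path") != failure["device"]:
        mismatches.append(("path", volume.get("path"), failure["device"]))
    for attr, opt in ATTR_TO_OPT.items():
        if attr in volume and failure["options"].get(opt) != volume[attr]:
            mismatches.append((attr, volume[attr], failure["options"].get(opt)))
    return mismatches


def triage(log_text, conf_text):
    """Match each failed mount to its <volume> and summarise what the helper said."""
    volumes = {v["path"]: v for v in load_volumes(conf_text)}
    report = []
    for f in find_mount_failures(log_text):
        vol = volumes.get(f["device"], {})
        report.append({"user": vol.get("user"), "device": f["device"], "helper": f["helper"],
                       "errors": f["errors"], "config_mismatches": cross_check(vol, f)})
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG, SAMPLE_CONF):
        print(entry)
    print("other module warnings:", module_option_warnings(SAMPLE_LOG))
    print("debug directives in file order:", debug_settings(SAMPLE_CONF))
```

An empty config_mismatches list for the failed volume means the attributes in the XML were passed through intact and the error originates in mount.crypt's call into libcryptsetup, which is why reproducing the activation by hand with cryptsetup (as suggested above) is the next useful step.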