ecryptfs-setup-pam-wrapped.sh has destroyed root login password

Asked by Ted_Smith

Hi

Am trying to have an eCryptfs directory outside of ~/ on another physical disk and partition. I found ecryptfs-setup-pam-wrapped.sh at http://ecryptfs.sourceforge.net/ecryptfs-pam-doc.txt and I gave it a whirl.

OS = Fedora 12
Kernel = 2.6.31.12-174.2.3.fc12.i686
eCryptfs downloaded and installed using the Fedora yum package manager.

1) Logged in as root (su -)
2) sh ecryptfs-setup-pam-wrapped.sh username 'MountPassphrase' 'LoginPassword'
3) Accepted the defaults

All appeared to work OK.

However, ever since, whenever I try to use the root account it tells me the password is incorrect! So I rebooted into run level 1 and tried to execute passwd to reset the root password. It said it could not retrieve the authentication information. So now I am a bit screwed!

Any ideas what's happened here? I assume it's something to do with /etc/pam.d/system-auth getting corrupted or changed in a way that it shouldn't? I noticed there are two entries relating to eCryptfs:

auth required pam_ecryptfs.so unwrap

and

password required pam_ecryptfs.so

I tried rebooting into run level 1 again and used vi to remove those two lines. Having rebooted back into Fedora, root is still inaccessible.

I seriously don't want to have to re-install the OS so any suggestions on how to fix this warmly received!

Ted

Question information

Language: English
Status: Solved
For: eCryptfs
Assignee: No assignee
Solved by: Dustin Kirkland

This question was reopened

Dustin Kirkland  (kirkland) said :
#1

Holy smokes, that's a very old, not-tested-in-a-very-long-time script.
I'm surprised the sourceforge site is even still up.

I can't recommend using it...

The problem that you're seeing is that the current pam_ecryptfs.so
module is not equipped to handle whatever it was that
ecryptfs-setup-pam-wrapped.sh did way back in the day.

Sorry.

Best Dustin Kirkland  (kirkland) said :
#2

I recommend looking at the ecryptfs-setup-pam-wrapped.sh script and
manually undoing what it did to your system.

Dustin Kirkland  (kirkland) said :
#3

I'll try to get those sourceforge pages taken down.

Ted_Smith (tedsmith28) said :
#4

Hey Dustin

We fixed it mate!

As you suggested, I went through the script in reverse order. If you look at line 66 you'll see that it backs up /etc/pam.d/system-auth and renames it as a hidden file called .system-auth-before-pam_ecryptfs.

So, I rebooted into run level 1 (the only way to get root in this case), rm'd system-auth and cp'd the backup into its place and renamed it back to system-auth. Before rebooting I tried passwd and straight away it gave me the option to change the password, whereas it didn't before.

A reboot later and I can now su - to root again!! I am delighted.

Sorry for wasting your time by using an old script. I'd assumed that because it was on Sourceforge it was still OK to use. You live and learn. I'll stick to the packaged scripts from now on!!

Thanks mate

Ted
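
The recovery described in the post above, as an added example that is not part of the original thread or of the eCryptfs project's code. It assumes the backup sits next to the live file in /etc/pam.d; the function names pam_drift and pam_restore are hypothetical, and the check that rejects a backup mentioning pam_ecryptfs.so is an extra safeguard, not something the thread describes.

```shell
#!/bin/sh
# Added example. File names come from the thread; the backup's directory
# (/etc/pam.d) is an assumption. Pass another directory to rehearse safely.

# pam_drift [DIR]: show every line that differs between the backup and the
# live system-auth, not only the two pam_ecryptfs.so entries.
# Returns 0 if identical, 1 if they differ, 2 if either file is missing.
pam_drift() {
    dir=${1:-/etc/pam.d}
    live=$dir/system-auth
    backup=$dir/.system-auth-before-pam_ecryptfs
    [ -f "$live" ] && [ -f "$backup" ] || return 2
    diff "$backup" "$live"
}

# pam_restore [DIR]: put the backup back in place of system-auth.
# Returns 2 if there is no backup, 3 if the backup is not a clean copy.
pam_restore() {
    dir=${1:-/etc/pam.d}
    live=$dir/system-auth
    backup=$dir/.system-auth-before-pam_ecryptfs
    [ -f "$backup" ] || { echo "no backup in $dir" >&2; return 2; }
    # A backup that already references the module would restore the problem.
    if grep -q 'pam_ecryptfs\.so' "$backup"; then
        echo "backup already references pam_ecryptfs.so" >&2
        return 3
    fi
    # Keep the modified file for later inspection instead of deleting it.
    if [ -e "$live" ]; then
        cp -p "$live" "$live.broken" || return 1
    fi
    # Copy beside the target, then rename, so system-auth is never half-written.
    cp -p "$backup" "$live.new" && mv -f "$live.new" "$live"
}
```

From a root shell in run level 1, source the file, run pam_drift to see everything the script changed, then pam_restore, and confirm passwd works before rebooting.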

Ted_Smith (tedsmith28) said :
#5

Thanks Dustin Kirkland, that solved my question.

Ted_Smith (tedsmith28) said :
#6

PS...what is the best way to select a directory other than ~/Private to act as an eCryptfs directory? I have a dir that I'd like to mount as eCryptfs on a secondary disk outside of my ~/home. It was my efforts at trying to achieve this that led me to this script initially. Perhaps I need to go through the ecryptfs-setup-private process first to ensure all the appropriate mount passwords and keys etc are generated first, and then use eCryptfs to manually mount the secondary dir?

Ted_Smith (tedsmith28) said :
#7

Thanks Dustin Kirkland, that solved my question.

Ted_Smith (tedsmith28) said :
#8

Dustin

By the way, in the latest source download, in /doc there's the same ecryptfs-pam-doc.txt file that links to the same script. You'll need to remove that too, or edit it perhaps?