eCryptfs

Use pam_ecryptfs only to unwrap passphrase. How to debug?

Asked by Florian Schmaus

I created a encrypted directory with
mount -t ecryptfs /home/.ecryptfs/<user>/.Private /home/<user>

Now I want the passsphrase to automatically unwrap on login: I created <user>/.ecryptfs/wrapped-passphrase and added pam_ecryptfs into pam. But the passphrase is not inserted into the session keyring on login. The documentation is not consistent on pam_ecryptfs:
- http://ecryptfs.sourceforge.net/ecryptfs-pam-doc.txt tells me to use "password required pam_ecryptfs.so"
- man pam_encryptfs tells me to "session optional pam_ecryptfs.so unwrap"
I tried both...

I have setup pam_mount to do the mount. The mount succeeds when I add the key manually with "ecryptfs-insert-wrapped-passphrase-into-keyring" but thats the part I expected to pam_ecryptfs to do :)

How can I debug my setup?

Question information

Language:
English Edit question
Status:
Answered
For:
eCryptfs Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
Florian Schmaus (flowdalic) said : 		#1

Took me a while. But I had to touch ~/.ecryptfs/auto-mount to let pam_ecryptfs do its work (see also http://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/view/head:/src/pam_ecryptfs/pam_ecryptfs.c#L152 ).

2. Suggestions:
- Change line 152 of pam_encryptfs.c to "if (!file_exists_dotecryptfs(homedir, "auto-mount") && !file_exists_dotecryptfs(homedir, "auto-unwrap"))", to add an extra option to only unwrap the passphrase without mounting.
- Please prefix the pam_ecryptfs.c syslog() messages. Seeing something like
Jul 3 22:36:00 flo-nbook login[9194]: pam_sm_authenticate: Called
Jul 3 22:36:00 flo-nbook login[9194]: pam_sm_authenticate: username = [flo]
in the syslog doesn't help debuggin, because I was at first unable to verify that these messages in fact came from pam_ecryptfs.

Should I create separate bug reports/enhancement requests for this?

Revision history for this message
Serge Hallyn (serge-hallyn) said : 		#2

Quoting Florian Schmaus (<email address hidden>):
> Question #163420 on eCryptfs changed:
> https://answers.launchpad.net/ecryptfs/+question/163420
>
> Florian Schmaus gave more information on the question:
> Took me a while. But I had to touch ~/.ecryptfs/auto-mount to let
> pam_ecryptfs do its work (see also
> http://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/view/head:/src/pam_ecryptfs/pam_ecryptfs.c#L152
> ).
>
>
> 2. Suggestions:
> - Change line 152 of pam_encryptfs.c to "if (!file_exists_dotecryptfs(homedir, "auto-mount") && !file_exists_dotecryptfs(homedir, "auto-unwrap"))", to add an extra option to only unwrap the passphrase without mounting.

That sounds like a good idea, thanks.

> - Please prefix the pam_ecryptfs.c syslog() messages. Seeing something like
> Jul 3 22:36:00 flo-nbook login[9194]: pam_sm_authenticate: Called
> Jul 3 22:36:00 flo-nbook login[9194]: pam_sm_authenticate: username = [flo]
> in the syslog doesn't help debuggin, because I was at first unable to verify that these messages in fact came from pam_ecryptfs.
>
> Should I create separate bug reports/enhancement requests for this?

You should IIRC be able to 'convert this question to a bug'? If not,
then yes please create a new bug, and you can link it to this question.

Can you help with this problem?

Provide an answer of your own, or ask Florian Schmaus for more information if necessary.

To post a message you must log in.