Use pam_ecryptfs only to unwrap passphrase. How to debug?

Asked by Florian Schmaus on 2011-07-01

I created a encrypted directory with
mount -t ecryptfs /home/.ecryptfs/<user>/.Private /home/<user>

Now I want the passsphrase to automatically unwrap on login: I created <user>/.ecryptfs/wrapped-passphrase and added pam_ecryptfs into pam. But the passphrase is not inserted into the session keyring on login. The documentation is not consistent on pam_ecryptfs:
- http://ecryptfs.sourceforge.net/ecryptfs-pam-doc.txt tells me to use "password required pam_ecryptfs.so"
- man pam_encryptfs tells me to "session optional pam_ecryptfs.so unwrap"
I tried both...

I have setup pam_mount to do the mount. The mount succeeds when I add the key manually with "ecryptfs-insert-wrapped-passphrase-into-keyring" but thats the part I expected to pam_ecryptfs to do :)

How can I debug my setup?

Question information

Florian Schmaus (flowdalic) said : #1

Took me a while. But I had to touch ~/.ecryptfs/auto-mount to let pam_ecryptfs do its work (see also http://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/view/head:/src/pam_ecryptfs/pam_ecryptfs.c#L152 ).

2. Suggestions:
- Change line 152 of pam_encryptfs.c to "if (!file_exists_dotecryptfs(homedir, "auto-mount") && !file_exists_dotecryptfs(homedir, "auto-unwrap"))", to add an extra option to only unwrap the passphrase without mounting.
- Please prefix the pam_ecryptfs.c syslog() messages. Seeing something like
Jul 3 22:36:00 flo-nbook login[9194]: pam_sm_authenticate: Called
Jul 3 22:36:00 flo-nbook login[9194]: pam_sm_authenticate: username = [flo]
in the syslog doesn't help debuggin, because I was at first unable to verify that these messages in fact came from pam_ecryptfs.

Should I create separate bug reports/enhancement requests for this?

Serge Hallyn (serge-hallyn) said : #2

Quoting Florian Schmaus (<email address hidden>):
> Question #163420 on eCryptfs changed:
> https://answers.launchpad.net/ecryptfs/+question/163420
>
> Florian Schmaus gave more information on the question:
> Took me a while. But I had to touch ~/.ecryptfs/auto-mount to let
> pam_ecryptfs do its work (see also
> http://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/view/head:/src/pam_ecryptfs/pam_ecryptfs.c#L152
> ).
>
>
> 2. Suggestions:
> - Change line 152 of pam_encryptfs.c to "if (!file_exists_dotecryptfs(homedir, "auto-mount") && !file_exists_dotecryptfs(homedir, "auto-unwrap"))", to add an extra option to only unwrap the passphrase without mounting.

That sounds like a good idea, thanks.

> - Please prefix the pam_ecryptfs.c syslog() messages. Seeing something like
> Jul 3 22:36:00 flo-nbook login[9194]: pam_sm_authenticate: Called
> Jul 3 22:36:00 flo-nbook login[9194]: pam_sm_authenticate: username = [flo]
> in the syslog doesn't help debuggin, because I was at first unable to verify that these messages in fact came from pam_ecryptfs.
>
> Should I create separate bug reports/enhancement requests for this?

You should IIRC be able to 'convert this question to a bug'? If not,
then yes please create a new bug, and you can link it to this question.

Can you help with this problem?

Provide an answer of your own, or ask Florian Schmaus for more information if necessary.

To post a message you must log in.