Linux Archive > Gentoo > Gentoo User
05-04-2010, 05:38 PM
"Stefan G. Weichinger"

Kernel upgrade and now LUKS failure.

Am 04.05.2010 18:54, schrieb walt:

>> pam_mount(mount.c): crypt_activate_by_passphrase: Operation not
>> permitted
>
> I don't have a pam_mount, where does it come from? Perhaps it needs
> a reference to pam_ssh.so?

What do you mean with "where does it come from?" ?

It's in portage ... for example

http://home.coming.dk/index.php/2009/05/20/encrypted_home_partition_using_luks_pam_

shows how to make use of it.

I am not sure which HOWTO I followed ... but it is the same approach.
What would the reference to pam_ssh.so look like?


Googling for "crypt_activate_by_passphrase" I found:

http://code.google.com/p/cryptsetup/issues/detail?id=58

which says:

"crypt_activate_by_passphrase is the new API"

Could it be the case that my current setup somehow uses "the new API"
which isn't available yet in some package?

I don't yet have the whole picture ...

Thanks, Stefan
 
05-04-2010, 07:28 PM
"Stefan G. Weichinger"

Kernel upgrade and now LUKS failure.

Am 04.05.2010 19:38, schrieb Stefan G. Weichinger:

> I don't yet have the whole picture ...

I did some "emerge -avuDN world", quite some packages updated even
though I am doing "emerge -avu world" nearly every day ...

After a reboot and setting debug to 1 for pam_mount it says:

May 4 21:25:38 enzo slim: pam_mount(pam_mount.c:364): pam_mount 2.0:
entering auth stage
May 4 21:25:38 enzo slim: gkr-pam: invalid option: use_first_pass
May 4 21:25:38 enzo slim: pam_unix(slim:session): session opened for
user sgw by (uid=0)
May 4 21:25:38 enzo slim: pam_mount(pam_mount.c:552): pam_mount 2.0:
entering session stage
May 4 21:25:38 enzo slim: pam_mount(misc.c:38): Session open: (uid=0,
euid=0, gid=0, egid=0)
May 4 21:25:38 enzo slim: pam_mount(mount.c:196): Mount info:
globalconf, user=sgw <volume fstype="crypt" server="(null)"
path="/dev/mapper/VG01-crypthome" mountpoint="/home/sgw"
cipher="aes-cbc-plain" fskeypath="/etc/security/verysekrit.key"
fskeycipher="aes-256-cbc" fskeyhash="md5"
options="data=journal,commit=15" /> fstab=0
May 4 21:25:38 enzo slim: command: 'mount.crypt'
'-ocipher=aes-cbc-plain' '-ofsk_cipher=aes-256-cbc' '-ofsk_hash=md5'
'-okeyfile=/etc/security/verysekrit.key' '-odata=journal,commit=15'
'/dev/mapper/VG01-crypthome' '/home/sgw'
May 4 21:25:38 enzo slim: pam_mount(misc.c:38): set_myuid<pre>: (uid=0,
euid=0, gid=0, egid=0)
May 4 21:25:38 enzo slim: pam_mount(misc.c:38): set_myuid<post>:
(uid=0, euid=0, gid=0, egid=0)
May 4 21:25:40 enzo slim: pam_mount(mount.c:64): Errors from underlying
mount program:
May 4 21:25:40 enzo slim: pam_mount(mount.c:68):
crypt_activate_by_passphrase: Operation not permitted
May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:520): mount of
/dev/mapper/VG01-crypthome failed
May 4 21:25:40 enzo slim: command: 'pmvarrun' '-u' 'sgw' '-o' '1'
May 4 21:25:40 enzo slim: pam_mount(misc.c:38): set_myuid<pre>: (uid=0,
euid=0, gid=0, egid=0)
May 4 21:25:40 enzo slim: pam_mount(misc.c:38): set_myuid<post>:
(uid=0, euid=0, gid=0, egid=0)
May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:440): pmvarrun says
login count is 1
May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:642): done opening
session (ret=0)
May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:115): Clean global
config (0)
May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:132): clean system
authtok=0x80e6870 (0)
May 4 21:25:40 enzo seahorse-daemon[1426]: DNS-SD initialization
failed: Daemon not running
May 4 21:25:40 enzo seahorse-daemon[1426]: unsupported key server uri
scheme: ldap
May 4 21:25:40 enzo seahorse-daemon[1426]: init gpgme version 1.3.0
May 4 21:25:41 enzo pulseaudio[1475]: module-alsa-card.c: Failed to
find a working profile.
May 4 21:25:41 enzo pulseaudio[1475]: module.c: Failed to load module
"module-alsa-card" (argument: "device_id="5"
name="platform-thinkpad_acpi"
card_name="alsa_card.platform-thinkpad_acpi" tsched=yes ignore_dB=no
card_properties="module-udev-detect.discovered=1""): initialization failed.
May 4 21:25:41 enzo polkitd(authority=local): Registered Authentication
Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name
:1.49 [/usr/libexec/polkit-gnome-authentication-agent-1], object path
/org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)


----- (maybe I pasted too much, this was everything from typing my
username to the Gnome-session opened, but with the "wrong" /home for
user sgw)

Some bits of additional info:

# cat /etc/pam.d/system-auth
auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_mount.so
auth optional pam_gnome_keyring.so

account required pam_unix.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2
retry=3
password optional pam_gnome_keyring.so
password required pam_unix.so try_first_pass use_authtok nullok sha512
shadow
session required pam_limits.so
session optional pam_gnome_keyring.so auto_start
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
session optional pam_mount.so



# cat /etc/security/pam_mount.conf.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
See pam_mount.conf(5) for a description.
-->

<pam_mount>

<!-- debug should come before everything else,
since this file is still processed in a single pass
from top-to-bottom -->

<debug enable="0" />


<!-- Volume definitions -->

<!--

<volume user="username"
path="/dev/mmcblk0p1"
mountpoint="/mnt/mmc"
fstype="auto" />

-->

<volume user="sgw"
path="/dev/mapper/VG01-crypthome"
mountpoint="/home/sgw"
fstype="crypt"
options="data=journal,commit=15"
cipher="aes-cbc-plain"
fskeypath="/etc/security/verysekrit.key"
fskeycipher="aes-256-cbc"
fskeyhash="md5" />

<!-- pam_mount parameters: General tunables -->

<debug enable="1" />
<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
You will need to explicitly initialize it with the empty string
to reset the defaults to nothing. -->
<mntoptions
allow="nosuid,nodev,loop,encryption,fsck,nonempty, allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />
<path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>

<logout wait="0" hup="0" term="0" kill="0" />


<!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />


</pam_mount>



--- I didn't change both files except for the debug-parameter ...


[root@enzo]:~ # eix pam_mount
[i] sys-auth/pam_mount
Available versions: (~)1.20 (~)1.21 (~)1.22 (~)1.24 (~)1.25
(~)1.25-r1 (~)1.26 (~)1.31 (~)1.32 (~)1.33 (~)2.0 {crypt}
Installed versions: 2.0(12:45:53 04.05.2010)(crypt)
Homepage: http://pam-mount.sourceforge.net
Description: A PAM module that can mount volumes for a user
session

[root@enzo]:~ # eix cryptset
[i] sys-fs/cryptsetup
Available versions: 0.1-r3 1.0.5-r1 1.0.6-r2 (~)1.0.7 (~)1.0.7-r1
(~)1.1.0 (~)1.1.1_rc1{tbz2} {dynamic nls selinux}
Installed versions: 1.1.1_rc1{tbz2}(13:04:41 04.05.2010)(nls
-dynamic -selinux)
Homepage: http://code.google.com/p/cryptsetup/
Description: Tool to setup encrypted devices with dm-crypt


Thanks for any hints, Stefan
 
05-04-2010, 09:24 PM
Daniel Troeder

Kernel upgrade and now LUKS failure.

On 05/04/2010 09:28 PM, Stefan G. Weichinger wrote:
> Am 04.05.2010 19:38, schrieb Stefan G. Weichinger:
>
>> I don't yet have the whole picture ...
>
> I did some "emerge -avuDN world", quite some packages updated even
> though I am doing "emerge -avu world" nearly every day ...
>
> After a reboot and setting debug to 1 for pam_mount it says:
>
> May 4 21:25:38 enzo slim: pam_mount(pam_mount.c:364): pam_mount 2.0:
> entering auth stage
> May 4 21:25:38 enzo slim: gkr-pam: invalid option: use_first_pass
> May 4 21:25:38 enzo slim: pam_unix(slim:session): session opened for
> user sgw by (uid=0)
> May 4 21:25:38 enzo slim: pam_mount(pam_mount.c:552): pam_mount 2.0:
> entering session stage
> May 4 21:25:38 enzo slim: pam_mount(misc.c:38): Session open: (uid=0,
> euid=0, gid=0, egid=0)
> May 4 21:25:38 enzo slim: pam_mount(mount.c:196): Mount info:
> globalconf, user=sgw <volume fstype="crypt" server="(null)"
> path="/dev/mapper/VG01-crypthome" mountpoint="/home/sgw"
> cipher="aes-cbc-plain" fskeypath="/etc/security/verysekrit.key"
> fskeycipher="aes-256-cbc" fskeyhash="md5"
> options="data=journal,commit=15" /> fstab=0
> May 4 21:25:38 enzo slim: command: 'mount.crypt'
> '-ocipher=aes-cbc-plain' '-ofsk_cipher=aes-256-cbc' '-ofsk_hash=md5'
> '-okeyfile=/etc/security/verysekrit.key' '-odata=journal,commit=15'
> '/dev/mapper/VG01-crypthome' '/home/sgw'
> May 4 21:25:38 enzo slim: pam_mount(misc.c:38): set_myuid<pre>: (uid=0,
> euid=0, gid=0, egid=0)
> May 4 21:25:38 enzo slim: pam_mount(misc.c:38): set_myuid<post>:
> (uid=0, euid=0, gid=0, egid=0)
> May 4 21:25:40 enzo slim: pam_mount(mount.c:64): Errors from underlying
> mount program:
> May 4 21:25:40 enzo slim: pam_mount(mount.c:68):
> crypt_activate_by_passphrase: Operation not permitted
> May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:520): mount of
> /dev/mapper/VG01-crypthome failed
> May 4 21:25:40 enzo slim: command: 'pmvarrun' '-u' 'sgw' '-o' '1'
> May 4 21:25:40 enzo slim: pam_mount(misc.c:38): set_myuid<pre>: (uid=0,
> euid=0, gid=0, egid=0)
> May 4 21:25:40 enzo slim: pam_mount(misc.c:38): set_myuid<post>:
> (uid=0, euid=0, gid=0, egid=0)
> May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:440): pmvarrun says
> login count is 1
> May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:642): done opening
> session (ret=0)
> May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:115): Clean global
> config (0)
> May 4 21:25:40 enzo slim: pam_mount(pam_mount.c:132): clean system
> authtok=0x80e6870 (0)
> May 4 21:25:40 enzo seahorse-daemon[1426]: DNS-SD initialization
> failed: Daemon not running
> May 4 21:25:40 enzo seahorse-daemon[1426]: unsupported key server uri
> scheme: ldap
> May 4 21:25:40 enzo seahorse-daemon[1426]: init gpgme version 1.3.0
> May 4 21:25:41 enzo pulseaudio[1475]: module-alsa-card.c: Failed to
> find a working profile.
> May 4 21:25:41 enzo pulseaudio[1475]: module.c: Failed to load module
> "module-alsa-card" (argument: "device_id="5"
> name="platform-thinkpad_acpi"
> card_name="alsa_card.platform-thinkpad_acpi" tsched=yes ignore_dB=no
> card_properties="module-udev-detect.discovered=1""): initialization failed.
> May 4 21:25:41 enzo polkitd(authority=local): Registered Authentication
> Agent for session /org/freedesktop/ConsoleKit/Session3 (system bus name
> :1.49 [/usr/libexec/polkit-gnome-authentication-agent-1], object path
> /org/gnome/PolicyKit1/AuthenticationAgent, locale de_DE.UTF-8)
>
>
> ----- (maybe I pasted too much, this was everything from typing my
> username to the Gnome-session opened, but with the "wrong" /home for
> user sgw)
>
> Some bits of additional info:
>
> # cat /etc/pam.d/system-auth
> auth required pam_env.so
> auth required pam_unix.so try_first_pass likeauth nullok
> auth optional pam_mount.so
> auth optional pam_gnome_keyring.so
>
> account required pam_unix.so
>
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2
> retry=3
> password optional pam_gnome_keyring.so
> password required pam_unix.so try_first_pass use_authtok nullok sha512
> shadow
> session required pam_limits.so
> session optional pam_gnome_keyring.so auto_start
> session required pam_env.so
> session required pam_unix.so
> session optional pam_permit.so
> session optional pam_mount.so
>
>
>
> # cat /etc/security/pam_mount.conf.xml
> <?xml version="1.0" encoding="utf-8" ?>
> <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
> <!--
> See pam_mount.conf(5) for a description.
> -->
>
> <pam_mount>
>
> <!-- debug should come before everything else,
> since this file is still processed in a single pass
> from top-to-bottom -->
>
> <debug enable="0" />
>
>
> <!-- Volume definitions -->
>
> <!--
>
> <volume user="username"
> path="/dev/mmcblk0p1"
> mountpoint="/mnt/mmc"
> fstype="auto" />
>
> -->
>
> <volume user="sgw"
> path="/dev/mapper/VG01-crypthome"
> mountpoint="/home/sgw"
> fstype="crypt"
> options="data=journal,commit=15"
> cipher="aes-cbc-plain"
> fskeypath="/etc/security/verysekrit.key"
> fskeycipher="aes-256-cbc"
> fskeyhash="md5" />
>
> <!-- pam_mount parameters: General tunables -->
>
> <debug enable="1" />
> <!--
> <luserconf name=".pam_mount.conf.xml" />
> -->
>
> <!-- Note that commenting out mntoptions will give you the defaults.
> You will need to explicitly initialize it with the empty string
> to reset the defaults to nothing. -->
> <mntoptions
> allow="nosuid,nodev,loop,encryption,fsck,nonempty, allow_root,allow_other" />
> <!--
> <mntoptions deny="suid,dev" />
> <mntoptions allow="*" />
> <mntoptions deny="*" />
> -->
> <mntoptions require="nosuid,nodev" />
> <path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
>
> <logout wait="0" hup="0" term="0" kill="0" />
>
>
> <!-- pam_mount parameters: Volume-related -->
>
> <mkmountpoint enable="1" remove="true" />
>
>
> </pam_mount>
>
>
>
> --- I didn't change both files except for the debug-parameter ...
>
>
> [root@enzo]:~ # eix pam_mount
> [i] sys-auth/pam_mount
> Available versions: (~)1.20 (~)1.21 (~)1.22 (~)1.24 (~)1.25
> (~)1.25-r1 (~)1.26 (~)1.31 (~)1.32 (~)1.33 (~)2.0 {crypt}
> Installed versions: 2.0(12:45:53 04.05.2010)(crypt)
> Homepage: http://pam-mount.sourceforge.net
> Description: A PAM module that can mount volumes for a user
> session
>
> [root@enzo]:~ # eix cryptset
> [i] sys-fs/cryptsetup
> Available versions: 0.1-r3 1.0.5-r1 1.0.6-r2 (~)1.0.7 (~)1.0.7-r1
> (~)1.1.0 (~)1.1.1_rc1{tbz2} {dynamic nls selinux}
> Installed versions: 1.1.1_rc1{tbz2}(13:04:41 04.05.2010)(nls
> -dynamic -selinux)
> Homepage: http://code.google.com/p/cryptsetup/
> Description: Tool to setup encrypted devices with dm-crypt
>
>
> Thanks for any hints, Stefan
>
I'm using sys-fs/cryptsetup-1.1.1_rc1 since 02.05.2010 and didn't have
any issues.
Please decrypt your partition from the command line, so we can see if it
is a cryptsetup/luks/kernel problem or a pam_mount problem.

Cmdline should be something like:
$ sudo cryptsetup -d /etc/security/verysekrit.key luksOpen
/dev/mapper/VG01-crypthome myhome
Which should create /dev/mapper/myhome.

Bye,
Daniel


--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
 
05-04-2010, 11:51 PM
walt

Kernel upgrade and now LUKS failure.

On 05/04/2010 10:38 AM, Stefan G. Weichinger wrote:
> Am 04.05.2010 18:54, schrieb walt:
>
>>> pam_mount(mount.c): crypt_activate_by_passphrase: Operation not
>>> permitted
>>
>> I don't have a pam_mount, where does it come from? Perhaps it needs
>> a reference to pam_ssh.so?
>
> What do you mean with "where does it come from?" ?
>
> It's in portage ...

Okay, I'm assuming pam_mount.so and mount.crypt come from the sys-auth/
pam_mount package but I can't check because all of those packages are
masked by the ~x86 keyword at the moment.

> Could it be the case that my current setup somehow uses "the new API"
> which isn't available yet in some package?
>
> I don't yet have the whole picture ...


Daniel knows more than I do about this subject, so I recommend that you
follow his advice. However, all of the pam_mount packages being masked
at the same time makes me suspect that not everything is working exactly
as it should. I'll follow this thread, hoping to learn more.
 
05-05-2010, 04:42 AM
"Stefan G. Weichinger"

Kernel upgrade and now LUKS failure.

Am 04.05.2010 23:24, schrieb Daniel Troeder:

> I'm using sys-fs/cryptsetup-1.1.1_rc1 since 02.05.2010 and didn't have
> any issues.
> Please decrypt your partition from the command line, so we can see if it
> is a cryptsetup/luks/kernel problem or a pam_mount problem.
>
> Cmdline should something like:
> $ sudo cryptsetup -d /etc/security/verysekrit.key luksOpen
> /dev/mapper/VG01-crypthome myhome
> Which should create /dev/mapper/myhome.

My user sgw is currently not allowed to sudo this (should it be? it
never was).

And for root it says "Kein Schlüssel mit diesem Passsatz verfügbar."
(german) which should be "No key available with this passphrase." in
english.

Thanks, Stefan
 
05-05-2010, 08:00 AM
Daniel Troeder

Kernel upgrade and now LUKS failure.

On 05/05/2010 06:42 AM, Stefan G. Weichinger wrote:
> Am 04.05.2010 23:24, schrieb Daniel Troeder:
>
>> I'm using sys-fs/cryptsetup-1.1.1_rc1 since 02.05.2010 and didn't have
>> any issues.
>> Please decrypt your partition from the command line, so we can see if it
>> is a cryptsetup/luks/kernel problem or a pam_mount problem.
>>
>> Cmdline should something like:
>> $ sudo cryptsetup -d /etc/security/verysekrit.key luksOpen
>> /dev/mapper/VG01-crypthome myhome
>> Which should create /dev/mapper/myhome.
>
> My user sgw is currently not allowed to sudo this (should it be? it
> never was).
>
> And for root it says "Kein Schlüssel mit diesem Passsatz verfügbar."
> (german) which should be "No key available with this passphrase." in
> english.
That is a message from cryptsetup. As you are using openssl to get the
key, I think the problem might be there.

I followed the guide you linked here (website is down, but google-cache
works:
http://webcache.googleusercontent.com/search?q=cache:7eaSac72CoIJ:home.coming.dk/index.php/2009/05/20/encrypted_home_partition_using_luks_pam_+encrypted_home_partition_using_luks_pam&cd=2&hl=de&ct=clnk&gl=de&client=firefox-a)
and it works for me (kernel is 2.6.33-zen2):

lvcreate -n crypttest -L 100M vg0
KEY=`tr -cd [:graph:] < /dev/urandom | head -c 79`
echo $KEY | openssl aes-256-ecb > verysekrit.key
openssl aes-256-ecb -d -in verysekrit.key
# (aha
openssl aes-256-ecb -d -in verysekrit.key | cryptsetup -v --cipher
aes-cbc-plain --key-size 256 luksFormat /dev/vg0/crypttest
openssl aes-256-ecb -d -in verysekrit.key | cryptsetup luksOpen
/dev/vg0/crypttest decryptedtest
cryptsetup luksClose crypttest
# (i couldn't close it... don't know why...)

The key that cryptsetup is given to decrypt the partition is created by
openssl from the file. Please check the output of
$ openssl aes-256-ecb -d -in verysekrit.key
under both kernels - it should be identical.
BTW: You'll get your error message if you run:
$ echo notmykey | cryptsetup luksOpen /dev/vg0/crypttest decryptedtes

Bye,
Daniel




--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
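The check Daniel asks for, in the form of an added example (not pam_mount's or cryptsetup's own code): it reads the `<volume fstype="crypt">` entry from the pam_mount.conf.xml quoted earlier in the thread and produces the by-hand commands that reproduce what mount.crypt does at login, using the cipher and hash the config actually names (aes-256-cbc with md5) rather than the aes-256-ecb of the test above. It assumes that mount.crypt's fskey handling is equivalent to `openssl enc` with `fskeycipher` and `fskeyhash`; the hostnames, paths and user in `SAMPLE_CONF` are copied from the thread and the constructed config is embedded so the script runs offline.

```python
"""Turn a pam_mount <volume fstype="crypt"> entry into the by-hand checks that
reproduce what mount.crypt does at login: decrypt the fskey with OpenSSL using
the configured fskeycipher/fskeyhash, then pipe the result to cryptsetup.
Added example; assumes mount.crypt's fskey decryption is equivalent to
`openssl enc` with those parameters (an assumption, not pam_mount's code)."""
import shlex
import xml.etree.ElementTree as ET

# Constructed sample: the volume definition quoted in the thread.
SAMPLE_CONF = """<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
  <debug enable="0" />
  <volume user="sgw"
          path="/dev/mapper/VG01-crypthome"
          mountpoint="/home/sgw"
          fstype="crypt"
          options="data=journal,commit=15"
          cipher="aes-cbc-plain"
          fskeypath="/etc/security/verysekrit.key"
          fskeycipher="aes-256-cbc"
          fskeyhash="md5" />
</pam_mount>
"""


def crypt_volumes(conf_xml, user):
    """Attribute dicts of every crypt volume configured for `user`."""
    root = ET.fromstring(conf_xml)
    return [dict(v.attrib) for v in root.iter("volume")
            if v.get("fstype") == "crypt" and v.get("user") == user]


def keyfile_decrypt_cmd(vol):
    """openssl enc invocation that recovers the LUKS passphrase from fskeypath.

    -md is passed explicitly: OpenSSL 1.1.0 and later derive the key with
    sha256 by default, while this config (and pam_mount's default) uses md5,
    so a bare `openssl aes-256-cbc -d` can fail with 'bad decrypt' on a newer
    OpenSSL even when the cipher name is right."""
    return ["openssl", "enc", "-d", "-" + vol["fskeycipher"],
            "-md", vol.get("fskeyhash", "md5"), "-in", vol["fskeypath"]]


def luks_open_cmd(vol, name):
    """cryptsetup reads the passphrase from stdin when stdin is not a tty."""
    return ["cryptsetup", "luksOpen", vol["path"], name]


def manual_check(vol, name="crypthome_check"):
    """The complete pipeline to run as root, as one shell line."""
    return " | ".join(shlex.join(c)
                      for c in (keyfile_decrypt_cmd(vol), luks_open_cmd(vol, name)))


def cipher_mismatch(vol, cipher_tried):
    """True when the cipher used by hand differs from fskeycipher.  Decrypting
    a key file written with aes-256-cbc as aes-256-ecb yields openssl's
    'bad decrypt', and cryptsetup then reports that no key matches."""
    return vol["fskeycipher"].lower() != cipher_tried.lower()


if __name__ == "__main__":
    for vol in crypt_volumes(SAMPLE_CONF, "sgw"):
        print(manual_check(vol))
        print("ecb would mismatch:", cipher_mismatch(vol, "aes-256-ecb"))
```

The printed pipeline is what to type as root (openssl prompts for the user's login password, which is the key-file passphrase in this setup); if it opens the device while pam_mount still fails, the problem is in pam_mount, not in the key file. Note that `fskeyhash="md5"` means the key file's passphrase goes through a single MD5 round, so the file deserves the same protection as the passphrase itself.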
 
05-05-2010, 08:42 AM
"Stefan G. Weichinger"

Kernel upgrade and now LUKS failure.

Am 05.05.2010 10:00, schrieb Daniel Troeder:

> That is a message from cryptsetup. As you are using openssl to get
> the key, I think the problem might be there.

ok ....

> lvcreate -n crypttest -L 100M vg0
> KEY=`tr -cd [:graph:] < /dev/urandom | head -c 79`
> echo $KEY | openssl aes-256-ecb > verysekrit.key
> openssl aes-256-ecb -d -in verysekrit.key
> # (aha
> openssl aes-256-ecb -d -in verysekrit.key | cryptsetup -v --cipher
> aes-cbc-plain --key-size 256 luksFormat /dev/vg0/crypttest
> openssl aes-256-ecb -d -in verysekrit.key | cryptsetup luksOpen
> /dev/vg0/crypttest decryptedtest
> cryptsetup luksClose crypttest
> # (i couldn't close it... don't know why...)
>
> The key that cryptsetup is given to decrypt the partition is created
> by openssl from the file. Please check the output of
> $ openssl aes-256-ecb -d -in verysekrit.key
> under both kernel - it should be identical.

At first, thank you for your time and work!

Tried that. I have to admit that I don't know the decryption password
... but as far as I understand it should be the same as the
unix-password of the user sgw. pam_mount.so should read it when I log
in, correct?

With this password I get a "bad decrypt" so this explains why it fails.

Please let me repeat/point out that it is the same for 3 kernels
(2.6.32-r1, 2.6.33-r[12] ... ), so I should change the subject to stay
correct ...

> BTW: You'll get your error message if you run: $ echo
> notmykey | cryptsetup luksOpen /dev/vg0/crypttest decryptedtes

Yes, correct.

-

I really wonder what the reason is ... should I downgrade openssl?

Thanks Stefan
 
05-05-2010, 07:39 PM
Daniel Troeder

Kernel upgrade and now LUKS failure.

On 05/05/2010 10:42 AM, Stefan G. Weichinger wrote:
> Am 05.05.2010 10:00, schrieb Daniel Troeder:
>
>> That is a message from cryptsetup. As you are using openssl to get
>> the key, I think the problem might be there.
>
> ok ....
>
>> lvcreate -n crypttest -L 100M vg0
>> KEY=`tr -cd [:graph:] < /dev/urandom | head -c 79`
>> echo $KEY | openssl aes-256-ecb > verysekrit.key
>> openssl aes-256-ecb -d -in verysekrit.key
>> # (aha
>> openssl aes-256-ecb -d -in verysekrit.key | cryptsetup -v --cipher
>> aes-cbc-plain --key-size 256 luksFormat /dev/vg0/crypttest
>> openssl aes-256-ecb -d -in verysekrit.key | cryptsetup luksOpen
>> /dev/vg0/crypttest decryptedtest
>> cryptsetup luksClose crypttest
>> # (i couldn't close it... don't know why...)
>>
>> The key that cryptsetup is given to decrypt the partition is
>> created by openssl from the file. Please check the output of
>> $ openssl aes-256-ecb -d -in verysekrit.key
>> under both kernel - it should be identical.
>
> At first, thank you for your time and work!
>
> Tried that. I have to admit that I don't know the decryption
> password ... but as far as I understand it should be the same as the
> unix-password of the user sgw. pam_mount.so should read it when I
> log in, correct?
Yes. The pam_mount man page (http://linux.die.net/man/8/pam_mount) says so.
It's actually quite verbose on the topic.

> With this password I get a "bad decrypt" so this explains why it
> fails.
If you cannot decrypt your keyfile (with openssl) then you have just
lost any way to decrypt your partition!

But there is an idea in the man page of which I didn't think: did you
maybe change your users password? If so, you need to use the old pw to
decrypt the keyfile. If you can, then you can use the new pw to encrypt
the key again (make backups of the original file).

There is also the possibility your keyfile was corrupted somehow (file
system corruption?). Do you have a backup of the keyfile (and your data)?

BTW: a LUKS encrypted partition can have 8 keys (in so called "key
slots"), so that you can add a "fallback key" the next time, which you
store at a trusted place.

Good luck,
Daniel

> Please let me repeat/point out that it is the same for 3 kernels
> (2.6.32-r1, 2.6.33-r[12] ... ), so I should change the subject to
> stay correct ...
>
>> BTW: You'll get your error message if you run: $ echo notmykey |
>> cryptsetup luksOpen /dev/vg0/crypttest decryptedtes
>
> Yes, correct.
>
> -
>
> I really wonder what the reason is ... should I downgrade openssl?
>
> Thanks Stefan
>


--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
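Daniel's point about the eight key slots can be checked directly on the device. The following is an added example, not cryptsetup's code: a parser for the LUKS1 on-disk header (the format in use at the time of this thread; LUKS2 keeps its metadata as JSON and is not handled) that reports the cipher, hash and which slots are active, so an admin can confirm that a fallback key really occupies a second slot before relying on it. The sample header is constructed in the script, with no real key material; on a live system the first 592 bytes of the LUKS device would be read instead, as root.

```python
"""Parse a LUKS1 header and report key-slot usage, so that the presence of a
fallback key can be verified.  Added example, not cryptsetup's code; handles
the LUKS1 layout only."""
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"   # fixed part, big-endian, 208 bytes
SLOT_FMT = ">II32sII"                     # one key slot, 48 bytes
NUM_SLOTS = 8                             # LUKS1 always carries 8 slots
SLOT_ACTIVE = 0x00AC71F3                  # LUKS_KEY_ENABLED
SLOT_DISABLED = 0x0000DEAD                # LUKS_KEY_DISABLED
HEADER_SIZE = struct.calcsize(PHDR_FMT) + NUM_SLOTS * struct.calcsize(SLOT_FMT)


def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii")


def parse_luks1_header(buf):
    """Return the header's cipher spec, hash, key size and per-slot state."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("buffer shorter than a LUKS1 header")
    (magic, version, cname, cmode, hspec, payload_off, key_bytes,
     _digest, _dsalt, diter, uuid_raw) = struct.unpack_from(PHDR_FMT, buf, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("LUKS magic not found")
    if version != 1:
        raise ValueError("only LUKS1 headers are handled here")
    slots = []
    base = struct.calcsize(PHDR_FMT)
    for i in range(NUM_SLOTS):
        active, iters, _salt, km_off, stripes = struct.unpack_from(
            SLOT_FMT, buf, base + i * struct.calcsize(SLOT_FMT))
        # Anything other than the two documented markers is a damaged slot.
        state = {SLOT_ACTIVE: "active", SLOT_DISABLED: "disabled"}.get(active, "invalid")
        slots.append({"slot": i, "state": state, "iterations": iters,
                      "key_material_offset": km_off, "stripes": stripes})
    return {"cipher": f"{_cstr(cname)}-{_cstr(cmode)}", "hash": _cstr(hspec),
            "key_bytes": key_bytes, "payload_offset": payload_off,
            "mk_digest_iterations": diter, "uuid": _cstr(uuid_raw), "slots": slots}


def active_slots(hdr):
    return [s["slot"] for s in hdr["slots"] if s["state"] == "active"]


def has_fallback_key(hdr):
    """Two or more usable slots: losing one passphrase does not lose the data."""
    return len(active_slots(hdr)) >= 2


def build_sample_header(active=(0, 3)):
    """Constructed LUKS1 header for offline use; values are illustrative."""
    phdr = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"cbc-plain", b"sha1",
                       2056, 32, b"\x11" * 20, bytes(range(32)), 10000,
                       b"4f8c6b1e-0000-4000-8000-000000000001")
    slots = b"".join(
        struct.pack(SLOT_FMT,
                    SLOT_ACTIVE if i in active else SLOT_DISABLED,
                    50000 if i in active else 0,
                    bytes([i]) * 32, 8 + i * 256, 4000)
        for i in range(NUM_SLOTS))
    return phdr + slots


if __name__ == "__main__":
    # Live system (as root): buf = open("/dev/mapper/VG01-crypthome", "rb").read(HEADER_SIZE)
    hdr = parse_luks1_header(build_sample_header())
    print(hdr["cipher"], hdr["hash"], f"{hdr['key_bytes'] * 8}-bit key")
    print("active slots:", active_slots(hdr), "fallback present:", has_fallback_key(hdr))
```

The same information is printed by `cryptsetup luksDump`; the parser is useful when the header has been copied to a file (a header backup is the other half of a recovery plan, since a damaged slot area makes every passphrase useless) or when slot usage is to be checked across many devices.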
 
05-05-2010, 08:17 PM
"Stefan G. Weichinger"

Kernel upgrade and now LUKS failure.

Am 05.05.2010 21:39, schrieb Daniel Troeder:

>> With this password I get a "bad decrypt" so this explains why it
>> fails.
> If you cannot decrypt your keyfile (with openssl) then you have just
> lost any way to decrypt your partition!
>
> But there is an idea in the man page of which I didn't think: did
> you maybe change your users password? If so, you need to use the old
> pw to decrypt the keyfile. If you can, then you can use the new pw to
> encrypt the key again (make backups of the original file).

user-pw not changed, no ...

> There is also the possibility your keyfile was corrupted somehow
> (file system corruption?). Do you have a backup of the keyfile (and
> your data?

Restored the key-file from tape, no diff, no success.
I have some images as backup, would have to look closer ...

> BTW: a LUKS encrypted partition can have 8 keys (in so called "key
> slots"), so that you can add a "fallback key" the next time, which
> you store at a trusted place.

I am pretty sure that I used several slots, yes.

-

Remember that I said: "I am not sure which HOWTO I followed" ?

What if I didn't use aes-256-ecb?

I will try some other ciphers .... ;-)

Oh my, I luv documentation :-)

S
 
05-05-2010, 08:23 PM
"Stefan G. Weichinger"

Kernel upgrade and now LUKS failure.

Am 05.05.2010 22:17, schrieb Stefan G. Weichinger:

> Remember that I said: "I am not sure which HOWTO I followed" ?
>
> What if I didn't use aes-256-ecb?

Yep. See pam_mount.conf.xml:
It's "aes-256-cbc" in my case.

I was now able to luksOpen and I have the decrypted device mounted.

Nice.

So:

the user-pw didn't change and the keyfile is OK.

So why is pam_mount unable to mount it?

I will now pull another backup and check/add fallback keys ;-)

Thanks so far, regards, Stefan
 