PAM configuration on Fedora
This is perhaps more a question, although maybe it's better that the documentation be updated. I am trying to use fscrypt on Fedora and since there are no packages available I compiled it from sources. I managed to make it work with a passphrase protector, but the login protector doesn't work. Documentation says to add pam_fscrypt.so lines to /etc/pam.d/common-auth and /etc/pam.d/common-session. Neither file exists; here's the listing of /etc/pam.d:

```
config-util gdm-password password-auth smartcard-auth system-auth cups gdm-pin polkit-1 sshd systemd-user fingerprint-auth gdm-smartcard postlogin sssd-shadowutils vlock fscrypt liveinst ppp su vmtoolsd gdm-autologin login remote sudo xserver gdm-fingerprint other runuser sudo-i gdm-launch-environment passwd runuser-l su-l
```
I already tried to add the lines to gdm-password, login, passwd, password-auth, system-auth but none of them worked. Also, I don't see any errors in the logs. It's as if the lines get ignored. Any help would be appreciated.
Small addition: I found out that pam_fscrypt.so should be installed to /usr/lib64/security instead of /usr/lib/security, as all other similar modules are there. The problem still remains, though, and auto unlock doesn't work.
Do developers test the software on Fedora at all?
I haven't tested fscrypt on Fedora.
PAM configuration differs between distributions, so issues like this are expected to some extent.
If you can put together a working configuration on Fedora, we'd be glad to add it to the documentation. You can also request that your distro packages fscrypt as an official package, in which case the packager would likely take care of the PAM configuration.
Hello,
First things first, thanks for the wonderful project! I am currently using it to encrypt virtual machine images at rest, and it is working great!
Alas, like OP, I find PAM configuration to be a bit tricky on Fedora. I am also trying to make auto unlock work on Fedora 34, and intend to eventually request a port or port it to Fedora myself.
My test configuration
- New fresh Fedora 34 server installation with gnome-shell
- SELinux disabled (temporarily, until the issue is solved)
- Linux kernel 5.12.13
What works
- Everything related to fscrypt that I have tested
- Allow fscrypt to check your login passphrase (at least when it comes to the login protector). As expected, adding an fscrypt file to /etc/pam.d/fscrypt allows fscrypt to use the login protector.

```
[root@test]# cat /etc/pam.d/fscrypt
auth required pam_unix.so
```
What doesn't (yet)
- Automatically unlock directories when logging in
- Keep login protector in sync with unix passphrase
Fedora specifics
- As correctly pointed out by @yerlaser, Fedora expects the pam_fscrypt.so module to be located in /usr/lib64/security.
- Instead of three separate pam.d conf files (common-password, common-auth and common-session), Fedora seems to rely on only one file, password-auth or system-auth, which seems to include everything provided by the three Ubuntu conf files.
- The content of password-auth and system-auth is almost identical.

According to this forum thread, password-auth uses modules which can be used in remote configuration. We will use this one, but it should be ok to use system-auth too.
```
[root@test]# cat /etc/pam.d/password-auth
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so
auth optional pam_fscrypt.so debug
account required pam_unix.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so
password optional pam_fscrypt.so debug
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_unix.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session optional pam_fscrypt.so drop_caches lock_policies debug
```
Content of /etc/fscrypt.conf:

```
cat /etc/fscrypt.conf
{
"source": "custom_passphrase",
"hash_costs": {
"time": "26",
"memory": "131072",
"parallelism": "2"
},
"options": {
"padding": "32",
"contents": "AES_256_XTS",
"filenames": "AES_256_CTS",
"policy_version": "2"
},
"use_fs_keyring_for_v1_policies": false
}
```
According to the logs below, it seems that fscrypt's AUTHTOK handling cannot access the unix password.
```
[root@test ~]# journalctl -b | grep fscrypt
Jul 07 09:54:22 vdmed kernel: Key type ._fscrypt registered
Jul 07 09:54:22 vdmed kernel: Key type .fscrypt registered
Jul 07 09:54:22 vdmed kernel: Key type fscrypt-provisioning registered
Jul 07 09:54:24 vdmed pam_fscrypt[600]: OpenSession(map[debug:true]) starting
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Session count for UID=42 updated to 1
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[42]
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Setting euid=42 egid=42 groups=[42]
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Current privs (real, effective): uid=(0,42) gid=(0,42) groups=[42]
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Reading config from "/etc/fscrypt.conf"
Jul 07 09:54:24 vdmed pam_fscrypt[600]: creating context for user "gdm"
Jul 07 09:54:24 vdmed pam_fscrypt[600]: found ext4 filesystem "/" (/dev/vda3)
Jul 07 09:54:24 vdmed pam_fscrypt[600]: listing descriptors in "/.fscrypt/protectors"
Jul 07 09:54:24 vdmed pam_fscrypt[600]: found 2 descriptor(s)
Jul 07 09:54:24 vdmed pam_fscrypt[600]: could not read metadata from "/.fscrypt/protectors/41cbb2c50c977db8": open /.fscrypt/protectors/41cbb2c50c977db8: permission denied
Jul 07 09:54:24 vdmed pam_fscrypt[600]: could not read metadata from "/.fscrypt/protectors/a6943dd52cec7cc4": open /.fscrypt/protectors/a6943dd52cec7cc4: permission denied
Jul 07 09:54:24 vdmed pam_fscrypt[600]: no protector to unlock: no PAM protector for UID=42 on "/"
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Setting euid=0 egid=0 groups=[42]
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[42]
Jul 07 09:54:24 vdmed audit[600]: USER_START pid=600 uid=0 auid=42 ses=1 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_fscrypt acct="gdm" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 07 09:54:24 vdmed pam_fscrypt[600]: OpenSession(map[debug:true]) succeeded
Jul 07 09:54:24 vdmed pam_fscrypt[575]: OpenSession(map[debug:true]) starting
Jul 07 09:54:24 vdmed pam_fscrypt[575]: OpenSession(map[debug:true]) failed: open /run/fscrypt/42.count: permission denied
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: OpenSession(map[debug:true]) starting
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Session count for UID=1000 updated to 1
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[1000]
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Setting euid=1000 egid=1000 groups=[1000]
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Current privs (real, effective): uid=(0,1000) gid=(0,1000) groups=[1000]
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Reading config from "/etc/fscrypt.conf"
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: creating context for user "test"
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: found ext4 filesystem "/" (/dev/vda3)
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: listing descriptors in "/.fscrypt/protectors"
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: found 2 descriptor(s)
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: could not read metadata from "/.fscrypt/protectors/41cbb2c50c977db8": open /.fscrypt/protectors/41cbb2c50c977db8: permission denied
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: could not read metadata from "/.fscrypt/protectors/a6943dd52cec7cc4": open /.fscrypt/protectors/a6943dd52cec7cc4: permission denied
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: no protector to unlock: no PAM protector for UID=1000 on "/"
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Setting euid=0 egid=0 groups=[1000]
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[1000]
Jul 07 09:54:32 vdmed audit[1083]: USER_START pid=1083 uid=0 auid=1000 ses=3 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_fscrypt acct="test" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: OpenSession(map[debug:true]) succeeded
Jul 07 09:54:36 vdmed pam_fscrypt[575]: CloseSession(map[debug:true]) starting
Jul 07 09:54:36 vdmed pam_fscrypt[575]: count is 0 and we are not locking
Jul 07 09:54:36 vdmed pam_fscrypt[575]: CloseSession(map[debug:true]) failed: open /run/fscrypt/42.count: permission denied
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: OpenSession(map[debug:true]) starting
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Session count for UID=0 updated to 1
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Current privs (real, effective): uid=(1000,0) gid=(1000,1000) groups=[0]
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Setting euid=0 egid=0 groups=[0]
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Current privs (real, effective): uid=(1000,0) gid=(1000,0) groups=[0]
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Reading config from "/etc/fscrypt.conf"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: creating context for user "root"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: found ext4 filesystem "/" (/dev/vda3)
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: listing descriptors in "/.fscrypt/protectors"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: found 2 descriptor(s)
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: successfully read metadata from "/.fscrypt/protectors/41cbb2c50c977db8"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: successfully read metadata from "/.fscrypt/protectors/a6943dd52cec7cc4"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Getting protector a6943dd52cec7cc4 from option
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: successfully read metadata from "/.fscrypt/protectors/a6943dd52cec7cc4"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: listing descriptors in "/.fscrypt/policies"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: found 3 descriptor(s)
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: successfully read metadata from "/.fscrypt/policies/5a646c836b29ab1cd7a570119e314804"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: got data for 5a646c836b29ab1cd7a570119e314804 from "/"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: successfully read metadata from "/.fscrypt/policies/1e3a25c695b1e4b9fde46f5ee44c9f4a"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: got data for 1e3a25c695b1e4b9fde46f5ee44c9f4a from "/"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: successfully read metadata from "/.fscrypt/policies/032e9d66c10fcf915991a6c0d411d41d"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: got data for 032e9d66c10fcf915991a6c0d411d41d from "/"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: stat /sys/fs/bpf/.fscrypt: operation not permitted
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: stat /sys/fs/bpf/.fscrypt/policies: operation not permitted
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: stat /sys/fs/bpf/.fscrypt/protectors: operation not permitted
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: unlocking 1 policies protected with AUTHTOK
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Setting euid=0 egid=1000 groups=[0]
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Current privs (real, effective): uid=(1000,0) gid=(1000,1000) groups=[0]
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: OpenSession(map[debug:true]) failed: unlocking protector a6943dd52cec7cc4: AUTHTOK data missing: No module specific data is present
```
The problem seems to be how we can apply /usr/local/share/pam-configs/fscrypt to Fedora. For Ubuntu or Debian, there is a tool to do this: pam-auth-update. Knowing what exactly happens during this step might help us make pam_fscrypt.so work on Fedora (or perhaps more accurately, make Fedora work with pam_fscrypt.so).

Any idea how it could be solved?
- Current instructions to build it on Fedora (feel free to hack it): https://docs.phyllo.me/Lv26rFvIS9GmCVIzTm06fw?view
- Current quick instructions to set up fscrypt on Ubuntu (likewise): https://docs.phyllo.me/N30CxBKCTTGyDLf-mQNcjQ?view
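Reading the journal above is easier per PAM conversation than line by line: journalctl tags every line with pam_fscrypt[PID], and each PID is one conversation (gdm's own session, the user's login, the later su). The script below is an added example and not code from the fscrypt project: it groups the lines by PID, records whether each OpenSession/CloseSession call succeeded, and attaches the first recognisable symptom. The sample lines are copied from the log in this thread; the explanation strings are this example's own reading of those symptoms (the AUTHTOK one relies on the fact that pam_fscrypt's session hook reads an authtok its auth hook saved earlier, so "No module specific data is present" means that auth hook did not run for this login).

```python
"""Per-conversation triage of pam_fscrypt debug output from journalctl.

Added example, not part of the fscrypt project. Lines are grouped by the
pam_fscrypt[PID] tag; each group is one PAM conversation.
"""
import re
from collections import OrderedDict

# "Jul 07 09:54:24 vdmed pam_fscrypt[600]: <message>"
LINE_RE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ pam_fscrypt\[(\d+)\]: (.*)$")
CALL_RE = re.compile(r"^(OpenSession|CloseSession)\(.*\) (starting|succeeded|failed)")

# Symptoms in priority order; the first one seen in a conversation is reported.
# The explanations are this example's interpretation, not fscrypt's own text.
SYMPTOMS = [
    (re.compile(r"AUTHTOK data missing"),
     "session hook found no saved authtok: the module's auth hook did not run for "
     "this login, so check where pam_fscrypt.so sits in the auth stack"),
    (re.compile(r"open /run/fscrypt/\d+\.count: permission denied"),
     "session counter in /run/fscrypt not writable: the calling process lacks "
     "privilege, or a MAC policy such as SELinux denies the access"),
    (re.compile(r"could not read metadata from .*: permission denied"),
     "protector metadata unreadable after switching to the user's uid: check "
     "ownership and mode of /.fscrypt/protectors, or SELinux denials"),
    (re.compile(r"no PAM protector for UID=\d+"),
     "no login protector exists for this uid (nothing to unlock; normal for "
     "system accounts such as gdm)"),
]

def triage(lines):
    """Return an ordered {pid: {"calls": [...], "result": str, "symptom": str|None}}."""
    conversations = OrderedDict()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # kernel and audit lines are not pam_fscrypt output
        pid, msg = m.group(1), m.group(2)
        conv = conversations.setdefault(
            pid, {"calls": [], "result": "unknown", "symptom": None})
        call = CALL_RE.match(msg)
        if call:
            hook, state = call.group(1), call.group(2)
            if state == "starting":
                conv["calls"].append(hook)
            else:
                conv["result"] = state
        if conv["symptom"] is None:
            for pattern, explanation in SYMPTOMS:
                if pattern.search(msg):
                    conv["symptom"] = explanation
                    break
    return conversations

def report(conversations):
    """One line per conversation, suitable for a ticket or a runbook check."""
    out = []
    for pid, conv in conversations.items():
        line = "pid %s: %s %s" % (pid, "/".join(conv["calls"]) or "?", conv["result"])
        if conv["symptom"]:
            line += " -- " + conv["symptom"]
        out.append(line)
    return out

# Constructed sample: a subset of the journal lines posted in the thread.
SAMPLE_LOG = """\
Jul 07 09:54:22 vdmed kernel: Key type fscrypt-provisioning registered
Jul 07 09:54:24 vdmed pam_fscrypt[600]: OpenSession(map[debug:true]) starting
Jul 07 09:54:24 vdmed pam_fscrypt[600]: could not read metadata from "/.fscrypt/protectors/41cbb2c50c977db8": open /.fscrypt/protectors/41cbb2c50c977db8: permission denied
Jul 07 09:54:24 vdmed pam_fscrypt[600]: no protector to unlock: no PAM protector for UID=42 on "/"
Jul 07 09:54:24 vdmed pam_fscrypt[600]: OpenSession(map[debug:true]) succeeded
Jul 07 09:54:24 vdmed pam_fscrypt[575]: OpenSession(map[debug:true]) starting
Jul 07 09:54:24 vdmed pam_fscrypt[575]: OpenSession(map[debug:true]) failed: open /run/fscrypt/42.count: permission denied
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: OpenSession(map[debug:true]) starting
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: unlocking 1 policies protected with AUTHTOK
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: OpenSession(map[debug:true]) failed: unlocking protector a6943dd52cec7cc4: AUTHTOK data missing: No module specific data is present
""".splitlines()

if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Run it against `journalctl -b | grep pam_fscrypt` output instead of the sample to get one summary line per login; conversations that end in "succeeded" with the "no login protector" note are system accounts and can be ignored, the "AUTHTOK data missing" ones are the ones to chase.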
Hi, Unfortunately, I gave up after several attempts and had to switch back to Ubuntu because unlocking manually after each restart was too annoying.
Looking at the Ubuntu configs, I found out that the session file looks like this:

```
session optional pam_fscrypt.so drop_caches lock_policies
```

So, there are two additional parameters: drop_caches and lock_policies.
I don't know if that matters, but, if you have a chance, can you check that?
> So, there are two additional parameters: drop_caches and lock_policies. I don't know if that matters, but, if you have a chance, can you check that?
The drop_caches and lock_policies options only affect locking (not unlocking), and they aren't needed with the latest version of fscrypt (they are now no-ops). So they aren't relevant here, as the issue here is with unlocking.
OK, thanks, you saved me a hassle of installing Fedora to check just that. But, sadly, we are at the dead end currently until someone with deeper PAM knowledge comes by.
Hi @luzeal,
Did you try to run authselect or authconfig (https://fedoraproject.org/wiki/Changes/Authselect) to update PAM configuration?
Good news, I have been able to find a good PAM configuration for Fedora (and perhaps by extension other related distributions)!
@yerlaser: thanks for your suggestion, I dove into authselect* and found out that there is an opt-in feature for ecryptfs on certain ready-made profiles such as minimal. I used that as an inspiration to get a working configuration for pam_fscrypt.so. (*authselect now supersedes authconfig and allows an administrator to apply specific authentication schemes on a system).
- Current limitations: it doesn't work with SELinux, so I had to deactivate it completely for now (I don't use it in production yet). More precisely, it seems that SELinux doesn't allow regular users to access the hidden fscrypt folder ./fscrypt where the protector resides.
- What works: everything that I have tested so far, including auto-unlock of encrypted folders on user login and password "synchronization" between fscrypt and the unix password program.
Incomplete walk-through**
- Compile fscrypt from source, ready the targeted ext4 filesystem: `tune2fs -O encrypt /dev/vda3`
- Move pam_fscrypt.so to the correct location: `mv /usr/local/lib/security/pam_fscrypt.so /usr/lib64/security/pam_fscrypt.so`
- Create an fscrypt file under the pam.d directory to let fscrypt check the user password: `echo "auth required pam_unix.so" > /etc/pam.d/fscrypt`
- Create a fscrypt profile based on the minimal template: `authselect create-profile fscrypt --based-on=minimal`
- Select this profile: `authselect select custom/fscrypt --force`
- Modify the content of the password-auth file to match this one (especially when it comes to the pam_fscrypt.so lines):
```
cat /etc/authselect/custom/fscrypt/password-auth
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent {include if "with-faillock"}
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
auth required pam_deny.so
auth optional pam_fscrypt.so debug
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so
password requisite pam_pwquality.so try_first_pass
password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password required pam_deny.so
password optional pam_fscrypt.so debug
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_fscrypt.so debug
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
```
- Modify the content of the system-auth file to match this one:
```
cat /etc/authselect/custom/fscrypt/system-auth
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent {include if "with-faillock"}
auth sufficient pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth required pam_faillock.so authfail {include if "with-faillock"}
auth required pam_deny.so
auth optional pam_fscrypt.so debug
account required pam_access.so {include if "with-pamaccess"}
account required pam_faillock.so {include if "with-faillock"}
account required pam_unix.so
password requisite pam_pwquality.so try_first_pass
password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password required pam_deny.so
password optional pam_fscrypt.so debug
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
session optional pam_fscrypt.so debug
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so {include if "with-mkhomedir"}
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
```
- Modify the content of the postlogin file to match this one:
```
cat /etc/authselect/custom/fscrypt/postlogin
auth optional pam_fscrypt.so debug
auth optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
password optional pam_fscrypt.so debug
password optional pam_ecryptfs.so unwrap {include if "with-ecryptfs"}
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
session optional pam_lastlog.so silent noupdate showfailed
```
- Apply changes: `authselect apply-changes`
- Setup fscrypt: `fscrypt setup`
- Et voilà!
**A more complete walk-through will follow when I am back from holidays next week.
Clearly, pam_fscrypt.so for Fedora and related distributions ought to be implemented as a feature of an existing profile, not as an entire profile. But this will be for another day...
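The difference between the first password-auth attempt earlier in this thread and this walk-through is where pam_fscrypt.so's auth line can actually be reached. The simulator below is an added example, not code from fscrypt, Fedora or authselect: it applies the control-flag rules of pam.conf(5) (required, requisite, sufficient, optional, include, substack, and the bracketed [value=action] form with ok/bad/die/done/ignore and numeric jumps) to service files given as strings and records every module it invokes. It runs the password-auth stack from the first attempt, and a constructed gdm-password-style wrapper (an assumption about how a desktop login service pulls that stack in as a substack and then includes postlogin; compare it with your own /etc/pam.d/gdm-password). Module outcomes are simulated: every module succeeds except pam_deny.so, unless overridden.

```python
"""Which modules of a Linux-PAM stack actually run, and in what order?

Added example; not fscrypt, Fedora or authselect code. Implements the
pam.conf(5) control rules over service files given as strings.
"""
import re

# Keyword controls as their equivalent [value=action] tables (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
LINE_RE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)")

def load(files, service, phase):
    """Rows of one type (auth, session, ...) with 'include' spliced in place;
    'substack' rows are kept and evaluated as a unit by run()."""
    rows = []
    for raw in files[service].splitlines():
        # A leading '-' only silences a missing-module error and does not
        # change control flow, so the regex simply skips it.
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != phase:
            continue
        control, module, args = m.group(2), m.group(3), m.group(4)
        if control == "include":
            rows.extend(load(files, module, phase))
        else:
            rows.append((control, module, args))
    return rows

def action_for(control, success):
    """Map a module result onto the action the control field requests."""
    table = KEYWORDS.get(control)
    if table is None:  # bracketed form: [success=done default=bad ...]
        table = dict(kv.split("=", 1) for kv in control.strip("[]").split())
    key = "success" if success else "default"
    return table.get(key, table.get("default", "bad"))

def run(files, service, phase, outcomes, trace, substack=False):
    """Evaluate one stack; outcomes maps module -> True/False. Returns True,
    False, or None when nothing in a substack set an impression. A substack's
    result is folded into the parent like a required module's (a simplification
    of Linux-PAM's shared impression across stack levels)."""
    rows = load(files, service, phase)
    impression, status = None, None  # None / "pos" / "neg"; last counted result
    i = 0
    while i < len(rows):
        control, module, _args = rows[i]
        i += 1
        if control == "substack":
            result = run(files, module, phase, outcomes, trace, substack=True)
            if result is None:
                continue
            success, act = result, ("ok" if result else "bad")
        else:
            trace.append(module)
            success = outcomes.get(module, module != "pam_deny.so")
            act = action_for(control, success)
        if act == "ignore":
            continue
        if act in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", success
            if act == "die":
                break
        else:  # ok, done, or a numeric jump (a jump is "ok" plus skipping N rows)
            if impression != "neg":
                impression, status = "pos", success
            if act == "done" and impression == "pos":
                break  # sufficient stops the stack unless a required module already failed
            if act.isdigit():
                i += int(act)
    if impression is None:
        return None if substack else False
    return impression == "pos" and status is True

def modules_run(files, service, phase, outcomes=None):
    """(final result, [modules invoked in order]) for one service and phase."""
    trace = []
    return run(files, service, phase, outcomes or {}, trace), trace

# The first Fedora attempt from this thread (auth and session lines only).
FIRST_ATTEMPT = {"password-auth": """
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so
auth optional pam_fscrypt.so debug
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_unix.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session optional pam_fscrypt.so drop_caches lock_policies debug
"""}

# Assumed desktop login service: shared stack as a substack, then postlogin
# (constructed for this example; check your own /etc/pam.d/gdm-password).
WITH_POSTLOGIN = {**FIRST_ATTEMPT,
                  "gdm-password": "auth substack password-auth\nauth include postlogin\n",
                  "postlogin": "auth optional pam_fscrypt.so debug\n"}

if __name__ == "__main__":
    print("first attempt, good password:", modules_run(FIRST_ATTEMPT, "password-auth", "auth"))
    print("with postlogin, good password:", modules_run(WITH_POSTLOGIN, "gdm-password", "auth"))
```

With a correct password, `sufficient pam_unix.so` ends the first stack immediately, so the pam_fscrypt.so line behind pam_deny.so is only reached when authentication fails; an auth hook that never ran has no authtok to hand to the session hook. Putting the line in postlogin, which is included after the substack returns, is what makes it run on successful logins. The same rules show that the `[success=1 default=ignore] pam_succeed_if.so service in crond` line skips the session-phase pam_fscrypt.so line for cron jobs only.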
@luzeal , Man, you're a hero! Have a nice holiday!
Took me a while to figure this out, but I think the easiest way to use fscrypt'ed home directories in Fedora today is using systemd-homed:

```
# enable systemd homed support in pam
authselect enable-feature with-systemd-homed
systemctl enable --now systemd-homed.service
# Then recreate the user
homectl create username --storage=fscrypt
```

That's it.
Note that if no user with uid 1000 exists, gdm will load the initial setup screen on next boot.
You can disable this in /etc/gdm/custom.conf by changing:

```
[daemon]
InitialSetupEnable=false
```
You can use systemd-homed if you want to. Just keep in mind that it's not actually related to this project https://github.com/google/fscrypt. It uses the same kernel functionality, but not the userspace code. The userspace code of systemd-homed is separate and is written by the systemd developers. systemd-homed uses v1 encryption policies instead of v2, so you may encounter the known issues from those.