Bug 302964 - sys-auth/pam_mount-1.33 makes sshd (5.2_p1-r3) segfault when accessing a computer with a LUKS encrypted /home
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
Importance: High normal
Assignee: Hanno Böck
Reported: 2010-01-31 11:35 UTC by Talamona Francesco
Modified: 2010-04-23 14:34 UTC
Attachments
gdb output for sshd (typescript,39.40 KB, text/plain)
2010-01-31 11:40 UTC, Talamona Francesco
fix segfault in session management layer of pam_mount (pam_mount-1.33-session-segfault-fix.diff,562 bytes, patch)
2010-02-05 04:59 UTC, Brett Edgar

Description Talamona Francesco 2010-01-31 11:35:18 UTC
I have a laptop, user home is encrypted with LUKS and gets mounted via pam_mount. Local login and logout work ok, but remote access via ssh doesn't work.

/etc/pam.d/sshd is as follows:

auth            include         system-auth
account         required        pam_nologin.so
account         include         system-auth
password        include         system-auth
session         include         system-auth

[root@shell:/etc/pam.d]$ grep mount system-auth
auth		optional	pam_mount.so
session    optional     pam_mount.so
Comment 1 Talamona Francesco 2010-01-31 11:40:22 UTC
Created attachment 217988 [details]
gdb output for sshd

This session shows two runs. In the first, the user is logged out and his home unmounted; the first attempt is with a wrong password (no segfault), the second with the right password, and that gives the first segfault.
Then comes the second run, with three login attempts: the first triggered by ssh_agent (wrong password), then via pam_mount (wrong password, no segfault), and in the end with the right password. It gives the second segfault.
Comment 2 Talamona Francesco 2010-01-31 11:40:53 UTC
[root@shell:~]$ emerge --info
Portage 2.2_rc61 (default/linux/x86/10.0/developer, gcc-4.3.4, glibc-2.10.1-r1, 2.6.32-gentoo-r3 i686)
=================================================================
System uname: Linux-2.6.32-gentoo-r3-i686-Intel-R-_Core-TM-2_Duo_CPU_T9600_@_2.80GHz-with-gentoo-2.0.1
Timestamp of tree: Sun, 31 Jan 2010 08:15:01 +0000
app-shells/bash:     4.0_p35
dev-java/java-config: 2.1.10
dev-lang/python:     2.6.4
dev-python/pycrypto: 2.1.0_beta1
dev-util/cmake:      2.6.4-r3
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.6.0-r1
sys-apps/sandbox:    2.2
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA PUEL dlj-1.1 sun-bcla-java-vm skype-eula"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=i686 -O1 -ggdb"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=i686 -O1 -ggdb"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests buildpkg candy collision-protect cvs distlocks fixpackages metadata-transfer multilib-strict news parallel-fetch pcre postgres preserve-libs protect-owned sandbox session sfperms sign splitdebug strict unmerge-logs unmerge-orphans userfetch userpriv"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="en_US.UTF-8"
LC_ALL=""
LDFLAGS="-Wl,-O1"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://192.168.3.200/gentoo-portage"
USE="3dnow 3dnowext 7zip X Xaw3d a52 aac aalib acl acpi ada additions akode alsa amr apache2 artswrappersuid asf audiofile bash-completion berkdb blas bluetooth bzip2 cairo ccache cdb cdda cddb cdio cdparanoia cdr cgi chm clearcase cli consolekit cracklib crypt ctype cups curl cvs cxx daap dba dbm dbus dbx devmap dga directfb divx dri dts dv dvb dvd dvdr dvdread edl emboss encode esd evo examples fat fbcon ffmpeg fftw firefox fits flac fmod fortran ftp fuse gcj gd gdbm geos ggi gif gimp glitz glut gmedia gmp gnokii gnutls gocr gpm graphviz grass gs gstreamer gtk gtk2 hal hash haskell hfs httpd iconv imagemagick imlib inotify ipv6 irda irmc jadetex java jfs jpeg jpeg2k kde kde4 kdehiddenvisibility kqemu lcms ldap libcaca libnotify live lm_sensors loop-aes lzo mad madwifi mhash mikmod mmx mng mod modules motif moznocompose moznoirc moznomail moznoxft mp3 mp4 mpeg mpeg2 mplayer msn mssql mtp mudflap musepack musicbrainz mysql mysqli mythtv ncurses netboot network network-cron nls nodrm nokia6600 nptlonly nsplugin ntfs ocrad odbc ogdi ogg old-daemons ole opengl openmp pam pascal pcre pdf perforce perl php png povray ppds pppd python qt3support qt4 quicktime readline reflection reiserfs rtc ruby samba sample sasl scanner screen sdk sdl semantic-desktop sensord session shout skins slang snmp spell spl sql sse sse2 ssl startup-notification stats stream subversion svg svga sysfs syslog t1lib tcltk tcpd tesseract tetex tga theora threads thunar tidy tiff tk truetype type1 unicode usb v4l v4l2 vlm vorbis webkit wifi win32codecs winbind wmp wxgtk1 wxwindows x264 x86 xanim xattr xcb xfs xgetdefault xine xml xmms xorg xosd xpm xscreensaver xulrunner xv xvid xvmc yahoo zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug 
ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel fbdev vesa" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 3 Talamona Francesco 2010-01-31 11:55:37 UTC
I don't know if it's relevant, but when it logs in successfully the user isn't silent:

shell login: yolk
pam_mount password:
Last login: Sun Jan 31 11:11:24 CET 2010 on tty4
pam_mount(mount.c:64): Errors from underlying mount program:
pam_mount(mount.c:68): Command successful.

A failed login is silent.
Comment 4 Dominik Kozaczko 2010-02-04 16:24:00 UTC
Same problem here, but probably not a segfault. I tried to ssh my box from work and it went like this:


$ ssh minder@remote.host -v
OpenSSH_4.3p2 Debian-9etch3, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to remote.host [172.16.15.33] port 65222.
debug1: Connection established.
debug1: identity file /home/minder/.ssh/identity type -1
debug1: identity file /home/minder/.ssh/id_rsa type 1
debug1: identity file /home/minder/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-9etch3
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code H 1

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'remote.host' is known and matches the RSA host key.
debug1: Found key in /home/minder/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/minder/.ssh/identity
debug1: Offering public key: /home/minder/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/minder/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password: 
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
Connection to remote.host closed by remote host.
Connection to remote.host closed.
debug1: Transferred: stdin 0, stdout 0, stderr 95 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 53135.3
debug1: Exit status -1


In sshd_log it looked like this:

Feb  4 17:20:33 [sshd] Accepted keyboard-interactive/pam for minder from 172.16.55.76 port 37707 ssh2
Feb  4 17:20:33 [sshd] pam_unix(sshd:session): session opened for user minder by (uid=0)
Feb  4 17:20:33 [sshd] pam_mount(pam_mount.c:172): conv->conv(...): Conversation error_
Feb  4 17:20:33 [sshd] pam_mount(pam_mount.c:456): warning: could not obtain password interactively either_

Comment 5 Brett Edgar 2010-02-05 04:58:19 UTC
I'm experiencing the same problem on multiple boxes.  I've narrowed the problem down to pam_mount's PAM session management group implementation.  If I comment out the line "session optional pam_mount.so" in /etc/pam.d/system-auth, SSH logins work.

I attached gdb to an SSH process and tracked the error specifically down to the strlen() function call in line 460 of pam_mount.c.  The relevant backtrace is:

Program received signal SIGSEGV, Segmentation fault.
0x00007f97f42c5bd2 in strlen () from /lib/libc.so.6
(gdb) bt
#0  0x00007f97f42c5bd2 in strlen () from /lib/libc.so.6
#1  0x00007f97f1e8a28f in grab_authtok (pamh=0xb2b350) at pam_mount.c:460
#2  0x00007f97f1e8a7e7 in pam_sm_open_session (pamh=0xb2b350, flags=0, argc=0, 
    argv=0x0) at pam_mount.c:594

The strlen() call fails because the authtok variable is NULL.

I think the problem here, if I'm reading the source correctly, is that pam_mount is trying to ask the user for his/her password again in the session layer because the password wasn't, for some reason, stored during the authentication layer.  If it had been successfully stored during the authentication layer, the grab_authtok() function would have exited at line 449.

I presume that: 1) PAM authentication through SSH is somehow not allowing the storage of the password during pam_mount's auth layer; 2) SSH is preventing pam_mount from asking for the password again in the session layer; and 3) pam_mount is subsequently encountering a bug: not checking the validity of the authtok variable before passing it around willy-nilly.

#3 is easy to fix, and I've attached a patch.  Someone with better PAM and OpenSSH knowledge is going to have to investigate #1 and #2.
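
The failure mode described in comment 5, modelled as an added C sketch; it is not pam_mount's source and not the attached patch. All names (`conv_fn`, `conv_tty`, `conv_refused`, the `AT_*` codes) are hypothetical stand-ins, and the passphrase is a constructed value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { AT_OK = 0, AT_CONV_ERR = 1, AT_NO_TOKEN = 2 }; /* sketch-local codes */
typedef int (*conv_fn)(char **reply);   /* hypothetical conversation hook */
static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Succeeds, like a local tty login or su; the passphrase is constructed. */
static int conv_tty(char **reply) {
    *reply = dup_str("constructed-passphrase");
    return *reply ? AT_OK : AT_CONV_ERR;
}

/* Refused, like the "Conversation error" in the sshd log; *reply untouched. */
static int conv_refused(char **reply) { (void)reply; return AT_CONV_ERR; }

/* Unchecked pattern: conversation result ignored, strlen() may get NULL. */
size_t authtok_len_unchecked(const char *stored, conv_fn conv) {
    char *authtok = stored ? dup_str(stored) : NULL;
    if (authtok == NULL)
        conv(&authtok);              /* failure is not acted on */
    size_t n = strlen(authtok);      /* NULL here crashes the host process */
    free(authtok);
    return n;
}

/* Checked pattern: fail this step instead of dereferencing NULL. */
int grab_authtok_checked(const char *stored, conv_fn conv, char **out) {
    char *authtok = stored ? dup_str(stored) : NULL;
    int rc = AT_OK;
    if (authtok == NULL && conv(&authtok) != AT_OK) rc = AT_CONV_ERR;
    else if (authtok == NULL || authtok[0] == '\0') rc = AT_NO_TOKEN;
    if (rc != AT_OK) { free(authtok); authtok = NULL; }
    *out = authtok;                  /* caller frees on AT_OK */
    return rc;
}

int main(void) {
    char *tok = NULL;
    int rc = grab_authtok_checked(NULL, conv_refused, &tok);
    printf("refused conversation -> rc=%d, token=%p\n", rc, (void *)tok);
    return 0;
}
```

Because a PAM module runs inside the calling daemon's process, the unchecked path takes the whole sshd child down rather than failing one optional session module.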
Comment 6 Brett Edgar 2010-02-05 04:59:04 UTC
Created attachment 218485 [details, diff]
fix segfault in session management layer of pam_mount
Comment 7 Brett Edgar 2010-02-05 05:06:20 UTC
(In reply to comment #6)
> Created an attachment (id=218485) [details]
> fix segfault in session management layer of pam_mount
> 

FYI, I've reported the bug and submitted this patch to upstream: http://sourceforge.net/tracker/?func=detail&aid=2946351&group_id=41452&atid=430593
Comment 8 Talamona Francesco 2010-02-06 11:45:09 UTC
Thanks Brett, I think we are getting somewhere.
I tried the patch, and reverted PAM config files to use pam_mount (in the meantime, as a workaround, I had UsePAM disabled in /etc/ssh/sshd_config).

Now I can log in via ssh, but the encrypted partition still isn't automounted.

Feb  6 12:29:27 shell sshd[12930]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.200  user=yolk
Feb  6 12:29:36 shell sshd[12928]: Accepted keyboard-interactive/pam for yolk from 192.168.3.200 port 59614 ssh2
Feb  6 12:29:36 shell sshd[12928]: pam_unix(sshd:session): session opened for user yolk by (uid=0)
Feb  6 12:29:36 shell sshd[12928]: pam_mount(pam_mount.c:172): conv->conv(...): Conversation error
Feb  6 12:29:36 shell sshd[12928]: pam_mount(pam_mount.c:456): warning: could not obtain password interactively either
Feb  6 12:29:37 shell sshd[12928]: pam_mount(mount.c:64): Errors from underlying mount program:
Feb  6 12:29:37 shell sshd[12928]: pam_mount(mount.c:68): Command failed: No key available with this passphrase.
Feb  6 12:29:37 shell sshd[12928]: pam_mount(mount.c:68):
Feb  6 12:29:37 shell sshd[12928]: pam_mount(pam_mount.c:501): mount of /dev/sda6 failed

But then, as I'm logged in, it's possible to get pam_mount to mount the partition "su-ing" the user as himself

yolk@shell / $ su - yolk
pam_mount password:
pam_mount(mount.c:64): Errors from underlying mount program:
pam_mount(mount.c:68): Command successful.

in /var/log/messages:
Feb  6 12:31:15 shell su[12993]: Successful su for yolk by yolk
Feb  6 12:31:15 shell su[12993]: + pts/0 yolk:yolk
Feb  6 12:31:15 shell su[12993]: pam_unix(su:session): session opened for user yolk by yolk(uid=501)
Feb  6 12:31:16 shell su[12993]: pam_mount(mount.c:64): Errors from underlying mount program:
Feb  6 12:31:16 shell su[12993]: pam_mount(mount.c:68): Command successful.
Feb  6 12:31:16 shell kernel: kjournald starting.  Commit interval 5 seconds
Feb  6 12:31:16 shell kernel: EXT3 FS on dm-1, internal journal
Feb  6 12:31:16 shell kernel: EXT3-fs: mounted filesystem with writeback data mode.

Comment 9 shinydoofy 2010-04-18 17:26:02 UTC
(In reply to comment #8)
> Now I can log in via ssh, but the encrypted partition still isn't automounted

I had just the same issue (besides the segfault) and was able to fix it by deactivating ChallengeResponseAuthentication in /etc/ssh/sshd_config.

This, however, was with pam_mount 1.36. See bug 315991 and bug 315993 to fix this one.
Comment 10 Hanno Böck gentoo-dev 2010-04-23 14:34:43 UTC
So hopefully this is fixed with 2.0. If not, please re-open.