Encrypted device is not mounted with pam_mount 2.0 or 2.1. Same device is mounted correctly with pam_mount 1.33

Reproducible: Always

Steps to Reproduce:
1. emerge "=pam_mount-2.1"
2. login as user mentioned in /etc/security/pam_mount.conf.xml
3. device is not decrypted and mounted

Actual Results:
device is not decrypted. Error message in /var/log/messages:

```
pam_mount(mount.c:64): Errors from underlying mount program:
pam_mount(mount.c:68): crypt_activate_by_passphrase: Operation not permitted
```

Expected Results:
device should be decrypted and mounted

Test of mount.crypt:

```
# pam_mount-2.1
# mount.crypt -v -o fsk_cipher=aes-256-cbc,fsk_hash=md5,keyfile=/etc/security/verysekrit.key /dev/VG01/crypthome /mnt/gschwind
command: 'readlink' '-fn' '/dev/VG01/crypthome'
command: 'readlink' '-fn' '/mnt/gschwind'
Password:
mount.crypt(crypto-dmc.c:144): Using _dev_dm_0 as dmdevice name
crypt_activate_by_passphrase: Operation not permitted
```

Same command works fine with pam_mount-1.33

--->

```
# emerge --info
Portage 2.1.8.3 (default/linux/x86/10.0/desktop, gcc-4.4.3, glibc-2.11.1-r0, 2.6.33-tuxonice-r2 i686)
=================================================================
System uname: Linux-2.6.33-tuxonice-r2-i686-Intel-R-_Core-TM-2_Duo_CPU_T8100_@_2.10GHz-with-gentoo-2.0.1
Timestamp of tree: Fri, 07 May 2010 08:00:01 +0000
distcc 3.1 i686-pc-linux-gnu [disabled]
ccache version 2.4 [enabled]
app-shells/bash: 4.1_p5
dev-java/java-config: 1.3.7-r1, 2.1.11
dev-lang/python: 2.5.4-r4, 2.6.5-r2, 3.1.2-r3
dev-python/pycrypto: 2.1.0
dev-util/ccache: 2.4-r8
dev-util/cmake: 2.8.1-r1
sys-apps/baselayout: 2.0.1
sys-apps/openrc: 0.6.1-r1
sys-apps/sandbox: 2.2
sys-devel/autoconf: 2.13, 2.65
sys-devel/automake: 1.9.6-r2, 1.10.3, 1.11.1
sys-devel/binutils: 2.20.1
sys-devel/gcc: 4.4.3-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.6b
virtual/os-headers: 2.6.33
ACCEPT_KEYWORDS="x86 ~x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests ccache distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="de_DE.UTF-8"
LC_ALL="de_DE.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="de en"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise /usr/portage/local/layman/vmware /usr/local/portage"
SYNC="rsync://172.32.99.6/gentoo-portage"
USE="X a52 aac aalib acl acpi alsa avahi avi berkdb bitmap-fonts bluetooth branding bzip2 cairo cdparanoia cdr cli consolekit cracklib crypt cups cxx dbus divx4linux dri dts dv dvd dvdr dvdread emboss encode exif fam ffmpeg firefox flac fortran gdbm gif gnome gnome-keyring gpm gtk hal hdaps howl iconv ipv6 jpeg lame lcms libnotify live mad mikmod mjpeg mmx mng modules mp3 mp4 mpeg mudflap ncurses nls nptlonly ogg opengl openmp pam pango pcre pda pdf perl png ppds pppd python qt3support quicktime readline reflection sdl session spell spl sse sse2 ssl startup-notification svg sysfs tcpd tetex tiff truetype truetype-fonts type1-fonts unicode usb vcd vidix vorbis win32codecs x264 x86 xcb xml xmms xorg xulrunner xv xvid zlib"
ALSA_CARDS="hda-intel intel8x0 intel8x0m"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="evdev synaptics keyboard mouse"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="de en"
RUBY_TARGETS="ruby18"
USERLAND="GNU"
VIDEO_CARDS="nvidia"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
```

--

```
# cat /etc/security/pam_mount.conf.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!-- See pam_mount.conf(5) for a description. -->
<pam_mount>

<!-- debug should come before everything else,
     since this file is still processed in a single pass
     from top-to-bottom -->
<debug enable="0" />

<!-- Volume definitions -->
<!-- <volume user="username" path="/dev/mmcblk0p1" mountpoint="/mnt/mmc" fstype="auto" /> -->
<volume user="sgw" path="/dev/mapper/VG01-crypthome" mountpoint="/home/sgw" fstype="crypt" options="data=journal,commit=15" cipher="aes-cbc-plain" fskeypath="/etc/security/verysekrit.key" fskeycipher="aes-256-cbc" fskeyhash="md5" />

<!-- pam_mount parameters: General tunables -->
<debug enable="0" />
<!-- <luserconf name=".pam_mount.conf.xml" /> -->

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!-- <mntoptions deny="suid,dev" />
     <mntoptions allow="*" />
     <mntoptions deny="*" /> -->
<mntoptions require="nosuid,nodev" />

<path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
<logout wait="0" hup="0" term="0" kill="0" />

<!-- pam_mount parameters: Volume-related -->
<mkmountpoint enable="1" remove="true" />

</pam_mount>
```

---

```
# cat /etc/pam.d/system-auth
auth        required    pam_env.so
auth        required    pam_unix.so try_first_pass likeauth nullok
auth        optional    pam_mount.so
auth        optional    pam_gnome_keyring.so
account     required    pam_unix.so
password    required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password    optional    pam_gnome_keyring.so
password    required    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
session     required    pam_limits.so
session     optional    pam_gnome_keyring.so auto_start
session     required    pam_env.so
session     required    pam_unix.so
session     optional    pam_permit.so
session     optional    pam_mount.so
```
## Output with pam_mount-1.33

-->

```
# mount.crypt -v -o fsk_cipher=aes-256-cbc,fsk_hash=md5,keyfile=/etc/security/verysekrit.key /dev/VG01/crypthome /mnt/gschwind
command: [readlink] [-fn] [/dev/VG01/crypthome]
command: [readlink] [-fn] [/mnt/gschwind]
Password:
mount.crypt(crypto-dmc.c:145): Using _dev_dm_0 as dmdevice name
command: [cryptsetup] [luksOpen] [/dev/dm-0] [_dev_dm_0]
Schlüsselfach 0 entsperrt.
command: [mount] [-n] [/dev/mapper/_dev_dm_0] [/mnt/gschwind]
```
Which version of cryptsetup is installed on your system?
(In reply to comment #2)
> Which version of cryptsetup is installed on your system?

1.1.1_rc1
As discussed in the following bug report, this is not an issue of pam_mount, but rather of pam_mount no longer using the cryptsetup command line program. Using the cryptsetup command line program stripped off everything after the first newline in the passphrase, and, hence, you get a different passphrase now: https://sourceforge.net/tracker/?func=detail&atid=430593&aid=2997185&group_id=41452
(In reply to comment #4)
> As discussed in the following bug report, this is not an issue of pam_mount,
> but rather of pam_mount no longer using the cryptsetup command line program.
> Using the cryptsetup command line program stripped off everything after the
> first newline in the passphrase, and, hence, you get a different passphrase
> now:
>
> https://sourceforge.net/tracker/?func=detail&atid=430593&aid=2997185&group_id=41452
>

What should I say ... ? I was really sure that there was no newline in my hexdumped key when jengelh asked me so in the thread on gentoo-users. Your link and his posting mentioning:

```
openssl aes-256-ecb -d -in ritschi.key | perl -pe 's/\n//gs' | openssl aes-256-cbc >new.key
```

made me have another look. Today there really was a newline, I just don't know ... I substituted the key and pam_mount-2.1 mounted the encrypted volume OK, even after a fresh boot. Thanks very much! I'm changing this ticket to WORKSFORME ;-)

Stefan
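To make the cause from comment #4 and the fix from comment #5 concrete, here is an added example (not code from pam_mount or from this report) that models the two passphrase paths over a constructed key buffer, locates embedded newlines in a decrypted fskey, and applies the same normalization as the `perl -pe 's/\n//gs'` one-liner. It assumes the fskey has already been decrypted from its openssl aes-256-cbc/md5 container into raw bytes; no real key material is used.

```python
# Added example: model of the passphrase mismatch behind
# "crypt_activate_by_passphrase: Operation not permitted".
# Assumes the fskey is already decrypted (the openssl step) into raw
# bytes; SAMPLE_KEY below is constructed, not a real key.


def passphrase_via_cli(fskey: bytes) -> bytes:
    """pam_mount 1.x piped the key into cryptsetup(8), which reads a
    passphrase from stdin only up to the first newline. Anything after
    it was dropped, so the LUKS slot was enrolled with this prefix."""
    return fskey.split(b"\n", 1)[0]


def passphrase_via_library(fskey: bytes) -> bytes:
    """pam_mount 2.x calls crypt_activate_by_passphrase() with the
    buffer and its length, so every byte, newline included, is part
    of the passphrase checked against the key slot."""
    return bytes(fskey)


def newline_offsets(fskey: bytes) -> list:
    """Byte offsets of every 0x0A in the key (what to look for in a
    hexdump of the decrypted fskey)."""
    return [i for i, b in enumerate(fskey) if b == 0x0A]


def normalize_fskey(fskey: bytes) -> bytes:
    """Same effect as perl -pe 's/\\n//gs' from comment #5: drop every
    newline so both code paths see the same passphrase."""
    return fskey.replace(b"\n", b"")


def diagnose(fskey: bytes) -> dict:
    """Compare the CLI-era and library-era passphrases. If
    normalized_matches_cli is False (a newline with key bytes after
    it), stripping newlines will NOT reproduce the enrolled
    passphrase; only the prefix before the first newline will."""
    cli, lib = passphrase_via_cli(fskey), passphrase_via_library(fskey)
    return {
        "newline_offsets": newline_offsets(fskey),
        "passphrases_match": cli == lib,
        "dropped_bytes": len(lib) - len(cli),
        "normalized_matches_cli": normalize_fskey(fskey) == cli,
    }


# Constructed sample: a 16-byte key with a trailing "\n" appended by
# the tool that produced it, the situation found in the hexdump.
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff") + b"\n"

if __name__ == "__main__":
    print(diagnose(SAMPLE_KEY))
    print(diagnose(normalize_fskey(SAMPLE_KEY)))
```

Run it against your own decrypted fskey (read the file in binary mode) to see whether the two paths disagree and whether normalizing is enough to restore the passphrase the key slot was enrolled with.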
(In reply to comment #5)
> (In reply to comment #4)
> > As discussed in the following bug report, this is not an issue of pam_mount,
> > but rather of pam_mount no longer using the cryptsetup command line program.

pam_mount-2.4 did not work for me again ... even as I edited/corrected my keys etc. as mentioned above. Going back to 2.1 helped ...
(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #4)
> > > As discussed in the following bug report, this is not an issue of pam_mount,
> > > but rather of pam_mount no longer using the cryptsetup command line program.
>
> pam_mount-2.4 did not work for me again ... even as I edited/corrected my keys
> etc. as mentioned above. Going back to 2.1 helped ...

Umm, false alarm somehow: had that problem this morning, went back to 2.1 ... now after posting the last comment I re-emerged 2.4 to reproduce the problem and debug-logs. Now it works ... even after a reboot. Sorry for the noise .... Let's wait and see if others hit that as well?
false alarm, closing