
LUKS encrypted partition requires two passwords

asked 2015-03-23 05:22:34 -0500

pnadk

updated 2015-03-23 05:23:19 -0500

I have set up LUKS or dm-crypt on a partition on an external USB disk. When I log on I am prompted for the password to decrypt the partition as I would expect. But when I enter the password, I am then prompted for my regular password with the message "authentication required to mount partition". Is there a way to avoid this second step?


1 Answer


answered 2015-07-10 11:20:26 -0500

BRPocock

updated 2015-07-10 11:24:50 -0500

Setting aside the security implications of allowing arbitrary users to mount disks on your system for a moment, let's suppose that you do want to do this.

I'd recommend, first, ensuring that the user is a member of a trusted group. For a small system, the normal wheel group (set by the “Administrative user” switch in the Settings program) is probably sufficient.

The Policy Kit provides authorizations and asks your shell to prompt for your password. (Its manual is on your system — eg, in Gnome Help hit Control+L, then type man:polkit, or from a terminal, type man polkit)

The following is one example from that manual:

  // Allow users in group 'engineers' to perform any operation on
  // some drives without having to authenticate
  //
  polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.freedesktop.udisks2.") == 0 &&
        action.lookup("drive.vendor") == "SEAGATE" &&
        action.lookup("drive.model") == "ST3300657SS" &&
        subject.isInGroup("engineers")) {
            return polkit.Result.YES;
        }
    });

The variation that might work particularly for you, would be:

  // Allow members of 'wheel' to mount system partitions without
  // being asked for their password again
  polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.freedesktop.udisks2.filesystem-mount-system") == 0 &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
        }
    });

To enable this policy, write it to a file, then use this command to install it into the policy directory:

  sudo tee /etc/polkit-1/rules.d/99-local.rules < your-local-file

(The use of sudo tee will ensure that the policy file has the correct security context; you could also do sudo mv your-local-file /etc/polkit-1/rules.d/99-local.rules && sudo restorecon /etc/polkit-1/rules.d/99-local.rules for a similar effect.)

PS — to determine the action.id for some action, look through the files in /usr/share/polkit-1/actions. They're XML files that have all of the actions and the translations into human languages.
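To see what the two rules above actually grant before installing them, here is an added example (not part of the answer or of polkit itself): a small stand-in for the polkit rule API, with `makeAction`, `makeSubject`, `evaluate` and `check` as assumed helpers, so the rules can be exercised offline with sample action ids and group memberships. Only `addRule`, `Result`, `action.id`, `action.lookup` and `subject.isInGroup` mirror the real API; any action id you test beyond `filesystem-mount-system` should be confirmed against the files in /usr/share/polkit-1/actions.

```javascript
// Added example (not from the answer): a small stand-in for the polkit rule
// API so a rule can be exercised offline before installing it under
// /etc/polkit-1/rules.d/. Like polkitd, evaluate() takes the first rule that
// returns a result; NOT_HANDLED falls through to the .policy defaults, which
// is what produces the "authentication required" prompt.
const rules = [];
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
  addRule(fn) { rules.push(fn); },
};
// Minimal action/subject objects with just the methods the rules use.
function makeAction(id, details = {}) {
  return { id, lookup: (key) => (key in details ? details[key] : null) };
}
function makeSubject(groups) {
  return { isInGroup: (g) => groups.includes(g) };
}
// First rule that returns something other than NOT_HANDLED wins.
function evaluate(action, subject) {
  for (const rule of rules) {
    const r = rule(action, subject);
    if (r !== undefined && r !== polkit.Result.NOT_HANDLED) return r;
  }
  return polkit.Result.NOT_HANDLED;
}
// Narrow rule from the answer: wheel members may mount system partitions.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.freedesktop.udisks2.filesystem-mount-system") == 0 &&
      subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
});
// Prefix rule from the manual. Note that "org.freedesktop.udisks2." matches
// every udisks2 action on that drive (not only mounting), so it grants more
// than the narrow rule above.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.freedesktop.udisks2.") == 0 &&
      action.lookup("drive.vendor") == "SEAGATE" &&
      action.lookup("drive.model") == "ST3300657SS" &&
      subject.isInGroup("engineers")) {
    return polkit.Result.YES;
  }
});
// Try an (action id, groups, drive details) triple against the rule set.
function check(id, groups, details) {
  return evaluate(makeAction(id, details), makeSubject(groups));
}
```

A NOT_HANDLED result means polkit would fall back to the action's default in its .policy file, i.e. the password prompt the question describes.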


Comments

Would you expand on the security implications, taking into account that USB drives are being mounted automatically without the need for extra authorization? But the same drive requires a password when connected directly (SATA). Do you know why that is? And I'm not claiming there are no security implications, I'm just being curious.

teodor (2015-07-15 14:05:48 -0500)

Mostly having to do with file permissions and capabilities. A typical FAT32 USB stick has only “read-only” or not permissions; but mounting an ext[234] filesystem, one must consider: file owner UIDs matching up with the local system UIDs (or not); +s permissions (setuid/setgid); device special files; security contexts; capabilities; ACLs; and more. Mounting with nosuid,nodev,noexec lowers the profile of possible problems a great deal, however.

BRPocock (2015-07-15 14:10:10 -0500)

Thanks for your answer @BRPocock

teodor (2015-07-16 10:12:11 -0500)


Stats

Asked: 2015-03-23 05:22:34 -0500

Seen: 341 times

Last updated: Jul 10 '15