1

ecryptfs-mount-private not working on F26

asked 2017-08-05 20:02:09 +0000

blueser gravatar image

I had been successfully using ecryptfs-mount-private with F25 but, for some reason, it doesn't work anymore on F26.

Even before it prompts for my login password to unwrap the mount password, this appears in the system log (watched with journalctl -f):

Aug 05 16:36:33 localhost.localdomain kernel: Could not find key with description: [xxx]
Aug 05 16:36:33 localhost.localdomain kernel: process_request_key_err: No key
Aug 05 16:36:33 localhost.localdomain kernel: Could not find valid key in user session keyring for sig specified in mount option: [xxx]
Aug 05 16:36:33 localhost.localdomain kernel: One or more global auth toks could not properly register; rc = [-2]
Aug 05 16:36:33 localhost.localdomain kernel: Error parsing options; rc = [-2]

The description xxx for the key is correct BTW.

After I enter my login password, the output is:

Inserted auth tok with sig [xxx] into the user session keyring
mount: No such file or directory

(again, xxx is correct)

and the same errors appear in the system log:

Aug 05 16:36:54 localhost.localdomain kernel: Could not find key with description: [xxx]
Aug 05 16:36:54 localhost.localdomain kernel: process_request_key_err: No key
Aug 05 16:36:54 localhost.localdomain kernel: Could not find valid key in user session keyring for sig specified in mount option: [xxx]
Aug 05 16:36:54 localhost.localdomain kernel: One or more global auth toks could not properly register; rc = [-2]
Aug 05 16:36:54 localhost.localdomain kernel: Error parsing options; rc = [-2]

If I mount ~/Private as root (with "sudo mount -t ecryptfs ~/.Private ~/Private"), it asks all the usual questions, but it works:

Select key type to use for newly created files: 
 1) pkcs11-helper
 2) tspi
 3) passphrase
Selection: 3
Passphrase: 
Select cipher: 
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 
Select key bytes: 
 1) 16
 2) 32
 3) 24
Selection [16]: 
Enable plaintext passthrough (y/n) [n]: 
Enable filename encryption (y/n) [n]: 
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=xxx
Mounted eCryptfs

Does anyone know what's wrong with ecryptfs-mount-private? BTW my user is in the ecryptfs group.


Comments

This may be an issue with SELinux, look here and this. Not an expert on ecryptfs but it seems to me an SELinux issue. Good luck.

aeperezt ( 2017-08-06 00:02:38 +0000 )edit

Ouch X-{ thanks for the insight, will try to find some SELinux gurus to help me out...

blueser ( 2017-08-07 21:27:39 +0000 )edit

6 answers

1

answered 2017-08-08 00:21:15 +0000

sixpack13 gravatar image

updated 2017-08-08 01:26:06 +0000

Don't know if "setsebool -P use_ecryptfs_home_dirs 1" will break something.

I fetched the setsebool command years ago from the internet and can't find it anymore - maybe obsolete -

I guess you are able to reset it via

setsebool -P use_ecryptfs_home_dirs 0

see https://www.mankier.com/8/setsebool

Update: tested my setting with use_ecryptfs_home_dirs 0. No impairments mounting ecryptfs dirs, so far. Obsolete?

Note: my F26-box is an upgrade from F25, ecryptfs works fine.

What about:
- create a testuser
- passwd testuser
- sudo usermod -a -G ecryptfs testuser
- login as testuser
- ecryptfs-setup-private
- passphrase same as userpasswd
- logoff
- logon
- /home/testuser/Private/ mounted ???

yes => ecryptfs works in general => you've got a problem with your initial user: key, passwd, passphrase, ...

no => to be fixed first


Comments

That's indeed a good suggestion (try it with a different -- brand new -- user). I will do it, thanks for suggesting it. For the record, my F26 is a brand new installation, I only preserved /home from F25 (could this be the cause for some obscure SELinux problem?)

blueser ( 2017-08-09 00:34:41 +0000 )edit

You were right in your assumption: trying it from scratch, on a brand new user, works :-/ Now I have to find out how the hell I am supposed to understand what is wrong with my home dir (or, more specifically, with ~/.Private and ~/Private), since ecryptfs-verify says everything is all right... my guess is something odd related to SELinux, but that's something totally obscure for me. Any advice?

blueser ( 2017-08-09 01:30:02 +0000 )edit
1

answered 2017-08-11 21:26:10 +0000

blueser gravatar image

I finally did some proper testing, and got some valuable information.

There are a couple of things going on:

  • ecryptfs-mount-private DOES WORK if the passphrase signature is (also?) on ROOT's keyring
  • ecryptfs-mount-private increases /dev/shm/ecryptfs-costa-Private even if it fails
  • ecryptfs-umount-private decreases /dev/shm/ecryptfs-costa-Private even if it fails

Here's the evidence I gathered:

~ keyctl list @u
keyring is empty
~ sudo keyctl list @u
[sudo] password for costa: 
keyring is empty
~ cat /dev/shm/ecryptfs-costa-Private 
0

Ok, so the passphrase signature isn't in any keyring, and the ~/Private mount count is 0

~ ecryptfs-mount-private 
Enter your login passphrase:
Inserted auth tok with sig [XXX] into the user session keyring
mount: No such file or directory
~ cat /dev/shm/ecryptfs-costa-Private 
1

?!? something's fishy.

~ ecryptfs-mount-private 
Enter your login passphrase:
Inserted auth tok with sig [XXX] into the user session keyring
mount: No such file or directory
~ cat /dev/shm/ecryptfs-costa-Private 
3

Apparently, it will keep incrementing it indefinitely.

~ ecryptfs-umount-private 
Sessions still open, not unmounting
~ cat /dev/shm/ecryptfs-costa-Private 
2

Mmmh... it fails, but it decreases the (bogus) counter anyway. One bug compensates the other.

~ ecryptfs-umount-private 
Sessions still open, not unmounting
~ cat /dev/shm/ecryptfs-costa-Private 
1

And now it worked. All "sessions" disappeared.

~ ecryptfs-umount-private 
~ cat /dev/shm/ecryptfs-costa-Private 
0
~ ecryptfs-umount-private 
~ cat /dev/shm/ecryptfs-costa-Private 
0

At least it doesn't go below 0! =) Now, let's see what happens if I add the passphrase signature to root's keyring:

~ sudo ecryptfs-add-passphrase 
Passphrase: 
Inserted auth tok with sig [XXX] into the user session keyring
~ ecryptfs-mount-private 
Enter your login passphrase:
Inserted auth tok with sig [XXX] into the user session keyring

And now ecryptfs-mount-private worked!

~ cat /dev/shm/ecryptfs-costa-Private 
1
~ ecryptfs-umount-private

All seems to be as expected.

~ ecryptfs-mount-private 
Enter your login passphrase:
Inserted auth tok with sig [XXX] into the user session keyring
~ ecryptfs-umount-private 
~ sudo keyctl list @u
1 key in keyring:
438925633: --alswrv     0     0 user: XXX

But if I remove the passphrase signature from root's keyring...

~ sudo keyctl unlink 438925633 @u
~ sudo keyctl list @u
keyring is empty
~ ecryptfs-mount-private 
Enter your login passphrase:
Inserted auth tok with sig [XXX] into the user session keyring
mount: No such file or directory

... it starts failing again.

I'll file a bug report.


Comments

Care to publish the link to the bug report here?

sixpack13 ( 2017-08-12 17:46:21 +0000 )edit
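A small triage helper, added here and not part of the thread or of ecryptfs-utils, that turns the checks in the answer above into commands: whether the sig stored in ~/.ecryptfs/Private.sig is present in the user session keyring, and whether the /dev/shm/ecryptfs-$USER-Private session counter agrees with what /proc/mounts actually shows. The pure functions take their input as arguments so they can be run on constructed output; `triage` reads the live system and assumes the standard ecryptfs-utils file layout (Private.sig, the /dev/shm counter named after the user), which is an assumption, not something the thread states.

```shell
#!/bin/sh
# Added triage helper (not from the original thread or ecryptfs-utils).
# Assumptions: ~/.ecryptfs/Private.sig holds the mount passphrase sig and the
# session counter lives in /dev/shm/ecryptfs-<user>-Private, as in the thread.

# sig_in_keyring SIG KEYCTL_OUTPUT -> 0 if "user: SIG" appears in `keyctl list @u` output
sig_in_keyring() {
    printf '%s\n' "$2" | grep -q "user: $1\$"
}

# mounted_count MOUNTS_TEXT MOUNTPOINT -> number of ecryptfs entries mounted on MOUNTPOINT
# (MOUNTS_TEXT is the content of /proc/mounts: "src mountpoint fstype opts 0 0")
mounted_count() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp && $3 == "ecryptfs" { n++ } END { print n+0 }'
}

# counter_consistent COUNTER MOUNTS_TEXT MOUNTPOINT
# -> 0 when counter==0 and nothing is mounted, or counter>0 and the dir is mounted;
#    1 otherwise, i.e. the drift seen above (counter at 3 while nothing is mounted)
counter_consistent() {
    n=$(mounted_count "$2" "$3")
    if [ "$1" -eq 0 ] && [ "$n" -eq 0 ]; then return 0; fi
    if [ "$1" -gt 0 ] && [ "$n" -gt 0 ]; then return 0; fi
    return 1
}

# triage: run the two checks against the live system for the current user
triage() {
    user=$(id -un)
    sig=$(head -n1 "$HOME/.ecryptfs/Private.sig") || { echo "no $HOME/.ecryptfs/Private.sig"; return 1; }
    keys=$(keyctl list @u 2>/dev/null)
    if sig_in_keyring "$sig" "$keys"; then
        echo "sig $sig: present in user session keyring (@u)"
    else
        echo "sig $sig: NOT in user session keyring (@u); run ecryptfs-add-passphrase or check pam_ecryptfs"
    fi
    counter=$(cat "/dev/shm/ecryptfs-$user-Private" 2>/dev/null || echo 0)
    if counter_consistent "$counter" "$(cat /proc/mounts)" "$HOME/Private"; then
        echo "session counter $counter agrees with /proc/mounts"
    else
        echo "session counter $counter DISAGREES with /proc/mounts (stale /dev/shm/ecryptfs-$user-Private)"
    fi
}

case "${1:-}" in triage) triage ;; esac
```

Run it as `sh ecryptfs-triage.sh triage` as the affected user; a counter that disagrees with /proc/mounts is the stale-session condition behind "Sessions still open, not unmounting".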
0

answered 2017-08-11 16:22:56 +0000

sixpack13 gravatar image

updated 2017-08-11 17:14:16 +0000

ls -dZ .ecryptfs/ Private/ .Private

unconfined_u:object_r:ecryptfs_t:s0 .ecryptfs/      
system_u:object_r:ecryptfs_t:s0      Private/
unconfined_u:object_r:ecryptfs_t:s0 .Private

setsebool -P use_ecryptfs_home_dirs 1

has no influence on the above output

/home is a separate partition, if this matters

Hints/Questions:

- why does this editor always squeeze the first underscores in the setsebool command?
- why doesn't this editor sort comments and answers in a sequenced series?
- why are comments not formattable?
0

answered 2017-08-09 02:00:37 +0000

blueser gravatar image

After last suggestion by sixpack13, I tried this:

  1. created a backup of (unencrypted) ~/.Private contents
  2. rm -fr ~/.Private ~/Private ~/.ecryptfs
  3. ecryptfs-setup-private -n --noautomount

The output was:

Enter your login passphrase [costa]: 
Enter your mount passphrase [leave blank to generate one]: 
Enter your mount passphrase (again): 
[snip]
INFO: /home/costa/Private will not be mounted on login
/usr/sbin/restorecon
/usr/sbin/restorecon

Done configuring.

Testing mount/write/umount/read...
Inserted auth tok with sig [xxx] into the user session keyring
Sessions still open, not unmounting
Sessions still open, not unmounting
ERROR:  Could not unmount private ecryptfs directory

Those last three lines were suspicious. I tried ecryptfs-umount-private, and it failed the same way. Then, I checked with 'mount' and ~/.Private was correctly mounted on ~/Private (which was a good sign). I started searching system logs for some info, but after a couple of minutes, I tried ecryptfs-umount-private, and this time it worked! It does appear that some sessions (?) were indeed still open, and after a couple of minutes they went out of the way, and things went back to normal. Now ecryptfs-mount-private and ecryptfs-umount-private work as expected.

I still don't know what exactly was wrong but, AFAICS, the problem is solved now =)

Thanks to all who tried to help, especially sixpack13.


Comments

Unfortunately, it seems I spoke too soon :-( I just turned my machine back on, and the problem is back:

ecryptfs-mount-private 
Enter your login passphrase:
Inserted auth tok with sig [xxx] into the user session keyring
mount: No such file or directory

:-(

blueser ( 2017-08-09 12:55:32 +0000 )edit

This seems suspicious on system logs:

Aug 09 10:16:12 localhost.localdomain su[5347]: ecryptfs: fill_keyring: Unable to get ecryptfs pam data : No module specific data is present

Searching Google for this error message, I found this post (https://forums.fedoraforum.org/archiv...), but: authconfig --enableecryptfs --updateall doesn't add ecryptfs lines to /etc/pam.d/system-auth, and even if I add them manually, it doesn't fix the problem.

blueser ( 2017-08-09 13:32:19 +0000 )edit

Some additional data:

sudo mount -i -t ecryptfs -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs,ecryptfs_sig=xxx ~/.Private ~/Private/
[sudo] password for costa: 
mount: /home/costa/Private: mount(2) system call failed: No such file or directory.

ls -ld /home/costa/Private
dr-x------. 2 costa costa 4096 ago  8 22:38 /home/costa/Private

ls -dZ ~/Private/ ~/.Private
unconfined_u:object_r:ecryptfs_t:s0 /home/costa/.Private
unconfined_u:object_r:user_home_t:s0 /home/costa/Private/

blueser ( 2017-08-09 14:01:55 +0000 )edit
0

answered 2017-08-07 19:49:47 +0000

sixpack13 gravatar image

updated 2017-08-07 20:03:32 +0000

many moons ago I set:

setsebool -P use_ecryptfs_home_dirs 1

sudo usermod -a -G ecryptfs <your-user-name>

logoff, logon

ecryptfs-verify -h
ecryptfs-verify -p

Comments

Thanks, didn't know about ecryptfs-verify. Everything seems to be fine, though; ecryptfs-verify -p runs smoothly.

I really don't know anything about SELinux, but is there any chance the setsebool command above could break anything since I am not encrypting my whole home directory, but instead only a subdirectory? I googled for it and no results came back...

blueser ( 2017-08-07 21:26:32 +0000 )edit
0

answered 2017-08-10 02:31:28 +0000

sixpack13 gravatar image

updated 2017-08-10 02:39:51 +0000

to be checked:

grep ecrypt /etc/pam.d/*

/etc/pam.d/postlogin:auth           optional      pam_ecryptfs.so unwrap
/etc/pam.d/postlogin:password       optional      pam_ecryptfs.so unwrap
/etc/pam.d/postlogin:session        optional      pam_ecryptfs.so unwrap
/etc/pam.d/postlogin-ac:auth        optional      pam_ecryptfs.so unwrap
/etc/pam.d/postlogin-ac:password    optional      pam_ecryptfs.so unwrap
/etc/pam.d/postlogin-ac:session     optional      pam_ecryptfs.so unwrap

ls -l

drwx------.  2 otto otto 4096 27. Nov 2015  .ecryptfs
dr-x------.  2 otto otto 4096 27. Nov 2015   Private
drwx------.  5 otto otto 4096  6. Aug 01:43 .Private

Comments

Both commands match your outputs. However, if I use -Z with ls to show the security context for these directories, this is what I get:

ls -dZ .ecryptfs/ Private/ .Private
unconfined_u:object_r:user_home_t:s0 .ecryptfs/
unconfined_u:object_r:ecryptfs_t:s0 .Private
unconfined_u:object_r:user_home_t:s0 Private/

I'm not sure if the "ecryptfs_t" instead of "user_home_t" on ~/.Private is an indication of a problem. Could you please run the same command on your system to compare the results? Thanks!

blueser ( 2017-08-10 21:23:41 +0000 )edit

no text here

sixpack13 ( 2017-08-11 17:04:23 +0000 )edit

Stats

Asked: 2017-08-05 20:02:09 +0000

Seen: 187 times

Last updated: Aug 11