Hi, I'm trying to set up a configuration with the user's $HOME being encrypted. Using 2.6.37 kernel and ecryptfs-utils 85.

$HOME was migrated using ecryptfs-migrate-home. First problem is "Error attempting to add filename encryption key to user session keyring; rc = [1]". From looking into the code: A) ecryptfs_insert_wrapped_passphrase_into_keyring() calls B) ecryptfs_add_passphrase_key_to_keyring(). If B) returns non-zero then it is treated as an error, but "1" means the key already exists. Doesn't this mean that 1 should also be treated as "ok"? I'm using pam_keyinit.so, which adds/revokes keys at start/end of session, and I guess this causes error "1". If I drop pam_keyinit, set up everything ecryptfs related, then everything works fine (even if I set pam_keyinit back in the pam configs).

[root@bigarm ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/security/blacklist.sshd onerr=succeed
auth include system-auth
account required pam_shells.so
account required pam_nologin.so
account required pam_access.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke debug
session include system-auth
session optional pam_mail.so

[root@bigarm ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/security/blacklist onerr=succeed
auth required pam_env.so
auth required pam_tally.so deny=0 file=/var/log/faillog onerr=succeed
auth required pam_unix.so try_first_pass
auth optional pam_ecryptfs.so unwrap
account required pam_tally.so file=/var/log/faillog onerr=succeed
account required pam_time.so
account required pam_unix.so
# password [success=1 ignore=reset abort=die default=bad] pam_pwgen.so upper=1 digit=1
password required pam_cracklib.so try_first_pass difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass sha512 shadow use_authtok
password required pam_ecryptfs.so
password required pam_exec.so failok seteuid /usr/bin/make -C /var/db
# password required pam_exec.so failok seteuid /usr/bin/make -C /var/yp
session optional pam_keyinit.so revoke debug
session required pam_limits.so change_uid
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ecryptfs.so unwrap

-- 
Arkadiusz Miśkiewicz
PLD/Linux Team
arekm / maven.pl
http://ftp.pld-linux.org/
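The return-code question raised in the message above, worked through as an added Python model (not ecryptfs-utils code and not the poster's): the "add key to keyring" step is assumed to return 0 when the key was inserted, 1 when a key with the same signature is already present, and a negative errno on a real failure. A plain dict stands in for the kernel session keyring, and the signature and key bytes are constructed sample values. Running the same insertion twice shows why a caller that treats every non-zero rc as failure reports an error on the second pass, while a caller that only rejects negative values treats the repeat as success.

```python
# Added illustration of the rc convention discussed in the thread; it is not
# ecryptfs-utils code. The keyring is a dict standing in for the session keyring.

import errno

KEY_ADDED = 0    # assumed: key inserted
KEY_EXISTS = 1   # assumed: key with this signature already present


def add_passphrase_key_to_keyring(keyring, sig, key_bytes):
    """Model of ecryptfs_add_passphrase_key_to_keyring(): 0 = added, 1 = already there,
    negative errno on a real failure."""
    if sig in keyring:
        return KEY_EXISTS
    if not sig or len(key_bytes) == 0:
        return -errno.EINVAL
    keyring[sig] = key_bytes
    return KEY_ADDED


def insert_strict(keyring, sig, key_bytes):
    """Caller behaviour as reported: any non-zero rc is treated as an error."""
    rc = add_passphrase_key_to_keyring(keyring, sig, key_bytes)
    return (rc == 0), rc


def insert_idempotent(keyring, sig, key_bytes):
    """Caller behaviour the poster asks about: rc == 1 ("already exists") is OK,
    only negative values are failures."""
    rc = add_passphrase_key_to_keyring(keyring, sig, key_bytes)
    return (rc >= 0), rc


def login_twice(insert):
    """Run one insertion routine twice against the same keyring, as happens when
    two PAM phases (or two sessions sharing a keyring) both try to add the key.
    Returns ((ok, rc) for the first call, (ok, rc) for the second call)."""
    keyring = {}
    sig = "0123456789abcdef"   # constructed sample key signature
    key = b"\x01" * 16         # constructed sample key material
    first = insert(keyring, sig, key)
    second = insert(keyring, sig, key)
    return first, second


if __name__ == "__main__":
    print("strict    :", login_twice(insert_strict))      # second call fails with rc 1
    print("idempotent:", login_twice(insert_idempotent))  # second call succeeds with rc 1
```

The strict variant reproduces the "rc = [1]" failure on the second pass even though the key material is already in place; the idempotent variant keeps the distinction between "already present" and a genuine keyring error by checking only for negative return values.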

