Encrypted /home partition out of the box

Discuss all artwork and development - Suggestions needed

Moderator: Moderators

Postby chickpea » Fri Apr 27, 2007 18:22

Ahah, now I get it. Ok noauto is obviously what we are looking for.

Also, I emailed Mike Halcrow back and forth today. It appears that the ecryptfs-utils in portage is an old version (7 rather than the new 15) that doesn't have the pam module (no wonder I couldn't find it). So Mike cc'd the maintainer at gentoo foundation (chris something?) to update the ebuild. So like next week or two should be an update to the ebuild and we can get the pam module right off of portage.

The reason we always needed to do ecryptfs-manager to "mount -i /secret" is because keyctl clear @u strips the user password OUT of the keyring. :shock: So when the user logs in there is nothing that puts the user password generated keysig into the keyring. So of course it won't automount without doing first an "ecryptfs-manager" to add the password to the keyring, no user key sig was in the keyring before doing so! :roll: In order for the keysig to be added to the keyring automatically we will need to have the pam module installed. Since we only have the old version we don't have the pam_ecryptfs.so in "/lib/security/". We can either build then pam module from source the manual way or wait for the ebuild update in portage. As far as modifying our system-auth files we are on our own. But shouldn't been too tricky, just some tweaks and should work. Still haven't gotten an answer about the bash script though.
chickpea
Sagely Hen
 
Posts: 1084
Joined: Fri Jan 05, 2007 15:08
Location: Washington, DC

Postby dave_p_b » Fri Apr 27, 2007 22:50

Hi

I never used ecryptfs from portage. I installed it from their website so I've got the pam module. It's quite easy to install. Just download from here http://downloads.sourceforge.net/ecrypt ... g_mirror=0

It includes two directories. One is the ecryptfs module and pam module. The second directory contains the user space tools such as ecrypts-manager.
They're both very easy to install.

OK, I got everything installed, including the pam module in the /etc/pam.d/system-auth.
My system-auth file looks like this:
#%PAM-1.0

auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_ecryptfs.so
auth required pam_deny.so

account required pam_unix.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so

However, when I login with my test account it doesn't open the encrypted folder. It just loads up a fresh install of kde in the /home/testuser directory.

I'll keep playing with it and see what happens. I think that maybe keeping the "sufficient" part of the pam_unix.so line it doesn't bother with the next line that includes pam_ecryptfs.so.
But as we have discussed before, if we change "sufficient" to "required" on the pam_unix.so line then we can't log in to any account.

This might be a difficult one that we need help from the devs with.

I'll post back any successes.
Cheers

Dave
dave_p_b
Old Dear Hen
 
Posts: 607
Joined: Fri Dec 15, 2006 1:39
Location: Exeter, UK

Postby dave_p_b » Fri May 04, 2007 16:38

Hi Chickpea

Have you got any further on this yet? I found out something new today. You probably already figured it out but I'm a bit slow ;)

If I create a new folder /home/testuser and mount it using "mount -t ecryptfs /home/testuser /home/testuser". This seems to work!

I set up the user testuser using "kusers" and then log in to that account with the /home/testuser still mounted.

I then log back out and login using my normal account.

If I issue the command "umount /home/testuser" then that folder immmediatly becomes encrypted.

If I then type the command "mount -i /home/testuser" the folder immediatly becomes un-encrypted.

Wow, I thought before that your encrypted folder and your mount point had to be separate folders. It seems not to be the case. I know it told us this in the README file but I've only just figured it out ;)

Anyway, I still have the same problem as before trying to get the pam_ecryptfs.so module to work. I looked in the /lib/security folder and found it there. It seemed to be the only one that wasn't executable so I changed it to be executable.

However, When I log in as my testuser, the pam_security.so module doesn't seem to be passing the password to the keyctrl file. These means that each time I log in and try to execute the "mount -i /home/testuser" command from the ".bash_profile" file it just errors out saying that it can't find an entry in keyctrl and when I type "keyctrl show" it doesn't seem to be there.

I tried to place "auth required pam_ecryptfs.so" in the /etc/pam.d/system-auth and /etc/pam.d/login and it didn't work in either.

I think I'm missing something silly here.

Cheers

Dave
dave_p_b
Old Dear Hen
 
Posts: 607
Joined: Fri Dec 15, 2006 1:39
Location: Exeter, UK

Postby chickpea » Fri May 04, 2007 19:09

Hey Dave:

Sorry but I haven't had much time to toy around with this. My wife has been going through husband withdrawal so needed to spend more time with her.

Yeah I knew that little trick that the mount point can be the same as the encrypted volume. Cool aint it? :wink:

Yeah I still haven't downloaded and installed the tarball, and portage hasn't been updated with the ecryptfs-utils version 15. So I don't have the pam module on my system yet.

It seems we are VERY close here. It is just a matter now of figuring out the system-auth file and the pam module should get us there. So that the testuser dir will get automounted on login.

Won't be able to play around more for a while, mother-in-law in town from abroad so no computie time for me. :cry: I think we are very close.
chickpea
Sagely Hen
 
Posts: 1084
Joined: Fri Jan 05, 2007 15:08
Location: Washington, DC

Postby dave_p_b » Fri May 04, 2007 21:01

Cool.

Will try to play with it for a bit. With the new Sabayon Kernel the ecryptfs module is built in so no need to compile it.
I hope you survive the next few weeks;) Cya when you get back

All the best

Dave
dave_p_b
Old Dear Hen
 
Posts: 607
Joined: Fri Dec 15, 2006 1:39
Location: Exeter, UK

Postby chickpea » Mon May 07, 2007 23:01

Thanks. Ohh, just got upgraded to Technological Hen. Does that make me look smarter? :lol:

Check back with ya in a couple of weeks on this.

Bryan
chickpea
Sagely Hen
 
Posts: 1084
Joined: Fri Jan 05, 2007 15:08
Location: Washington, DC

Postby dave_p_b » Mon May 07, 2007 23:18

Hi Chickpea.

Ok, I got the pam module working (sort of). I emailed the developer and he sent me this link http://sourceforge.net/mailarchive/foru ... ptfs-users which provided some useful info.

It seem that the pam problem seems to be gentoo specific. In the /etc/pam.d/syst-auth file it does need to be changed from "sufficient" to "required" and the pam_deny line needs to be commented out. My syst-auth file now looks like:
#%PAM-1.0

auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
auth required /lib/security/pam_ecryptfs.so
#auth required pam_deny.so

account required pam_unix.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so

If changed what is in bold.

Now I can log in as any user I want and if I check the users keyring it contains the password entry. e.g. type "keyctl show" under the user that's just logged in and it will show an entry for the password that the pam module has passed to it. This is a good sign. Haven't quite got it working on my encrypted user's home partition yet but I think I'm close.

Regarding the /etc/pam.d/syst-auth file and the changes I've made, I don't know what the ramifications will be on overall security. I'm hoping that one of the sabayon devs can tell us that.

Another strange thing is that unlike the /etc/pam.d/login file which is only called at login, the /etc/pam.d/syst-auth file is called quite alot. Even when you type in the "su" command in a konsole, so I will have to see if this causes any issues too.

Speek to you soon

Dave
dave_p_b
Old Dear Hen
 
Posts: 607
Joined: Fri Dec 15, 2006 1:39
Location: Exeter, UK

Postby mhalcrow » Wed May 16, 2007 20:46

Here is a script that makes an attempt at automating the process of mounting ~/Confidential on login. If you want to encrypt your home directory, you can try making just .bash_profile (and any other files accessed prior to .bash_profile being executed) plaintext and mounting eCryptfs with plaintext passthrough mode enabled (assuming you don't have any sensitive information in your .bash_profile). Use this script as a source of inspiration for your own box (it makes a bucketload of silly assumptions about paths and what not, so taylor it to your needs). This requires ecryptfs-utils-15 or higher.

Code: Select all
#!/bin/sh

echo
echo "You must run this script as root. Do not use sudo; either log in"
echo "as root or use 'su -'"
echo
echo "This script applies to RHEL 5-based systems only"
echo

whoami | grep "^root$" &> /dev/null
if test $? == 1; then
  echo "Please run this script as root"
  echo
  exit
fi

echo "USAGE:"
echo " # ecryptfs-setup-pam.sh [username] [passphrase]"
echo

if test "x$1" == "x"; then
    echo "Must provide a username"
    echo
    exit
fi

if test "x$2" == "x"; then
    echo "Must provide a login passphrase"
    echo
    exit
fi

echo $2 | grep "[;\"\\]"
if test $? == 0; then
    echo "Warning: Using backslashes, quotes, or semicolons in your passphrase"
    echo "may cause problems."
    echo
    echo "Hit ENTER to continue, CTRL-C to abort..."
    read
fi

echo "Using username [$1]"
echo "Using login passphrase [$2]"
echo
echo "This script will attempt to set up your system to mount eCryptfs"
echo "automatically on login, using your login passphrase."
echo
echo "Hit ENTER to continue, CTRL-C to abort..."
read
echo
echo "This script will now attempt to take the following steps:"
echo " * Insert the ecryptfs kernel module"
echo "  # modprobe ecryptfs"
echo " * Create a Confidential directory in the user's home directory"
echo "  # mkdir /home/$1/Confidential"
echo "  # chown $1:$1 /home/$1/Confidential"
echo "  # chmod 700 /home/$1/Confidential"
echo " * Perform an eCryptfs mount"
echo "  # mount -t ecryptfs /home/$1/Confidential /home/$1/Confidential -o key=passphrase:passwd=\"$2\",cipher=aes,passthrough=n,no_sig_cache"
echo " * Add an entry to /etc/fstab with the the mount parameters"
echo "  # grep ecryptfs_sig /etc/mtab | sed 's/ecryptfs_cipher\=aes,/ecryptfs_cipher\=aes,user,noauto,/' >> /etc/fstab"
echo " * Unmount eCryptfs"
echo "  # umount ecryptfs"
echo " * Change pam_unix from 'sufficient' to 'required' for auth and add pam_ecryptfs to PAM stack"
echo "  # cat /etc/pam.d/system-auth | sed 's/auth\s*sufficient\s*pam_unix\.so nullok try_first_pass/auth        required      pam_unix nullok try_first_pass\nauth        required      pam_ecryptfs.so/' > /tmp/system-auth"
echo "  # cp -f /etc/pam.d/system-auth /etc/pam.d/.system-auth-before-pam_ecryptfs"
echo "  # mv -f /tmp/system-auth /etc/pam.d/system-auth"
echo " * Add eCryptfs mount commands to /home/$1/.bash_profile"
echo "  # cp -f /home/$1/.bash_profile /home/$1/.bash_profile-before-pam_ecryptfs"
echo "  # echo \"if test -e \$HOME/.ecryptfs/auto-mount; then\" >> /home/$1/.bash_profile"
echo "  # echo \"  mount | grep \\\"\$HOME/Confidential type ecryptfs\\\"\" >> /home/$1/.bash_profile"
echo "  # echo \"  if test \$? != 0; then\" >> /home/$1/.bash_profile"
echo "  # echo \"    mount -i \$HOME/Confidential\" >> /home/$1/.bash_profile"
echo "  # echo \"  fi\" >> /home/$1/.bash_profile"
echo "  # echo \"fi\" >> /home/$1/.bash_profile"
echo " * Turn on automount for the user"
echo "  # mkdir -p /home/$1/.ecryptfs"
echo "  # touch /home/$1/.ecryptfs/auto-mount"
echo
echo "If something goes wrong, or if you notice that an operation "
echo "listed above will not work on your system, than you will need "
echo "to take these steps manually."
echo
echo "Hit ENTER to continue, CTRL-C to abort..."
read
modprobe ecryptfs
mkdir /home/$1/Confidential
chown $1:$1 /home/$1/Confidential
chmod 700 /home/$1/Confidential
mount -t ecryptfs /home/$1/Confidential /home/$1/Confidential -o key=passphrase:passwd="$2",cipher=aes,passthrough=n,no_sig_cache
grep ecryptfs_sig /etc/mtab | sed 's/ecryptfs_cipher\=aes,/ecryptfs_cipher\=aes,user,noauto,/' >> /etc/fstab
umount /home/$1/Confidential
cat /etc/pam.d/system-auth | sed 's/auth\s*sufficient\s*pam_unix\.so nullok try_first_pass/auth        required      pam_unix.so nullok try_first_pass\nauth        required      pam_ecryptfs.so/' > /tmp/system-auth
cp -f /etc/pam.d/system-auth /etc/pam.d/.system-auth-before-pam_ecryptfs
cat /tmp/system-auth | grep -v "auth        required      pam_deny.so" > /etc/pam.d/system-auth
rm -f /tmp/system-auth
cp -f /home/$1/.bash_profile /home/$1/.bash_profile-before-pam_ecryptfs
echo "if test -e \$HOME/.ecryptfs/auto-mount; then" >> /home/$1/.bash_profile
echo "  mount | grep \"\$HOME/Confidential type ecryptfs\"" >> /home/$1/.bash_profile
echo "  if test \$? != 0; then" >> /home/$1/.bash_profile
echo "    mount -i \$HOME/Confidential" >> /home/$1/.bash_profile
echo "  fi" >> /home/$1/.bash_profile
echo "fi" >> /home/$1/.bash_profile
mkdir -p /home/$1/.ecryptfs
chown $1:$1 /home/$1/.ecryptfs
touch /home/$1/.ecryptfs/auto-mount
chown $1:$1 /home/$1/.ecryptfs/auto-mount
mhalcrow
Baby Hen
 
Posts: 1
Joined: Wed May 16, 2007 20:29

Postby chickpea » Thu May 24, 2007 18:23

Dave:

Looks like you've had a major breakthrough.

@mike halcrow

Thanks for the script Mike. I spoke with you earlier about these issues and it seems like we are close to getting a working solution. You have been more than helpful getting us up and running.

I am still with wife and mother in law so no time for fooling around (also am pulling 12 hour days at work ugh!) with my box. I thought we would have to have the pam module set to require. I am not so sure that calling the system-auth file creates any real security issues as it is part of the pam system, which is a fairly robust and secure system for user authentication and automated logins.
chickpea
Sagely Hen
 
Posts: 1084
Joined: Fri Jan 05, 2007 15:08
Location: Washington, DC

Previous

Return to Artwork and Development Suggestions

Who is online

Users browsing this forum: No registered users and 2 guests