Od kilku dni męczę się z szyfrowaniem $home dla nowych użytkowników logujących się w systemie.
Po kolei:
- Na serwerze mam zainstalowane oprogramowanie ldap.
- Autoryzuję użytkowników przez sssd (prawidłowo skonfigurowany pam.d).
- Chcę aby nowy użytkownik w momencie logowanie miał stworzony katalog domowy zaszyfrowany ecryptfs.
I wszystko jest dobrze, użytkownik loguje się, tworzy się katalog $home, montują się ecrypt
ale po wylogowaniu i próbie ponownego logowanie nie chce się montować ecrypt.
tworzenie katalogu $home
Kod: Zaznacz cały
cat /etc/security/ecryptfs
#!/bin/bash
home=`eval echo ~$PAM_USER`
ecryptfs=/home/.ecryptfs/$PAM_USER/.ecryptfs
read password
if [ -d $ecryptfs ]; then
# ecryptfs is set
echo "Ecryptfs is already configured"
exit 0
elif [ `id -u` == 0 ]; then
# Setup ecryptfs and make home
umask 077
mkdir -p $home
group=`id -gn $PAM_USER`
chown $PAM_RUSER:$group $home
ecryptfs-setup-private -u $PAM_USER -l "$password" -b --nopwcheck
exit 0
else
# NOT ROOT
echo "Cannot login with 'su' for the first time"
exit 1
fi
pliki pam.d
Kod: Zaznacz cały
cat /etc/pam.d/common-account /etc/pam.d/common-auth /etc/pam.d/common-password /etc/pam.d/common-session /etc/pam.d/kdm
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config
#
Kod: Zaznacz cały
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
#auth optional pam_mount.so
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth required pam_exec.so expose_authtok /etc/security/ecryptfs
# and here are more per-package modules (the "Additional" block)
#auth required pam_exec.so expose_authtok /etc/security/ecryptfs
#auth optional pam_ecryptfs.so unwrap
#auth required pam_ecryptfs.so unwrap
# end of pam-auth-update config
#####auth optional pam_ecryptfs.so unwrap
Kod: Zaznacz cały
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix.
# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords. Without this option,
# the default is Unix crypt. Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
#password optional pam_mount.so
password optional pam_ecryptfs.so
password [success=2 default=ignore] pam_unix.so obscure sha512
password sufficient pam_sss.so
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
#password optional pam_ecryptfs.so
# end of pam-auth-update config
#
Kod: Zaznacz cały
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
#session optional pam_mount.so
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_sss.so
session required pam_python.so /usr/lib/libpam-mklocaluser/pam-python.py
session optional pam_ecryptfs.so unwrap
session optional pam_exec.so seteuid /etc/security/mkhome
# end of pam-auth-update config
Kod: Zaznacz cały
#
# /etc/pam.d/kdm - specify the PAM behaviour of kdm
#
auth required pam_nologin.so
auth optional pam_ecryptfs.so unwrap
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
session required pam_limits.so
@include common-account
@include common-password
@include common-session
I jeszcze:
Kod: Zaznacz cały
cat /etc/skel/.bash_logout
# ~/.bash_logout: executed by bash(1) when login shell exits.
# when leaving the console clear the screen to increase privacy
if [ "$SHLVL" = 1 ]; then
[ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q
fi
luka@tqdesk7:~$ cat /etc/skel/.bash_
.bash_logout .bash_profile
luka@tqdesk7:~$ cat /etc/skel/.bash_profile
if test -e $HOME/.ecryptfs/auto-mount; then
mount | grep "$HOME/Private type ecryptfs"
if test $? != 0; then
mount -i $HOME/Private
fi
fi
Kod: Zaznacz cały
Feb 13 21:01:50 tqdesk7 kdm_greet[4878]: Cannot load /usr/share/kde4/apps/kdm/faces/.default.face: Nie ma takiego pliku ani katalogu
Feb 13 21:01:54 tqdesk7 kdm: :1[4877]: Error attempting to parse .ecryptfsrc file; rc = [-13]
Feb 13 21:01:54 tqdesk7 kdm: :1[4892]: pam_ecryptfs: NULL passphrase; aborting
Feb 13 21:01:54 tqdesk7 kdm: :1[4877]: Error attempting to parse .ecryptfsrc file; rc = [-13]
Feb 13 21:01:54 tqdesk7 kdm: :1[4893]: pam_ecryptfs: Passphrase file wrapped
Feb 13 21:01:55 tqdesk7 kdm: :1[4893]: Error attempting to open [/home/lukasz/.ecryptfs/wrapped-passphrase] for reading
Feb 13 21:01:55 tqdesk7 kdm: :1[4893]: Error attempting to unwrap passphrase from file [/home/lukasz/.ecryptfs/wrapped-passphrase]; rc = [-5]
Feb 13 21:01:55 tqdesk7 kdm: :1[4893]: pam_ecryptfs: Error adding passphrase key token to user session keyring; rc = [-5]
Feb 13 21:01:57 tqdesk7 kdm: :1 '[4910]: Cannot update authorization file in home dir /home/lukasz
Feb 13 21:01:57 tqdesk7 kdm: :1 '[4910]: Session log file according to .xsession-errors-%d cannot be created: Permission denied
Feb 13 21:02:01 tqdesk7 kdm: :1[4981]: Cannot update authorization file in home dir /home/lukasz
LL