Bug 432961
| Summary: | passfile option for key=openssl doesn't work | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Jan Tluka <jtluka> |
| Component: | ecryptfs-utils | Assignee: | Karsten Hopp <karsten> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 5.2 | CC: | mhalcrow, mnowak |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | RHEA-2008-0430 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-05-21 17:33:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Jan Tluka
2008-02-15 13:45:04 UTC
Note that only keyfiles generated by the eCryptfs key module via the ecryptfs-manager utility are currently supported. The correct OpenSSL key module parameter for specifying a file containing a keyfile passphrase is "passwd_file". If this is documented incorrectly in the man pages, this needs to be corrected. The passwd_file option for the openssl key module is not implemented in release 38. It is implemented in release 40, which is currently in Fedora devel. Mike Reopening just to let Karsten decide if he wants to pull this into RHEL5, since that's what the bug was opened against... Thanks, -Eric Latest packages for RHEL-5.2 already are based on ecryptfs-utils-40 so they already contain the fix. Just flagged the bug appropriately and will close it as soon as we ship the errata. Read ya, Phil Confirming it works in 40 and is failing in 38. -- NEW: ---- dhcp-lab-198 mounting # rpmquery ecryptfs-utils ecryptfs-utils-40-1.el5 dhcp-lab-198 mounting # mount.ecryptfs .secret/ .secret/ -o key=openssl:keyfile=mykey.pem:passwd_file=passfile.txt,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,verbosity=0 Attempting to mount with the following options: ecryptfs_key_bytes=16 ecryptfs_cipher=aes ecryptfs_sig=b2230a51354c73d2 Mounted eCryptfs OLD: ---- dhcp-lab-198 mounting # rpmquery ecryptfs-utils ecryptfs-utils-38-1.el5 dhcp-lab-198 mounting # umount .secret/ dhcp-lab-198 mounting # umount .secret/ umount: .secret/: not mounted dhcp-lab-198 mounting # mount.ecryptfs .secret/ .secret/ -o key=openssl:keyfile=mykey.pem:passwd_file=passfile.txt,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,verbosity=0 Attempting to mount with the following options: ecryptfs_key_bytes=16 ecryptfs_cipher=aes Error mounting eCryptfs; rc = [-22]; strerr = [Invalid argument]. Check your system logs; visit <http://ecryptfs.sourceforge.net/ecryptfs-faq.html>. dhcp-lab-198 mounting # mount | grep secret -- I believe it's worth fixing it. dhcp-lab-198 openssl-keyfile # mkdir secret
dhcp-lab-198 openssl-keyfile # ecryptfs-manager
eCryptfs key management menu
-------------------------------
1. Add passphrase key to keyring
2. Add public key to keyring
3. Generate new public/private keypair
4. Exit
Make selection: 3
Select key type to use for newly created files:
1) openssl
Selection: 1
SSL key file path [/root/.ecryptfs/pki/openssl/key.pem]: mykey.pem
Passphrase:
Returning to main menu
eCryptfs key management menu
-------------------------------
1. Add passphrase key to keyring
2. Add public key to keyring
3. Generate new public/private keypair
4. Exit
Make selection: 4
dhcp-lab-198 openssl-keyfile # ls -l mykey.pem
-rw-r--r-- 1 root root 986 Feb 26 08:32 mykey.pem
dhcp-lab-198 openssl-keyfile # mount.ecryptfs secret/ secret/ -o
key=openssl:keyfile=mykey.pem:passwd_file=passfile.txt,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,verbosity=0
Attempting to mount with the following options:
ecryptfs_key_bytes=16
ecryptfs_cipher=aes
ecryptfs_sig=cc8a94c1c8630ad3
Mounted eCryptfs
dhcp-lab-198 openssl-keyfile # echo "secrettext" > secret/stf.txt
-bash: secret/stf.txt: Transport endpoint is not connected
dhcp-lab-198 openssl-keyfile # ls -l secret/
total 4
-rw-r--r-- 1 root root 0 Feb 26 08:34 stf.txt
dhcp-lab-198 openssl-keyfile # echo "secrettext" > secret/stf.txt
-bash: secret/stf.txt: Input/output error
--
dhcp-lab-198 newman # Feb 26 08:49:23 dhcp-lab-198 kernel:
ecryptfs_send_message: User [0] does not have a daemon registered
Feb 26 08:49:23 dhcp-lab-198 kernel: pki_encrypt_session_key: Error sending
netlink message
Feb 26 08:49:23 dhcp-lab-198 kernel: write_tag_1_packet: Failed to encrypt
session key via a pki<4>ecryptfs_generate_key_packet_set: Error writing tag 1 packet
Feb 26 08:49:23 dhcp-lab-198 kernel: ecryptfs_write_headers_virt: Error
generating key packet set; rc = [-107]
Feb 26 08:49:23 dhcp-lab-198 kernel: ecryptfs_write_metadata: Error whilst
writing headers
Feb 26 08:49:23 dhcp-lab-198 kernel: Error writing headers; rc = [-107]
Feb 26 08:49:23 dhcp-lab-198 kernel: Error attempting to read the
[user.ecryptfs] xattr from the lower file; return value = [4294967235]
Feb 26 08:49:23 dhcp-lab-198 kernel: Attempt to read file that is not in a valid
eCryptfs format, and plaintext passthrough mode is not enabled; returning -EIO
--
> ecryptfs_send_message: User [0] does not have a daemon registered
When using a non-passphrase key module, the user accessing the eCryptfs mount
point needs to have the ecryptfsd daemon running.
Mike
Thanks Mike, got it. Works OK then. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2008-0430.html |