Bug 486152

Summary: RFE: authconfig should support pam_ecryptfs
Product: [Fedora] Fedora
Reporter: Piergiorgio Sartor <piergiorgio.sartor>
Component: authconfig
Assignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: low
Version: rawhide
CC: ascii79, dwmw2, mhlavink, pbonzini, pmrpla, psplicha, tmraz
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: authconfig-6.1.13-1.fc15
Doc Type: Enhancement
Last Closed: 2011-02-08 21:15:17 UTC
Bug Depends On: 665059, 665060, 665061, 665062, 665063    
Bug Blocks: 487088, 516996, 617282    
Attachments:
Description | Flags
patch to authconfig 6.1.11 | none
authconfig patch | none
authconfig.spec patch | none
RFC patches for other packages | none
authconfig patch v2 | none
authconfig.spec patch v2 | pbonzini: review?
the two authconfig commits that fix the bug | pbonzini: review?

Description Piergiorgio Sartor 2009-02-18 17:11:34 UTC
Description of problem:
In order to use the automount feature of ecryptfs, for the ~/Private folder, some modifications to /etc/pam.d/system-auth are required.
Specifically, it is needed to add some directives with pam_ecryptfs.so in a proper order.
The problem is that /etc/pam.d/system-auth is changed whenever authconfig is used and "user changes will be destroyed"...

It would be good to integrate into authconfig the pam_ecryptfs.so awareness, so that it (pam_ecryptfs.so) could be even configured from within authconfig.

Version-Release number of selected component (if applicable):
authconfig-5.4.4-1.fc10
authconfig-gtk-5.4.4-1.fc10

Thanks,

piergiorgio

Comment 2 Piergiorgio Sartor 2010-06-17 14:41:24 UTC
Hi,

just curious to know how it is going with this, since in the koji, looking at the changelog, I did not find any reference to this entry.

Thanks,

bye,

pg

Comment 3 Tomas Mraz 2010-06-17 17:49:46 UTC
This is still not implemented. Patches welcome. I'd prefer for a start to have it implemented in the command line UI. I'd like to keep the GUI as simple as possible.

In the %post of pam_ecryptfs it would be then possible to enable the module with the call to the authconfig.

Comment 4 Paolo Bonzini 2010-11-18 17:41:00 UTC
Created attachment 461342
patch to authconfig 6.1.11

The attached patch against Fedora 14's authconfig git repo takes care of adding a USEECRYPTFS key to /etc/sysconfig/authconfig and does parsing+regeneration of pam_ecryptfs entries in /etc/pam.d/system-auth.

The only quirk is that, since PAM files are read after sysconfig files, it is impossible to disable ecryptfs with

   USE_ECRYPTFS=no

followed by "authconfig --updateall --update", because the pam_ecryptfs entry in system-auth trumps the USE_ECRYPTFS setting.  I don't know if this is due to a mistake or is by design.  I was simply copying what is done for fprintd. :)

Comment 5 Tomas Mraz 2010-11-18 20:48:37 UTC
This is by design. I will add the patch to the upstream repository and it will be included in the next authconfig release. Thank you.

Comment 6 Tomas Mraz 2010-11-19 08:08:42 UTC
Unfortunately the patch is not sufficient. First (simple) problem is that not only system-auth, but also password-auth files should be modified. However the bigger problem is with the way the module has to be inserted into the PAM auth and password stacks. The module has to be called after the primary authentication modules (pam_unix, pam_krb5, pam_sss, pam_ldap) but these modules are "sufficient" in the current configuration as authconfig generates it. This means substantial changes are needed, these modules cannot be "sufficient" and sophisticated configuration with jumps will have to be used. The other option would be to add a new file which would be called as a 'substack' that would contain just the above mentioned modules.

Comment 7 Paolo Bonzini 2010-11-19 10:04:22 UTC
You're right.  This works for me:

=== /etc/pam.d/system-auth-chk:
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

=== /etc/pam.d/system-auth:
auth        required      pam_env.so
auth        substack      system-auth-chk
auth        optional      pam_ecryptfs.so unwrap

Comment 8 Paolo Bonzini 2010-11-19 11:31:20 UTC
I think it's better to do it the other way round, i.e. by adding a postlogin configuration file in PAM and calling it whenever appropriate.  You definitely do not want to mount ecryptfs when doing "chfn" for example...  And in any case the above will not work for graphical login.  I have a patch but I still have to finish the PAM side.

Comment 9 Paolo Bonzini 2010-11-19 13:57:43 UTC
Created attachment 461547
authconfig patch

This is an updated version of the patch that puts the "auth" and "session" pieces in a separate file /etc/pam.d/postlogin.  I'll shortly upload the other missing pieces.

Comment 10 Paolo Bonzini 2010-11-19 13:58:09 UTC
Created attachment 461548
authconfig.spec patch

This is the authconfig.spec part of the feature.

Comment 11 Paolo Bonzini 2010-11-19 14:08:05 UTC
Created attachment 461551
RFC patches for other packages

Other affected packages luckily require no upstream changes; PAM files are included directly in the Fedora RPMs.  For this reason, this attachment includes as an RFC all the changes to affected packages: pam, util-linux-ng and gdm.  I am not including /etc/pam.d/sshd and /etc/pam.d/remote.

If a package is missing, the only result is that ecryptfs will not be mounted when logging in via that service.  It does not have any effect on the ability to use the service.  The changes only ensure that *-auth is called as "auth substack" rather than "auth include", and add

    auth include postlogin
    session include postlogin

to the affected files.

If this approach is considered acceptable, I can clone the BZ for all affected packages.  Maybe this should also be added to the F15 features page.  Tomas, what do you think?
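
Added example (not part of the bug report or of the authconfig patches): a simplified Python model of Linux-PAM control-flag evaluation, showing the problem raised in comment 6 (a successful "sufficient" module ends the stack before pam_ecryptfs runs) and why comment 11 has services call *-auth as "auth substack" rather than "auth include". The service names svc-include and svc-substack, the module outcomes, and the reduced flag semantics (an optional module's result is always ignored) are assumptions made for illustration.

```python
# Simplified model of Linux-PAM control flags (pam.conf(5)); constructed stacks.
STACKS = {
    # Primary auth modules stay "sufficient", as authconfig generates them.
    "system-auth": [
        ("required", "pam_env.so"),
        ("sufficient", "pam_unix.so"),
        ("sufficient", "pam_sss.so"),
        ("required", "pam_deny.so"),
    ],
    "postlogin": [("optional", "pam_ecryptfs.so")],
    # Hypothetical service files: the same two lines, differing only in
    # how system-auth is pulled in.
    "svc-include": [("include", "system-auth"), ("include", "postlogin")],
    "svc-substack": [("substack", "system-auth"), ("include", "postlogin")],
}

def run(name, results, called):
    """Evaluate one stack; return (ok, stop). stop means a done/die action fired."""
    ok = True
    for control, target in STACKS[name]:
        if control in ("include", "substack"):
            sub_ok, stop = run(target, results, called)
            ok = ok and sub_ok
            # include passes done/die up to the caller; substack confines
            # it to the nested stack, so the caller keeps going.
            if stop and control == "include":
                return ok, True
            continue
        called.append(target)
        passed = results.get(target, False)  # unlisted modules fail (pam_deny)
        if control == "requisite" and not passed:
            return False, True               # die: stop now, fail
        if control == "sufficient" and passed and ok:
            return True, True                # done: stop now, succeed
        if control == "required" and not passed:
            ok = False                       # remember failure, keep going
        # optional (and a failed sufficient): result ignored in this model
    return ok, False

def authenticate(service, results):
    """Return (verdict, modules actually invoked) for a service stack."""
    called = []
    ok, _ = run(service, results, called)
    return ok, called

# Constructed outcome table: correct local password, ecryptfs unwrap succeeds.
GOOD_LOGIN = {"pam_env.so": True, "pam_unix.so": True, "pam_ecryptfs.so": True}
for svc in ("svc-include", "svc-substack"):
    print(svc, authenticate(svc, GOOD_LOGIN))
```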

Comment 12 Paolo Bonzini 2010-12-22 16:43:03 UTC
Created attachment 470252
authconfig patch v2

updated to add "password optional pam_ecryptfs.so unwrap" to postlogin instead of system-auth.  See also bug 665063.

Comment 13 Paolo Bonzini 2011-02-01 16:09:58 UTC
Created attachment 476434
authconfig.spec patch v2

Patch used to build http://koji.fedoraproject.org//koji/taskinfo?taskID=2754782

Comment 14 Paolo Bonzini 2011-02-01 16:10:52 UTC
Created attachment 476435
the two authconfig commits that fix the bug