Red Hat Bugzilla – Full Text Bug Listing
|Summary:||RFE: authconfig should support pam_ecryptfs|
|Product:||[Fedora] Fedora||Reporter:||Piergiorgio Sartor <piergiorgio.sartor>|
|Component:||authconfig||Assignee:||Tomas Mraz <tmraz>|
|Status:||CLOSED RAWHIDE||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||rawhide||CC:||ascii79, dwmw2, mhlavink, pbonzini, pmrpla, psplicha, tmraz|
|Fixed In Version:||authconfig-6.1.13-1.fc15||Doc Type:||Enhancement|
|Doc Text:||Story Points:||---|
|:||665059 665060 665061 665062 665063 (view as bug list)||Environment:|
|Last Closed:||2011-02-08 16:15:17 EST||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||665059, 665060, 665061, 665062, 665063|
|Bug Blocks:||487088, 516996, 617282|
Description Piergiorgio Sartor 2009-02-18 12:11:34 EST
Description of problem: In order to use the automount feature of ecryptfs, for the ~/Private folder, some modifications to /etc/pam.d/system-auth are required. Specifically, it is needed to add some directives with pam_ecryptfs.so in a proper order. The problem is that /etc/pam.d/system-auth is changed whenever authconfig is used and "user changes will be destroyed"... It would be good to integrate into authoconfig the pam_ecryptfs.so awarness, so that it (pam_ecryptfs.so) could be even configured from within authconfig. Version-Release number of selected component (if applicable): authconfig-5.4.4-1.fc10 authconfig-gtk-5.4.4-1.fc10 Thanks, piergiorgio
Comment 2 Piergiorgio Sartor 2010-06-17 10:41:24 EDT
Hi, just curious to know how is going with this, since in the koji, looking at the changelog, I did not find any reference to this entry. Thanks, bye, pg
Comment 3 Tomas Mraz 2010-06-17 13:49:46 EDT
This is still not implemented. Patches welcome. I'd prefer for start to have it implemented in the command line ui. I'd like to keep the GUI as simple as possible. In the %post of pam_ecryptfs it would be then possible to enable the module with the call to the authconfig.
Comment 4 Paolo Bonzini 2010-11-18 12:41:00 EST
Created attachment 461342 [details] patch to authconfig 6.1.11 The attached patch against Fedora 14's authconfig git repo takes care of adding a USEECRYPTFS key to /etc/sysconfig/authconfig and does parsing+regeneration of pam_ecryptfs entries in /etc/pam.d/system-auth. The only quirk is that, since PAM files are read after sysconfig files, it is impossible to disable ecryptfs with USE_ECRYPTFS=no followed by "authconfig --updateall --update", because the pam_ecryptfs entry in system-auth trumps the USE_ECRYPTFS setting. I don't know if this is due to a mistake or is by design. I was simply copying what is done for fprintd. :)
Comment 5 Tomas Mraz 2010-11-18 15:48:37 EST
This is by design. I will add the patch to the upstream repository and it will be included in the next authconfig release. Thank you.
Comment 6 Tomas Mraz 2010-11-19 03:08:42 EST
Unfortunately the patch is not sufficient. First (simple) problem is that not only system-auth, but also password-auth files should be modified. However the bigger problem is with the way the module has to be inserted into the PAM auth and password stacks. The module has to be called after the primary authentication modules (pam_unix, pam_krb5, pam_sss, pam_ldap) but these modules are "sufficient" in the current configuration as authconfig generates it. This means substantial changes are needed, these modules cannot be "sufficient" and sophisticated configuration with jumps will have to be used. The other option would be to add a new file which would be called as a 'substack' that would contain just the above mentioned modules.
Comment 7 Paolo Bonzini 2010-11-19 05:04:22 EST
You're right. This works for me: === /etc/pam.d/system-auth-chk: auth sufficient pam_fprintd.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so === /etc/pam.d/system-auth: auth required pam_env.so auth substack system-auth-chk auth optional pam_ecryptfs.so unwrap
Comment 8 Paolo Bonzini 2010-11-19 06:31:20 EST
I think it's better to do it the other way round, i.e. by adding a postlogin configuration file in PAM and calling it whenever appropriate. You definitely do not want to mount ecryptfs when doing "chfn" for example... And in any case the above will not work for graphical login. I have a patch but I still have to finish the PAM side.
Comment 9 Paolo Bonzini 2010-11-19 08:57:43 EST
Created attachment 461547 [details] authconfig patch This is an updated version of the patch that puts the "auth" and "session" pieces in a separate file /etc/pam.d/postlogin. I'll shortly upload the other missing pieces.
Comment 10 Paolo Bonzini 2010-11-19 08:58:09 EST
Created attachment 461548 [details] authconfig.spec patch This is the authconfig.spec part of the feature.
Comment 11 Paolo Bonzini 2010-11-19 09:08:05 EST
Created attachment 461551 [details] RFC patches for other packages Other affected packages luckily require no upstream changes; PAM files are included directly in the Fedora RPMs. For this reason, this attachment includes as an RFC all the changes to affected packages: pam, util-linux-ng and gdm. I am not including /etc/pam.d/sshd and /etc/pam.d/remote. If a package is missing, the only result is that ecryptfs will not be mounted when logging in via that service. It does not have any effect on the ability to use the service. The changes only ensure that *-auth is called as "auth substack" rather than "auth include", and add auth include postlogin session include postlogin to the affected files. If this approach is considered acceptable, I can clone the BZ for all affected packages. Maybe this should also be added to the F15 features page. Tomas, what do you think?
Comment 12 Paolo Bonzini 2010-12-22 11:43:03 EST
Created attachment 470252 [details] authconfig patch v2 updated to add "password optional pam_ecryptfs.so unwrap" to postlogin instead of system-auth. See also bug 665063.
Comment 13 Paolo Bonzini 2011-02-01 11:09:58 EST
Created attachment 476434 [details] authconfig.spec patch v2 Patch used to build http://koji.fedoraproject.org//koji/taskinfo?taskID=2754782