Bug 1564603 - Systemctl demands LUKS passphrase when it shouldn't
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: systemd
Version: 7.4
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: systemd-maint
QA Contact: qe-baseos-daemons

Reported: 2018-04-06 18:01 UTC by Megan Towey
Modified: 2021-06-10 15:42 UTC
Fixed In Version: systemd-219-63.el7
Last Closed: 2019-01-28 06:27:02 UTC

Links
Red Hat Knowledge Base (Solution) 3402471 (last updated 2018-04-16 14:19:14 UTC)

Description Megan Towey 2018-04-06 18:01:09 UTC
Description of problem:
Systemd prompts for a passphrase for (an already open) device if the crypttab/fstab listings do not match the existing mapping on the system.

Version-Release number of selected component (if applicable):
systemd-219-42.el7_4.6.x86_64
cryptsetup-1.7.4-3.el7_4.1.x86_64
  * Also seen in earlier versions of RHEL/systemd

How Reproducible:
Always

Steps to Reproduce:
1. Have an entry in /etc/crypttab:
    luks-a65b15b1-0590-4c6a-9360-ee50848f9e51 UUID=a65b15b1-0590-4c6a-9360-ee50848f9e51 /root/passfile.txt
2. Have an entry in /etc/fstab:
    /dev/mapper/luks-a65b15b1-0590-4c6a-9360-ee50848f9e51 /luks-mnt2 ext4 defaults 0 0
3. Manually decrypt this device with a different mapping:
    # cryptsetup luksClose /dev/mapper/luks-a65b15b1-0590-4c6a-9360-ee50848f9e51
    # cryptsetup luksOpen /dev/sdb luks-sdb -d /root/passfile.txt


Actual results:
[root@localhost ~]# cryptsetup luksOpen /dev/sdb luks-sdb -d /root/passfile.txt 
[root@localhost ~]# 
Broadcast message from root (Fri 2018-04-06 12:39:42 EDT):

Password entry required for 'Please enter passphrase for disk QEMU_HARDDISK (luks-a65b15b1-0590-4c6a-9360-ee50848f9e51) on /luks-mnt2!' (PID 1585).
Please enter password with the systemd-tty-ask-password-agent tool!

# tail -n20 /var/log/messages
Apr  6 12:39:16 localhost systemd: Stopping Encrypted Volumes.
Apr  6 12:39:16 localhost systemd: Stopping Cryptography Setup for luks-a65b15b1-0590-4c6a-9360-ee50848f9e51...
Apr  6 12:39:16 localhost systemd-cryptsetup: crypt_init() failed: No such device
Apr  6 12:39:16 localhost systemd: systemd-cryptsetup@luks\x2da65b15b1\x2d0590\x2d4c6a\x2d9360\x2dee50848f9e51.service: control process exited, code=exited status=1
Apr  6 12:39:16 localhost systemd: Stopped Cryptography Setup for luks-a65b15b1-0590-4c6a-9360-ee50848f9e51.
Apr  6 12:39:16 localhost systemd: Unit systemd-cryptsetup@luks\x2da65b15b1\x2d0590\x2d4c6a\x2d9360\x2dee50848f9e51.service entered failed state.
Apr  6 12:39:16 localhost systemd: systemd-cryptsetup@luks\x2da65b15b1\x2d0590\x2d4c6a\x2d9360\x2dee50848f9e51.service failed.
Apr  6 12:39:40 localhost systemd: Mounting /luks-mnt2...
Apr  6 12:39:40 localhost systemd: Starting Cryptography Setup for luks-a65b15b1-0590-4c6a-9360-ee50848f9e51...
Apr  6 12:39:41 localhost mount: mount: special device /dev/mapper/luks-a65b15b1-0590-4c6a-9360-ee50848f9e51 does not exist
Apr  6 12:39:41 localhost systemd: luks\x2dmnt2.mount mount process exited, code=exited status=32
Apr  6 12:39:41 localhost systemd: Failed to mount /luks-mnt2.
Apr  6 12:39:41 localhost systemd: Unit luks\x2dmnt2.mount entered failed state.
Apr  6 12:39:41 localhost systemd-cryptsetup: Key file /root/passfile.txt is world-readable. This is not a good idea!
Apr  6 12:39:41 localhost systemd-cryptsetup: Set cipher aes, mode xts-plain64, key size 256 bits for device /dev/disk/by-uuid/a65b15b1-0590-4c6a-9360-ee50848f9e51.
Apr  6 12:39:42 localhost systemd-cryptsetup: Failed to activate with key file '/root/passfile.txt': Device or resource busy
Apr  6 12:39:42 localhost systemd: Starting Forward Password Requests to Wall...
Apr  6 12:39:42 localhost systemd: Stopped Forward Password Requests to Plymouth Directory Watch.
Apr  6 12:39:42 localhost systemd: Stopping Forward Password Requests to Plymouth Directory Watch.
Apr  6 12:39:42 localhost systemd: Started Forward Password Requests to Wall.
Apr  6 12:40:01 localhost chronyd[1051]: Source 38.229.71.1 replaced with 64.6.144.6


Expected results:
No prompt for password

Additional info:
We also see prompts when we reload/restart certain services. 
[root@localhost ~]# systemctl restart network
Please enter passphrase for disk QEMU_HARDDISK (luks-a65b15b1-0590-4c6a-9360-ee50848f9e51) on /luks-mnt2!


If we have the mapping the same, there is no issue when restarting any services.
This may also belong to cryptsetup.
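
An added example, not part of the original report and not systemd or cryptsetup code: a small offline audit that flags the condition reproduced above (a LUKS device open under a name other than its crypttab name while fstab still points at the crypttab mapping) and the world-readable key file that the log warns about. The `DMSETUP` line (assumed shape of `dmsetup info -c --noheadings -o name,uuid` output) and the `KEY_MODES` values are constructed sample inputs.

```python
import stat

# Constructed inputs modelled on the report; nothing is read from a live system.
CRYPTTAB = ("luks-a65b15b1-0590-4c6a-9360-ee50848f9e51 "
            "UUID=a65b15b1-0590-4c6a-9360-ee50848f9e51 /root/passfile.txt\n")
FSTAB = "/dev/mapper/luks-a65b15b1-0590-4c6a-9360-ee50848f9e51 /luks-mnt2 ext4 defaults 0 0\n"
# Assumed shape of `dmsetup info -c --noheadings -o name,uuid` after step 3.
DMSETUP = "luks-sdb:CRYPT-LUKS1-a65b15b105904c6a9360ee50848f9e51-luks-sdb\n"
KEY_MODES = {"/root/passfile.txt": 0o644}  # hypothetical stat() results

def rows(text):
    """Whitespace-split fields of each non-blank, non-comment line."""
    return [l.split() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def active_luks(dmsetup_out):
    """Map dash-less LUKS UUID -> name of the active mapping that holds it."""
    found = {}
    for line in dmsetup_out.splitlines():
        name, _, dm_uuid = line.strip().partition(":")
        parts = dm_uuid.split("-", 3)  # CRYPT, <type>, <uuid>, <name>
        if len(parts) == 4 and parts[0] == "CRYPT":
            found[parts[2].lower()] = name
    return found

def audit(crypttab, fstab, dmsetup_out, key_modes):
    """Return a list of (kind, crypttab_name, detail) findings."""
    findings = []
    active = active_luks(dmsetup_out)
    fstab_devs = {r[0] for r in rows(fstab)}
    for r in rows(crypttab):
        if len(r) < 2:
            continue
        name, dev = r[0], r[1]
        key = r[2] if len(r) > 2 else "none"
        if dev.startswith("UUID="):
            opened_as = active.get(dev[5:].replace("-", "").lower())
            if opened_as and opened_as != name:
                # Device is busy under another name: key-file activation fails.
                findings.append(("open-under-other-name", name, opened_as))
        if f"/dev/mapper/{name}" in fstab_devs and name not in active.values():
            # The mount needs a mapping that is not active.
            findings.append(("fstab-needs-missing-mapping", name, f"/dev/mapper/{name}"))
        if key_modes.get(key, 0) & stat.S_IROTH:
            findings.append(("keyfile-world-readable", name, key))
    return findings

if __name__ == "__main__":
    for finding in audit(CRYPTTAB, FSTAB, DMSETUP, KEY_MODES):
        print(*finding)
```
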

Comment 1 David Tardon 2019-01-25 18:39:58 UTC
I can reproduce the scenario on 7.3 and 7.4, but not on 7.5.

Comment 2 Jan Synacek 2019-01-28 06:27:02 UTC
Not reproducible anymore. Customer case closed.

