Bug 1564603 - Systemctl demands LUKS passphrase when it shouldn't
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: systemd
Version: 7.4
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: rc
Assignee: systemd-maint
QA Contact: qe-baseos-daemons
Reported: 2018-04-06 18:01 UTC by Megan Towey
Modified: 2019-01-28 06:27 UTC (History)

Fixed In Version: systemd-219-63.el7
Last Closed: 2019-01-28 06:27:02 UTC
Links: Red Hat Knowledge Base (Solution) 3402471 (last updated 2018-04-16 14:19:14 UTC)

Description Megan Towey 2018-04-06 18:01:09 UTC
Description of problem:
Systemd prompts for a passphrase for (an already open) device if the crypttab/fstab listings do not match the existing mapping on the system.

Version-Release number of selected component (if applicable):
systemd-219-42.el7_4.6.x86_64
cryptsetup-1.7.4-3.el7_4.1.x86_64
  * Also seen in earlier versions of RHEL/systemd

How Reproducible:
Always

Steps to Reproduce:
1. Have an entry in /etc/crypttab:
    luks-a65b15b1-0590-4c6a-9360-ee50848f9e51 UUID=a65b15b1-0590-4c6a-9360-ee50848f9e51 /root/passfile.txt
2. Have an entry in /etc/fstab:
    /dev/mapper/luks-a65b15b1-0590-4c6a-9360-ee50848f9e51 /luks-mnt2 ext4 defaults 0 0
3. Manually decrypt this device with a different mapping:
    # cryptsetup luksClose /dev/mapper/luks-a65b15b1-0590-4c6a-9360-ee50848f9e51
    # cryptsetup luksOpen /dev/sdb luks-sdb -d /root/passfile.txt


Actual results:
[root@localhost ~]# cryptsetup luksOpen /dev/sdb luks-sdb -d /root/passfile.txt 
[root@localhost ~]# 
Broadcast message from root@localhost.localdomain (Fri 2018-04-06 12:39:42 EDT):

Password entry required for 'Please enter passphrase for disk QEMU_HARDDISK (luks-a65b15b1-0590-4c6a-9360-ee50848f9e51) on /luks-mnt2!' (PID 1585).
Please enter password with the systemd-tty-ask-password-agent tool!

# tail -n20 /var/log/messages
Apr  6 12:39:16 localhost systemd: Stopping Encrypted Volumes.
Apr  6 12:39:16 localhost systemd: Stopping Cryptography Setup for luks-a65b15b1-0590-4c6a-9360-ee50848f9e51...
Apr  6 12:39:16 localhost systemd-cryptsetup: crypt_init() failed: No such device
Apr  6 12:39:16 localhost systemd: systemd-cryptsetup@luks\x2da65b15b1\x2d0590\x2d4c6a\x2d9360\x2dee50848f9e51.service: control process exited, code=exited status=1
Apr  6 12:39:16 localhost systemd: Stopped Cryptography Setup for luks-a65b15b1-0590-4c6a-9360-ee50848f9e51.
Apr  6 12:39:16 localhost systemd: Unit systemd-cryptsetup@luks\x2da65b15b1\x2d0590\x2d4c6a\x2d9360\x2dee50848f9e51.service entered failed state.
Apr  6 12:39:16 localhost systemd: systemd-cryptsetup@luks\x2da65b15b1\x2d0590\x2d4c6a\x2d9360\x2dee50848f9e51.service failed.
Apr  6 12:39:40 localhost systemd: Mounting /luks-mnt2...
Apr  6 12:39:40 localhost systemd: Starting Cryptography Setup for luks-a65b15b1-0590-4c6a-9360-ee50848f9e51...
Apr  6 12:39:41 localhost mount: mount: special device /dev/mapper/luks-a65b15b1-0590-4c6a-9360-ee50848f9e51 does not exist
Apr  6 12:39:41 localhost systemd: luks\x2dmnt2.mount mount process exited, code=exited status=32
Apr  6 12:39:41 localhost systemd: Failed to mount /luks-mnt2.
Apr  6 12:39:41 localhost systemd: Unit luks\x2dmnt2.mount entered failed state.
Apr  6 12:39:41 localhost systemd-cryptsetup: Key file /root/passfile.txt is world-readable. This is not a good idea!
Apr  6 12:39:41 localhost systemd-cryptsetup: Set cipher aes, mode xts-plain64, key size 256 bits for device /dev/disk/by-uuid/a65b15b1-0590-4c6a-9360-ee50848f9e51.
Apr  6 12:39:42 localhost systemd-cryptsetup: Failed to activate with key file '/root/passfile.txt': Device or resource busy
Apr  6 12:39:42 localhost systemd: Starting Forward Password Requests to Wall...
Apr  6 12:39:42 localhost systemd: Stopped Forward Password Requests to Plymouth Directory Watch.
Apr  6 12:39:42 localhost systemd: Stopping Forward Password Requests to Plymouth Directory Watch.
Apr  6 12:39:42 localhost systemd: Started Forward Password Requests to Wall.
Apr  6 12:40:01 localhost chronyd[1051]: Source 38.229.71.1 replaced with 64.6.144.6


Expected results:
No prompt for password

Additional info:
We also see prompts when we reload/restart certain services. 
[root@localhost ~]# systemctl restart network
Please enter passphrase for disk QEMU_HARDDISK (luks-a65b15b1-0590-4c6a-9360-ee50848f9e51) on /luks-mnt2!


If we have the mapping the same, there is no issue when restarting any services.
This may also belong to cryptsetup.
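
A diagnostic for the condition described in this report, added here as an example (it is not part of the original bug report, nor systemd or cryptsetup code): it lists crypttab entries whose LUKS volume is already open under a different device-mapper name. The function names are hypothetical, the active-mapping listing is assumed to come from `dmsetup info -c --noheadings -o name,uuid`, and the sample data is constructed from the values in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): list crypttab entries whose LUKS
# volume is already open under a different device-mapper name.
#   $1  crypttab-format file
#   $2  file of "name:dm-uuid" lines; assumed to come from
#       dmsetup info -c --noheadings -o name,uuid
find_mapping_mismatches() {
    crypttab=$1 active=$2
    while read -r name source _rest; do
        case $name in ''|'#'*) continue ;; esac      # skip blanks/comments
        case $source in UUID=*) ;; *) continue ;; esac
        # cryptsetup embeds the LUKS UUID, dashes removed, in the dm UUID
        hex=$(printf '%s' "${source#UUID=}" | tr -d '-')
        while IFS=: read -r act_name act_uuid; do
            case $act_uuid in
                CRYPT-LUKS*-"$hex"-*)
                    [ "$act_name" = "$name" ] ||
                        printf '%s is open as %s\n' "$name" "$act_name" ;;
            esac
        done < "$active"
    done < "$crypttab"
}

# Constructed sample data mirroring the report: crypttab expects
# luks-<uuid>, but the volume was opened by hand as luks-sdb.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/crypttab" <<'EOF'
# name  source  keyfile
luks-a65b15b1-0590-4c6a-9360-ee50848f9e51 UUID=a65b15b1-0590-4c6a-9360-ee50848f9e51 /root/passfile.txt
EOF
    cat > "$tmp/active" <<'EOF'
luks-sdb:CRYPT-LUKS1-a65b15b105904c6a9360ee50848f9e51-luks-sdb
rhel-root:LVM-constructedplaceholder
EOF
    find_mapping_mismatches "$tmp/crypttab" "$tmp/active"
    rm -rf "$tmp"
}

demo
```

Any line it prints names a crypttab entry that systemd will try to activate again, which on the affected versions ends in the "Device or resource busy" failure and the passphrase prompt shown in the log above.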

Comment 1 David Tardon 2019-01-25 18:39:58 UTC
I can reproduce the scenario on 7.3 and 7.4, but not on 7.5.

Comment 2 Jan Synacek 2019-01-28 06:27:02 UTC
Not reproducible anymore. Customer case closed.

