Bug 432961 - passfile option for key=openssl doesn't work
passfile option for key=openssl doesn't work
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: ecryptfs-utils (Show other bugs)
5.2
All Linux
low Severity medium
: rc
: ---
Assigned To: Karsten Hopp
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-02-15 08:45 EST by Jan Tluka
Modified: 2008-05-21 13:33 EDT (History)
2 users (show)

See Also:
Fixed In Version: RHEA-2008-0430
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-21 13:33:28 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Tluka 2008-02-15 08:45:04 EST
Description of problem:
When I try to mount filesystem using key=openssl option and passfile option,
mount helper fails and reports error.


Version-Release number of selected component (if applicable):
ecryptfs-utils-38-1.el5
linux kernel 2.6.18-79.el5


How reproducible:
100% running mount.ecryptfs with appropriate options


Steps to Reproduce:
as root do following:
1. create openssl key
openssl genrsa -out mykey.pem -des3 -passout pass:secret

2. prepare file containing passphrase
echo "passwd=secret" > passfile.txt

3. create mount point and mount filesystem
mkdir .secret
mount.ecryptfs .secret/ .secret/ -o \
key=openssl:keyfile=mykey.pem:passfile=passfile.txt,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,verbosity=0


Actual results:
mount.ecryptfs fails with error and filesystem is not mounted.

-mount.ecryptfs output:
Attempting to mount with the following options:
Error mounting eCryptfs; rc = [-22]; strerr = [Invalid argument]. Check your
system logs; visit <http://ecryptfs.sourceforge.net/ecryptfs-faq.html>.

-dmesg says:
ecryptfs_parse_options: eCryptfs: unrecognized option 'verbosity=0'
ecryptfs_parse_options: You must supply at least one valid auth tok signature as
a mount parameter; see the eCryptfs README
Error parsing options; rc = [-22]


Expected results:
Filesystem is mounted without errors.


Additional info:
If I use 'passwd=secret' instead of 'passfile=passfile.txt' filesystem is
mounted without errors.
Comment 1 Michael Halcrow 2008-02-18 17:09:32 EST
Note that only keyfiles generated by the eCryptfs key module via the
ecryptfs-manager utility are currently supported.

The correct OpenSSL key module parameter for specifying a file containing a
keyfile passphrase is "passwd_file". If this is documented incorrectly in the
man pages, this needs to be corrected.

The passwd_file option for the openssl key module is not implemented in release
38. It is implemented in release 40, which is currently in Fedora devel.

Mike
Comment 2 Eric Sandeen 2008-02-18 17:33:04 EST
Reopening just to let Karsten decide if he wants to pull this into RHEL5, since
that's what the bug was opened against...

Thanks,
-Eric
Comment 3 Phil Knirsch 2008-02-20 07:43:25 EST
Latest packages for RHEL-5.2 already are based on ecryptfs-utils-40 so they
already contain the fix.

Just flagged the bug appropriately and will close it as soon as we ship the errata.

Read ya, Phil
Comment 5 Michal Nowak 2008-02-20 12:18:06 EST
Confirming it works in 40 and is failing in 38.
--

NEW:
----

dhcp-lab-198 mounting # rpmquery ecryptfs-utils
ecryptfs-utils-40-1.el5

dhcp-lab-198 mounting # mount.ecryptfs .secret/ .secret/ -o
key=openssl:keyfile=mykey.pem:passwd_file=passfile.txt,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,verbosity=0
Attempting to mount with the following options:
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=b2230a51354c73d2
Mounted eCryptfs


OLD:
----

dhcp-lab-198 mounting # rpmquery ecryptfs-utils
ecryptfs-utils-38-1.el5

dhcp-lab-198 mounting # umount .secret/
dhcp-lab-198 mounting # umount .secret/
umount: .secret/: not mounted

dhcp-lab-198 mounting # mount.ecryptfs .secret/ .secret/ -o
key=openssl:keyfile=mykey.pem:passwd_file=passfile.txt,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,verbosity=0
Attempting to mount with the following options:
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
Error mounting eCryptfs; rc = [-22]; strerr = [Invalid argument]. Check your
system logs; visit <http://ecryptfs.sourceforge.net/ecryptfs-faq.html>.
dhcp-lab-198 mounting # mount | grep secret
--

I believe it's worth fixing it.
Comment 8 Michal Nowak 2008-02-26 03:04:02 EST
dhcp-lab-198 openssl-keyfile # mkdir secret

dhcp-lab-198 openssl-keyfile # ecryptfs-manager 

eCryptfs key management menu
-------------------------------
        1. Add passphrase key to keyring
        2. Add public key to keyring
        3. Generate new public/private keypair
        4. Exit

Make selection: 3
Select key type to use for newly created files: 
 1) openssl
Selection: 1
SSL key file path [/root/.ecryptfs/pki/openssl/key.pem]: mykey.pem
Passphrase: 
Returning to main menu

eCryptfs key management menu
-------------------------------
        1. Add passphrase key to keyring
        2. Add public key to keyring
        3. Generate new public/private keypair
        4. Exit

Make selection: 4

dhcp-lab-198 openssl-keyfile # ls -l mykey.pem 
-rw-r--r-- 1 root root 986 Feb 26 08:32 mykey.pem

dhcp-lab-198 openssl-keyfile # mount.ecryptfs secret/ secret/ -o
key=openssl:keyfile=mykey.pem:passwd_file=passfile.txt,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,verbosity=0
Attempting to mount with the following options:
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=cc8a94c1c8630ad3
Mounted eCryptfs

dhcp-lab-198 openssl-keyfile # echo "secrettext" > secret/stf.txt
-bash: secret/stf.txt: Transport endpoint is not connected

dhcp-lab-198 openssl-keyfile # ls -l secret/
total 4
-rw-r--r-- 1 root root 0 Feb 26 08:34 stf.txt

dhcp-lab-198 openssl-keyfile # echo "secrettext" > secret/stf.txt
-bash: secret/stf.txt: Input/output error
--

dhcp-lab-198 newman # Feb 26 08:49:23 dhcp-lab-198 kernel:
ecryptfs_send_message: User [0] does not have a daemon registered
Feb 26 08:49:23 dhcp-lab-198 kernel: pki_encrypt_session_key: Error sending
netlink message
Feb 26 08:49:23 dhcp-lab-198 kernel: write_tag_1_packet: Failed to encrypt
session key via a pki<4>ecryptfs_generate_key_packet_set: Error writing tag 1 packet
Feb 26 08:49:23 dhcp-lab-198 kernel: ecryptfs_write_headers_virt: Error
generating key packet set; rc = [-107]
Feb 26 08:49:23 dhcp-lab-198 kernel: ecryptfs_write_metadata: Error whilst
writing headers
Feb 26 08:49:23 dhcp-lab-198 kernel: Error writing headers; rc = [-107]
Feb 26 08:49:23 dhcp-lab-198 kernel: Error attempting to read the
[user.ecryptfs] xattr from the lower file; return value = [4294967235]
Feb 26 08:49:23 dhcp-lab-198 kernel: Attempt to read file that is not in a valid
eCryptfs format, and plaintext passthrough mode is not enabled; returning -EIO
--
Comment 9 Michael Halcrow 2008-02-26 10:06:41 EST
> ecryptfs_send_message: User [0] does not have a daemon registered

When using a non-passphrase key module, the user accessing the eCryptfs mount
point needs to have the ecryptfsd daemon running.

Mike
Comment 10 Michal Nowak 2008-02-27 10:02:31 EST
Thanks Mike, got it. Works OK then.
Comment 13 errata-xmlrpc 2008-05-21 13:33:28 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2008-0430.html

Note You need to log in before you can comment on or make changes to this bug.