Bug 441494 - passwd_file does not work for key=passphrase
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: ecryptfs-utils
All Linux
low Severity low
Assigned To: Karsten Hopp
Reported: 2008-04-08 09:36 EDT by Jan Tluka
Modified: 2009-01-20 16:59 EST
Doc Type: Bug Fix
Last Closed: 2009-01-20 16:59:57 EST
Description Jan Tluka 2008-04-08 09:36:53 EDT
Description of problem:
This bug is related to bug #432961.
Man pages for ecryptfs were updated and claim that the 'passwd_file' key option is
used to specify the file that contains the passphrase.
When I want to use 'passwd_file' with 'key=passphrase' I get an error when parsing
options. When I use 'passfile' instead of 'passwd_file' it works fine.
We need to have either one common option for the password file, or the man pages
should note that a different option is used for different key types. I'd prefer
the first approach.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
as root:
1. Look at the documentation
 man ecryptfs # and look for passwd_file in 'KEY OPTIONS'
2. prepare password file
 cd ~
 echo "secret_password" > .my_password
 mkdir .secret
3. mount directory
mount -t ecryptfs .secret .secret -o
Actual results:
from mount:
Error mounting eCryptfs; rc = [-22]; strerr = [Invalid argument]. Check your
system logs

from system log:
ecryptfs_parse_options: You must supply at least one valid auth tok signature as
a mount parameter; see the eCryptfs README
Error parsing options; rc = [-22]

Expected results:
Filesystem is mounted without errors.

Additional info:
The same should be done for passwd_fd key option.
Comment 1 Jan Tluka 2008-04-08 10:30:19 EDT
There is also difference between content of password files.

In case of passfile the content has to be:
#cat .my_password

In case of passwd_file the content has to be:
# cat .my_password
Comment 2 Jan Tluka 2008-04-08 11:46:18 EDT
Please ignore my comment #1.
The password file in both cases has to be:
# cat .my_password
Comment 3 Phil Knirsch 2008-04-28 08:47:46 EDT
Looks like a simple fix.

Proposing for RHEL-5.3 and granting Devel ACK.

Read ya, Phil
Comment 4 Phil Knirsch 2008-05-14 10:00:06 EDT
Proposing bug for RHEL-5.3 FasTrack.

Read ya, Phil
Comment 7 Karsten Hopp 2008-06-05 04:41:23 EDT
Upstream answer:
passfile and passwd_file are two separate and distinct parameters that
apply to two different key modules (passphrase and openssl,

There is an obvious namespace problem with the key modules that I
would like to fix for RHEL 5.3. My original approach was to qualify
module parameters by evaluating them in module parameter list
context. Given that parameters can be given in any order in a
configuration file, that does not work out very well. It would
probably make more sense to explicitly indicate which key modules
which parameters apply to by prefixing the parameter with the key
module alias (i.e., "openssl_passwd_file" and

Any objections to making this change for RHEL 5.3?
Comment 8 Kevin Krafthefer 2008-06-06 13:34:31 EDT
approved comp, clearing fast flag
Comment 9 Karsten Hopp 2008-08-14 08:21:43 EDT
Version 56 has upstream fixes for the namespace problems.

The testcase in the description now needs to be written as:
mount -t ecryptfs .secret .secret -o key=passphrase:passphrase_passwd_file=/root/.my_password,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,verbosity=0
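
An added example, not part of the original report or of ecryptfs-utils: a small Python check that flags key-module parameters in a `-o` option string that lack the key module alias prefix described in Comments 7 and 9. The option grammar is inferred from the mount line in Comment 9, and `lint_mount_options` and the sample strings are hypothetical.

```python
# Added example: lint eCryptfs "-o" strings for key-module parameters that are
# not prefixed with the alias of the selected key module.
# Assumption: grammar inferred from the single mount line in Comment 9:
#   key=<alias>[:<param>=<value>...],<mount_opt>=<value>,...
# Values containing ',' or ':' are not handled by this sketch.

# Unprefixed names taken from this bug report only.
LEGACY_UNPREFIXED = {"passwd_file", "passfile"}


def lint_mount_options(opts):
    """Return a list of findings; an empty list means the string is namespaced."""
    findings = []
    alias = None
    for item in opts.split(","):
        name, _, value = item.partition("=")
        if name == "key":
            # First field is the key module alias, the rest are its parameters.
            alias, *params = value.split(":")
            for param in params:
                pname = param.partition("=")[0]
                if not pname.startswith(alias + "_"):
                    findings.append(
                        f"{pname}: not prefixed with key module alias '{alias}_'"
                    )
        elif name in LEGACY_UNPREFIXED:
            # Flagged wherever it appears, so option order does not matter.
            findings.append(f"{name}: unprefixed key-module parameter outside key=")
    if alias is None:
        findings.append("no key=<alias> option found")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs: the first is the line from Comment 9, the
    # second is a hypothetical pre-fix form using the unprefixed name.
    samples = [
        "key=passphrase:passphrase_passwd_file=/root/.my_password,"
        "ecryptfs_cipher=aes,ecryptfs_key_bytes=16,verbosity=0",
        "key=passphrase:passwd_file=/root/.my_password,ecryptfs_cipher=aes",
    ]
    for s in samples:
        result = lint_mount_options(s)
        print("OK" if not result else "; ".join(result))
```
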
Comment 16 errata-xmlrpc 2009-01-20 16:59:57 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

