Red Hat Bugzilla – Bug 486152
RFE: authconfig should support pam_ecryptfs
Last modified: 2011-02-08 16:15:17 EST
Description of problem:
In order to use the automount feature of ecryptfs, for the ~/Private folder, some modifications to /etc/pam.d/system-auth are required.
Specifically, it is needed to add some directives with pam_ecryptfs.so in a proper order.
The problem is that /etc/pam.d/system-auth is changed whenever authconfig is used and "user changes will be destroyed"...
It would be good to integrate pam_ecryptfs.so awareness into authconfig, so that it (pam_ecryptfs.so) could even be configured from within authconfig.
Version-Release number of selected component (if applicable):
Just curious to know how it is going with this, since in koji, looking at the changelog, I did not find any reference to this entry.
This is still not implemented. Patches welcome. I'd prefer to start by having it implemented in the command line UI. I'd like to keep the GUI as simple as possible.
In the %post of pam_ecryptfs it would then be possible to enable the module with a call to authconfig.
Created attachment 461342 [details]
patch to authconfig 6.1.11
The attached patch against Fedora 14's authconfig git repo takes care of adding a USEECRYPTFS key to /etc/sysconfig/authconfig and does parsing+regeneration of pam_ecryptfs entries in /etc/pam.d/system-auth.
The only quirk is that, since PAM files are read after sysconfig files, it is impossible to disable ecryptfs with
followed by "authconfig --updateall --update", because the pam_ecryptfs entry in system-auth trumps the USE_ECRYPTFS setting. I don't know if this is due to a mistake or is by design. I was simply copying what is done for fprintd. :)
This is by design. I will add the patch to the upstream repository and it will be included in the next authconfig release. Thank you.
Unfortunately the patch is not sufficient. The first (simple) problem is that not only the system-auth file but also the password-auth file should be modified. However, the bigger problem is with the way the module has to be inserted into the PAM auth and password stacks. The module has to be called after the primary authentication modules (pam_unix, pam_krb5, pam_sss, pam_ldap), but these modules are "sufficient" in the current configuration as authconfig generates it. This means substantial changes are needed: these modules cannot be "sufficient", and a sophisticated configuration with jumps will have to be used. The other option would be to add a new file which would be called as a 'substack' and which would contain just the above mentioned modules.
You're right. This works for me:
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
auth required pam_env.so
auth substack system-auth-chk
auth optional pam_ecryptfs.so unwrap
I think it's better to do it the other way round, i.e. by adding a postlogin configuration file in PAM and calling it whenever appropriate. You definitely do not want to mount ecryptfs when doing "chfn" for example... And in any case the above will not work for graphical login. I have a patch but I still have to finish the PAM side.
Created attachment 461547 [details]
This is an updated version of the patch that puts the "auth" and "session" pieces in a separate file /etc/pam.d/postlogin. I'll shortly upload the other missing pieces.
Created attachment 461548 [details]
This is the authconfig.spec part of the feature.
Created attachment 461551 [details]
RFC patches for other packages
Other affected packages luckily require no upstream changes; PAM files are included directly in the Fedora RPMs. For this reason, this attachment includes as an RFC all the changes to affected packages: pam, util-linux-ng and gdm. I am not including /etc/pam.d/sshd and /etc/pam.d/remote.
If a package is missing, the only result is that ecryptfs will not be mounted when logging in via that service. It does not have any effect on the ability to use the service. The changes only ensure that *-auth is called as "auth substack" rather than "auth include", and add
auth include postlogin
session include postlogin
to the affected files.
If this approach is considered acceptable, I can clone the BZ for all affected packages. Maybe this should also be added to the F15 features page. Tomas, what do you think?
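The ordering problem raised above (a "sufficient" pam_unix short-circuits the stack before an "optional" pam_ecryptfs line placed after it, so the module never runs on a successful login) and the substack-plus-postlogin fix are easiest to see by simulating the control flow. The following Python script is an added example, not part of the bug report or of authconfig; the /etc/pam.d contents, the per-module outcomes and the service names are constructed, and the PAM control semantics are deliberately simplified (required, requisite, sufficient, optional, include and substack only, no bracketed actions).

```python
"""Simulate Linux-PAM auth-stack control flow to show why pam_ecryptfs must be
reached via a separately included 'postlogin' file rather than placed after a
'sufficient' module inside system-auth.  Added example; pam.d contents below
are constructed and simplified, not taken from any distribution."""

# Constructed layout 1: pam_ecryptfs appended to system-auth itself.
PAMD_NAIVE = {
    "system-auth": """
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required   pam_deny.so
auth optional   pam_ecryptfs.so unwrap
""",
    "login": "auth include system-auth\n",
}

# Constructed layout 2: system-auth called as a substack, postlogin included.
PAMD_POSTLOGIN = {
    "system-auth": """
auth required   pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required   pam_deny.so
""",
    "postlogin": "auth optional pam_ecryptfs.so unwrap\n",
    "login": "auth substack system-auth\nauth include postlogin\n",
    "chfn": "auth substack system-auth\n",   # deliberately no postlogin
}

# Constructed per-module outcomes: True = PAM_SUCCESS, False = any failure.
OUTCOMES = {
    "pam_env.so": True, "pam_unix.so": True, "pam_succeed_if.so": True,
    "pam_sss.so": False, "pam_deny.so": False, "pam_ecryptfs.so": True,
}


def parse(text, kind="auth"):
    """Return [(control, module)] for lines of the given type; skip comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#") or fields[0] != kind:
            continue
        entries.append((fields[1], fields[2]))
    return entries


def expand_includes(pamd, name):
    """'include' splices the other file's lines in place (so a 'sufficient'
    success inside it ends the *including* stack); 'substack' stays a single
    entry so it can be evaluated as a nested stack of its own."""
    expanded = []
    for control, module in parse(pamd[name]):
        if control == "include":
            expanded.extend(expand_includes(pamd, module))
        else:
            expanded.append((control, module))
    return expanded


def run_stack(pamd, name, outcomes, executed):
    """Evaluate one auth stack with simplified Linux-PAM semantics.
    Appends every module actually invoked to `executed`; returns True on success."""
    impression = None                      # None, True, or False (sticky failure)
    for control, module in expand_includes(pamd, name):
        if control == "substack":
            ok = run_stack(pamd, module, outcomes, executed)
        else:
            ok = outcomes.get(module, True)
            executed.append(module)
        if control == "optional":
            continue                       # result ignored
        if control == "sufficient":
            if ok and impression is not False:
                return True                # ends only the *current* stack
            continue                       # a failing 'sufficient' is ignored
        if not ok:                         # required, requisite, substack
            if control == "requisite":
                return False
            impression = False
        elif impression is None:
            impression = True
    return bool(impression)


def auth_modules_run(pamd, service, outcomes=OUTCOMES):
    """(result, [modules invoked in order]) for one PAM service."""
    executed = []
    return run_stack(pamd, service, outcomes, executed), executed


if __name__ == "__main__":
    for label, pamd, svc in (("naive/login", PAMD_NAIVE, "login"),
                             ("postlogin/login", PAMD_POSTLOGIN, "login"),
                             ("postlogin/chfn", PAMD_POSTLOGIN, "chfn")):
        ok, ran = auth_modules_run(pamd, svc)
        print(f"{label:16} success={ok} ran={ran}")
```

Running it shows that in the naive layout a successful pam_unix authentication never reaches pam_ecryptfs (it is only invoked when authentication has already failed, which is the opposite of what is wanted), that with system-auth as a "substack" the short-circuit stops at the substack boundary and the postlogin line runs, and that a service such as chfn that omits postlogin keeps its authentication stack unchanged without ever touching pam_ecryptfs.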
Created attachment 470252 [details]
authconfig patch v2
Updated to add "password optional pam_ecryptfs.so unwrap" to postlogin instead of system-auth. See also bug 665063.
Created attachment 476434 [details]
authconfig.spec patch v2
Patch used to build http://koji.fedoraproject.org//koji/taskinfo?taskID=2754782
Created attachment 476435 [details]
the two authconfig commits that fix the bug