PAM updates for mounting an encrypted user's home at login

I would like to decrypt my LUKS encrypted /home directory at login on Rocky Linux 9.1. I have been trying to adapt this Arch Linux guide (dm-crypt/Mounting at login - ArchWiki) and this GitHub repo (GitHub - fumiyas/linux-crypthome: Mount/Unmount an encrypted user's home directory at login/logout) for Rocky 9.1. /etc/pam.d/system-login does not exist on Rocky, so I have updated /etc/pam.d/postlogin and /etc/pam.d/system-auth with pam_exec.so calls to a custom script (/usr/local/sbin/pam_cryptsetup.sh) that will decrypt and mount my encrypted /home directory. The updates I made to postlogin and system-auth allow me to ssh into my machine, but logging in from the GNOME login screen fails. If I am already logged in from ssh and then log in from the GNOME login screen, that works. Does anyone know how to update the files in /etc/pam.d/ to enable GNOME screen login, or have any bright ideas?

# cat /etc/pam.d/postlogin
session     optional                   pam_umask.so silent
session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]                pam_lastlog.so nowtmp silent
session     optional                   pam_lastlog.so silent noupdate showfailed
auth        optional                   pam_exec.so debug expose_authtok log=/tmp/pam_cryptsetup.log /usr/local/sbin/pam_cryptsetup.sh
session     optional                   pam_exec.so /usr/local/sbin/pam_cryptsetup.sh

# cat /etc/pam.d/system-auth
auth        optional                                     pam_exec.so debug expose_authtok log=/tmp/pam_cryptsetup.log /usr/local/sbin/pam_cryptsetup.sh
auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        sufficient                                   pam_fprintd.so
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so
auth        optional                                     pam_mount.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so
password    optional                                     pam_mount.so

session     optional                                     pam_exec.so debug /usr/local/sbin/pam_cryptsetup.sh
session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so
session     optional                                     pam_mount.so

# cat /usr/local/sbin/pam_cryptsetup.sh
#!/bin/sh
# Called by pam_exec.so, which sets PAM_USER in the environment. In the auth
# phase, with expose_authtok, the login password is written to this script's
# stdin; cryptsetup reads the passphrase from stdin when stdin is not a terminal.

CRYPT_USER="user"
PARTITION="/dev/vg_alnair/crypthome.$CRYPT_USER"
NAME="decrypthome.$CRYPT_USER"
# Leave these disabled: they would copy the login password into a file under
# /tmp that any local user can read under the default umask.
# PW=$(cat /dev/stdin)
# echo $PW > /tmp/pw.$PAM_USER

if [ "$PAM_USER" = "$CRYPT_USER" ] && [ ! -e "/dev/mapper/$NAME" ]; then
    logger "$(basename "$0"): $PAM_USER: decrypting /dev/mapper/$NAME"
    /usr/sbin/cryptsetup open "$PARTITION" "$NAME"
    status=$?
    if [ $status -eq 0 ]; then
        logger "$(basename "$0"): cryptsetup success for $PAM_USER!: $status"
    else
        logger "$(basename "$0"): cryptsetup failed for $PAM_USER!: $status"
    fi
else
    logger "$(basename "$0"): $PAM_USER: not decrypting anything!"
fi

Here are some outputs from journalctl after failing to log in from the GNOME login screen:

# journalctl -r -t gdm-password]
Mar 20 17:46:59 alnair gdm-password][1851]: pam_unix(gdm-password:session): session closed for user user
Mar 20 17:46:56 alnair gdm-password][1851]: pam_exec(gdm-password:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:46:56 alnair gdm-password][1894]: pam_exec(gdm-password:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:46:56 alnair gdm-password][1851]: gkr-pam: gnome-keyring-daemon started properly
Mar 20 17:46:56 alnair gdm-password][1851]: gkr-pam: unable to locate daemon control file
Mar 20 17:46:56 alnair gdm-password][1851]: pam_unix(gdm-password:session): session opened for user user(uid=1000) by (uid=0)
Mar 20 17:46:56 alnair gdm-password][1851]: pam_systemd(gdm-password:session): Failed to create session: Job 2126 for unit 'session-4.scope' failed with 'dependency'
Mar 20 17:45:26 alnair gdm-password][1860]: pam_exec(gdm-password:auth): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:45:26 alnair gdm-password][1851]: pam_exec(gdm-password:auth): send password to child

# journalctl -r -t sshd
Mar 20 17:45:18 alnair sshd[1781]: pam_exec(sshd:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:45:18 alnair sshd[1814]: pam_exec(sshd:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:45:18 alnair sshd[1781]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar 20 17:45:18 alnair sshd[1781]: Accepted password for root from 192.168.1.66 port 60590 ssh2
Mar 20 17:45:18 alnair sshd[1784]: pam_exec(sshd:auth): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:45:18 alnair sshd[1781]: pam_exec(sshd:auth): send password to child
Mar 20 17:44:49 alnair sshd[875]: Server listening on :: port 22.
Mar 20 17:44:49 alnair sshd[875]: Server listening on 0.0.0.0 port 22.

# journalctl -r | grep pam_cryptsetup.sh
Mar 20 17:47:01 alnair root[1945]: pam_cryptsetup.sh: cryptsetup failed for user!: 4
Mar 20 17:46:59 alnair root[1942]: pam_cryptsetup.sh: user: decrypting /dev/mapper/decrypthome.user
Mar 20 17:46:56 alnair gdm-password][1851]: pam_exec(gdm-password:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:46:56 alnair gdm-password][1894]: pam_exec(gdm-password:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:45:26 alnair root[1865]: pam_cryptsetup.sh: cryptsetup failed for user!: 4
Mar 20 17:45:26 alnair root[1862]: pam_cryptsetup.sh: user: decrypting /dev/mapper/decrypthome.user
Mar 20 17:45:26 alnair gdm-password][1860]: pam_exec(gdm-password:auth): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:45:18 alnair sshd[1781]: pam_exec(sshd:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:45:18 alnair sshd[1814]: pam_exec(sshd:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:45:18 alnair systemd[1791]: pam_exec(systemd-user:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:45:18 alnair systemd[1799]: pam_exec(systemd-user:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:45:18 alnair systemd[1799]: pam_exec(systemd-user:session): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:45:18 alnair root[1786]: pam_cryptsetup.sh: root: not decrypting anything!
Mar 20 17:45:18 alnair sshd[1784]: pam_exec(sshd:auth): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:45:02 alnair root[1371]: pam_cryptsetup.sh: gdm: not decrypting anything!
Mar 20 17:45:01 alnair systemd[1358]: pam_exec(systemd-user:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:45:01 alnair systemd[1360]: pam_exec(systemd-user:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:45:01 alnair systemd[1360]: pam_exec(systemd-user:session): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:45:01 alnair root[1356]: pam_cryptsetup.sh: gdm: not decrypting anything!
Mar 20 17:45:01 alnair gdm-launch-environment][1354]: pam_exec(gdm-launch-environment:session): Calling /usr/local/sbin/pam_cryptsetup.sh ...

After a successful ssh login as ‘user’:

$ journalctl -r -t sshd
Mar 20 17:51:01 alnair sshd[1990]: pam_exec(sshd:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:51:01 alnair sshd[2074]: pam_exec(sshd:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:51:00 alnair sshd[1990]: pam_unix(sshd:session): session opened for user user(uid=1000) by (uid=0)
Mar 20 17:51:00 alnair sshd[1990]: Accepted password for user from 192.168.1.66 port 55326 ssh2
Mar 20 17:50:56 alnair sshd[1993]: pam_exec(sshd:auth): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:50:56 alnair sshd[1990]: pam_exec(sshd:auth): send password to child
Mar 20 17:50:31 alnair sshd[869]: Server listening on :: port 22.
Mar 20 17:50:31 alnair sshd[869]: Server listening on 0.0.0.0 port 22.

$ journalctl -r | grep pam_cryptsetup.sh
Mar 20 17:51:01 alnair sshd[1990]: pam_exec(sshd:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:51:01 alnair sshd[2074]: pam_exec(sshd:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:50:59 alnair systemd[2060]: pam_exec(systemd-user:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:50:59 alnair systemd[2062]: pam_exec(systemd-user:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:50:59 alnair systemd[2062]: pam_exec(systemd-user:session): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:50:58 alnair root[2052]: pam_cryptsetup.sh: cryptsetup success for user!: 0
Mar 20 17:50:56 alnair root[1995]: pam_cryptsetup.sh: user: decrypting /dev/mapper/decrypthome.user
Mar 20 17:50:56 alnair sshd[1993]: pam_exec(sshd:auth): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:50:44 alnair root[1573]: pam_cryptsetup.sh: gdm: not decrypting anything!
Mar 20 17:50:43 alnair systemd[1560]: pam_exec(systemd-user:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:50:43 alnair systemd[1562]: pam_exec(systemd-user:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:50:43 alnair systemd[1562]: pam_exec(systemd-user:session): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:50:43 alnair root[1558]: pam_cryptsetup.sh: gdm: not decrypting anything!
Mar 20 17:50:43 alnair gdm-launch-environment][1556]: pam_exec(gdm-launch-environment:session): Calling /usr/local/sbin/pam_cryptsetup.sh ...

I feel like the ‘session’ lines added to the pam scripts aren’t really necessary as the login password isn’t even passed to pam_cryptsetup.sh.
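Two things in the logs above are worth checking before touching the PAM stack further. First, exit code 13 is EACCES: when pam_exec cannot execve the helper it exits with the errno, which is exactly the "execve(...) failed: Permission denied" line that precedes each "exit code 13". The session phase runs the script from contexts the auth phase never uses (systemd --user runs as the user, gdm-launch-environment as gdm), so the file must be readable and executable by them (`ls -lZ /usr/local/sbin/pam_cryptsetup.sh`, normally root:root 0755); if the mode is fine, the same file failing only in the session phase of sshd and gdm-password points at SELinux, which the session stacks on RHEL-family systems enter after `pam_selinux.so open`, so `ausearch -m AVC -ts recent` is the next place to look. Second, pam_exec tells the script which phase it is in through PAM_TYPE (auth, open_session, close_session, ...), and the password is on stdin only in the auth phase, so one script can unlock in auth and mount in open_session without either line guessing.

The script below is an added example written for this thread, not the poster's script and not code from the ArchWiki or linux-crypthome. It assumes the device, mapper name and user from the post, a mountpoint of /home/user, and the two pam_exec lines shown in its header comment; CRYPTSETUP, MOUNT and UMOUNT are overridable only so the decision logic can be exercised without root.

```shell
#!/bin/sh
# pam_cryptsetup.sh: added example, not the original poster's script.
# Intended PAM lines (assumed):
#   auth    optional pam_exec.so expose_authtok quiet /usr/local/sbin/pam_cryptsetup.sh
#   session optional pam_exec.so                quiet /usr/local/sbin/pam_cryptsetup.sh
# pam_exec exports PAM_TYPE (auth, open_session, close_session, ...), PAM_USER
# and PAM_SERVICE. With expose_authtok the password is written to the child's
# stdin in the auth phase only; the session phase must never expect it.

CRYPT_USER="${CRYPT_USER:-user}"
PARTITION="${PARTITION:-/dev/vg_alnair/crypthome.$CRYPT_USER}"   # from the post
NAME="${NAME:-decrypthome.$CRYPT_USER}"                           # from the post
MOUNTPOINT="${MOUNTPOINT:-/home/$CRYPT_USER}"                     # assumed mountpoint
CRYPTSETUP="${CRYPTSETUP:-/usr/sbin/cryptsetup}"  # overridable for testing without root
MOUNT="${MOUNT:-/usr/bin/mount}"
UMOUNT="${UMOUNT:-/usr/bin/umount}"

log() { logger -t pam_cryptsetup -- "$*"; }

# decide_action PAM_TYPE PAM_USER MAPPED(0|1): prints open, mount, close or skip.
# A pure function of its arguments, so it can be tested outside PAM.
decide_action() {
    ptype=$1; puser=$2; mapped=$3
    if [ "$puser" != "$CRYPT_USER" ]; then
        echo skip; return 0
    fi
    case "$ptype" in
        auth)          if [ "$mapped" -eq 0 ]; then echo open;  else echo skip; fi ;;
        open_session)  if [ "$mapped" -eq 1 ]; then echo mount; else echo skip; fi ;;
        close_session) if [ "$mapped" -eq 1 ]; then echo close; else echo skip; fi ;;
        *)             echo skip ;;
    esac
}

# Unlock the LUKS volume with the passphrase pam_exec put on stdin. The fd is
# handed straight to cryptsetup (it reads the passphrase from stdin when stdin
# is not a terminal); the passphrase is never stored in a shell variable,
# echoed, logged or written under /tmp.
open_home() {
    "$CRYPTSETUP" open "$PARTITION" "$NAME" >/dev/null 2>&1
}

mount_home() {
    if mountpoint -q "$MOUNTPOINT"; then return 0; fi   # already mounted
    "$MOUNT" "/dev/mapper/$NAME" "$MOUNTPOINT"
}

close_home() {
    # Best-effort guard: keep the volume open while the user still has
    # processes (another ssh session, the GNOME session, systemd --user).
    if pgrep -u "$CRYPT_USER" >/dev/null 2>&1; then return 0; fi
    if mountpoint -q "$MOUNTPOINT"; then "$UMOUNT" "$MOUNTPOINT" || return 1; fi
    "$CRYPTSETUP" close "$NAME"
}

main() {
    mapped=0
    [ -e "/dev/mapper/$NAME" ] && mapped=1
    action=$(decide_action "${PAM_TYPE:-}" "${PAM_USER:-}" "$mapped")
    case "$action" in
        open)  open_home;  log "$PAM_SERVICE/$PAM_TYPE: cryptsetup open $NAME for $PAM_USER: rc=$?" ;;
        mount) mount_home; log "$PAM_SERVICE/$PAM_TYPE: mount $MOUNTPOINT: rc=$?" ;;
        close) close_home; log "$PAM_SERVICE/$PAM_TYPE: cryptsetup close $NAME: rc=$?" ;;
        *)     ;;
    esac
    # Always succeed: the module is 'optional', and a non-zero exit is still
    # reported by pam_exec as "failed: exit code N" for every login on the box.
    return 0
}

# Run only when invoked by pam_exec (PAM_TYPE is set); sourcing the file for
# tests leaves the functions defined without touching any device.
if [ -n "${PAM_TYPE:-}" ]; then
    main
    exit $?
fi
```

With this split, the `auth` line is the only one that needs `expose_authtok`, and a session-phase failure such as the EACCES above shows up as a mount that did not happen rather than as a second attempt to unlock with no passphrase on stdin. The `quiet` option on both pam_exec lines keeps the per-call "exit code" noise out of the journal once the script is known to work; the script's own `logger` lines still record what it did and for which PAM_SERVICE.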