I would like to decrypt my LUKS encrypted `/home` directory at login on Rocky Linux 9.1. I have been trying to adapt this Arch Linux guide (dm-crypt/Mounting at login - ArchWiki) and this GitHub repo (GitHub - fumiyas/linux-crypthome: Mount/Unmount an encrypted user's home directory at login/logout) for Rocky 9.1. `/etc/pam.d/system-login` does not exist for Rocky, so I have updated `/etc/postlogin` and `/etc/system-auth` with `pam_exec.so` calls to a custom script (`/usr/local/sbin/pam_cryptsetup.sh`) that will decrypt and mount my encrypted `/home` directory. The updates I made to `postlogin` and `system-auth` allow me to ssh into my machine, but login from the GNOME login screen fails. If I am already logged in from ssh and then login from the GNOME login screen, that will work. Does anyone know how to update the scripts in `/etc/pam.d/` to enable GNOME screen login, or have any bright ideas?
# cat /etc/pam.d/postlogin
session optional pam_umask.so silent
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp silent
session optional pam_lastlog.so silent noupdate showfailed
auth optional pam_exec.so debug expose_authtok log=/tmp/pam_cryptsetup.log /usr/local/sbin/pam_cryptsetup.sh
session optional pam_exec.so /usr/local/sbin/pam_cryptsetup.sh
# cat /etc/pam.d/system-auth
auth optional pam_exec.so debug expose_authtok log=/tmp/pam_cryptsetup.log /usr/local/sbin/pam_cryptsetup.sh
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
auth optional pam_mount.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
password optional pam_mount.so
session optional pam_exec.so debug /usr/local/sbin/pam_cryptsetup.sh
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_mount.so
# cat /usr/local/sbin/pam_cryptsetup.sh
#!/bin/sh
CRYPT_USER="user"
PARTITION="/dev/vg_alnair/crypthome.$CRYPT_USER"
NAME="decrypthome.$CRYPT_USER"
# PW=$(cat /dev/stdin)
# echo $PW > /tmp/pw.$PAM_USER
if [ "$PAM_USER" = "$CRYPT_USER" ] && [ ! -e "/dev/mapper/$NAME" ]; then
    logger "$(basename "$0"): $PAM_USER: decrypting /dev/mapper/$NAME"
    # pam_exec (expose_authtok) writes the password to stdin; cryptsetup reads the passphrase from there
    /usr/sbin/cryptsetup open "$PARTITION" "$NAME"
    status=$?
    if [ "$status" -eq 0 ]; then
        logger "$(basename "$0"): cryptsetup success for $PAM_USER!: $status"
    else
        logger "$(basename "$0"): cryptsetup failed for $PAM_USER!: $status"
    fi
else
    logger "$(basename "$0"): $PAM_USER: not decrypting anything!"
fi
Here are some outputs from journalctl after failing to login from the GNOME login screen:
# journalctl -r -t gdm-password]
Mar 20 17:46:59 alnair gdm-password][1851]: pam_unix(gdm-password:session): session closed for user user
Mar 20 17:46:56 alnair gdm-password][1851]: pam_exec(gdm-password:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:46:56 alnair gdm-password][1894]: pam_exec(gdm-password:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:46:56 alnair gdm-password][1851]: gkr-pam: gnome-keyring-daemon started properly
Mar 20 17:46:56 alnair gdm-password][1851]: gkr-pam: unable to locate daemon control file
Mar 20 17:46:56 alnair gdm-password][1851]: pam_unix(gdm-password:session): session opened for user user(uid=1000) by (uid=0)
Mar 20 17:46:56 alnair gdm-password][1851]: pam_systemd(gdm-password:session): Failed to create session: Job 2126 for unit 'session-4.scope' failed with 'dependency'
Mar 20 17:45:26 alnair gdm-password][1860]: pam_exec(gdm-password:auth): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:45:26 alnair gdm-password][1851]: pam_exec(gdm-password:auth): send password to child
# journalctl -r -t sshd
Mar 20 17:45:18 alnair sshd[1781]: pam_exec(sshd:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:45:18 alnair sshd[1814]: pam_exec(sshd:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:45:18 alnair sshd[1781]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar 20 17:45:18 alnair sshd[1781]: Accepted password for root from 192.168.1.66 port 60590 ssh2
Mar 20 17:45:18 alnair sshd[1784]: pam_exec(sshd:auth): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:45:18 alnair sshd[1781]: pam_exec(sshd:auth): send password to child
Mar 20 17:44:49 alnair sshd[875]: Server listening on :: port 22.
Mar 20 17:44:49 alnair sshd[875]: Server listening on 0.0.0.0 port 22.
# journalctl -r | grep pam_cryptsetup.sh
Mar 20 17:47:01 alnair root[1945]: pam_cryptsetup.sh: cryptsetup failed for user!: 4
Mar 20 17:46:59 alnair root[1942]: pam_cryptsetup.sh: user: decrypting /dev/mapper/decrypthome.user
Mar 20 17:46:56 alnair gdm-password][1851]: pam_exec(gdm-password:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:46:56 alnair gdm-password][1894]: pam_exec(gdm-password:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:45:26 alnair root[1865]: pam_cryptsetup.sh: cryptsetup failed for user!: 4
Mar 20 17:45:26 alnair root[1862]: pam_cryptsetup.sh: user: decrypting /dev/mapper/decrypthome.user
Mar 20 17:45:26 alnair gdm-password][1860]: pam_exec(gdm-password:auth): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:45:18 alnair sshd[1781]: pam_exec(sshd:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:45:18 alnair sshd[1814]: pam_exec(sshd:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:45:18 alnair systemd[1791]: pam_exec(systemd-user:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:45:18 alnair systemd[1799]: pam_exec(systemd-user:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:45:18 alnair systemd[1799]: pam_exec(systemd-user:session): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:45:18 alnair root[1786]: pam_cryptsetup.sh: root: not decrypting anything!
Mar 20 17:45:18 alnair sshd[1784]: pam_exec(sshd:auth): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:45:02 alnair root[1371]: pam_cryptsetup.sh: gdm: not decrypting anything!
Mar 20 17:45:01 alnair systemd[1358]: pam_exec(systemd-user:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:45:01 alnair systemd[1360]: pam_exec(systemd-user:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:45:01 alnair systemd[1360]: pam_exec(systemd-user:session): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:45:01 alnair root[1356]: pam_cryptsetup.sh: gdm: not decrypting anything!
Mar 20 17:45:01 alnair gdm-launch-environment][1354]: pam_exec(gdm-launch-environment:session): Calling /usr/local/sbin/pam_cryptsetup.sh ...
After a successful ssh login as ‘user’:
$ journalctl -r -t sshd
Mar 20 17:51:01 alnair sshd[1990]: pam_exec(sshd:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:51:01 alnair sshd[2074]: pam_exec(sshd:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:51:00 alnair sshd[1990]: pam_unix(sshd:session): session opened for user user(uid=1000) by (uid=0)
Mar 20 17:51:00 alnair sshd[1990]: Accepted password for user from 192.168.1.66 port 55326 ssh2
Mar 20 17:50:56 alnair sshd[1993]: pam_exec(sshd:auth): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:50:56 alnair sshd[1990]: pam_exec(sshd:auth): send password to child
Mar 20 17:50:31 alnair sshd[869]: Server listening on :: port 22.
Mar 20 17:50:31 alnair sshd[869]: Server listening on 0.0.0.0 port 22.
$ journalctl -r | grep pam_cryptsetup.sh
Mar 20 17:51:01 alnair sshd[1990]: pam_exec(sshd:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:51:01 alnair sshd[2074]: pam_exec(sshd:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:50:59 alnair systemd[2060]: pam_exec(systemd-user:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:50:59 alnair systemd[2062]: pam_exec(systemd-user:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:50:59 alnair systemd[2062]: pam_exec(systemd-user:session): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:50:58 alnair root[2052]: pam_cryptsetup.sh: cryptsetup success for user!: 0
Mar 20 17:50:56 alnair root[1995]: pam_cryptsetup.sh: user: decrypting /dev/mapper/decrypthome.user
Mar 20 17:50:56 alnair sshd[1993]: pam_exec(sshd:auth): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:50:44 alnair root[1573]: pam_cryptsetup.sh: gdm: not decrypting anything!
Mar 20 17:50:43 alnair systemd[1560]: pam_exec(systemd-user:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:50:43 alnair systemd[1562]: pam_exec(systemd-user:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:50:43 alnair systemd[1562]: pam_exec(systemd-user:session): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:50:43 alnair root[1558]: pam_cryptsetup.sh: gdm: not decrypting anything!
Mar 20 17:50:43 alnair gdm-launch-environment][1556]: pam_exec(gdm-launch-environment:session): Calling /usr/local/sbin/pam_cryptsetup.sh ...
I feel like the ‘session’ lines added to the pam scripts aren’t really necessary as the login password isn’t even passed to pam_decrypt.sh.
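A variant of the helper that decides from the PAM environment (phase, user, effective uid, mapper state) before calling cryptsetup, added here as an illustration and not the poster's script or the linux-crypthome project's code; it assumes the same device and mapper names as the post and that the password reaches stdin only on the auth line configured with expose_authtok:

```shell
#!/bin/sh
# Added example (not the original script). Same names as the post are assumed.
CRYPT_USER="user"
PARTITION="/dev/vg_alnair/crypthome.$CRYPT_USER"
NAME="decrypthome.$CRYPT_USER"

# crypthome_decision TYPE USER EUID MAPPER_EXISTS -> prints one word:
#   open   : auth phase, the crypt user, running as root, mapper not present yet
#   skip   : nothing to do (other user, session phase, or already opened)
#   noroot : not running as root, which is what happens when the systemd-user
#            stack in the posted journal runs the helper as the logging-in user
crypthome_decision() {
    type="$1"; user="$2"; euid="$3"; exists="$4"
    [ "$user" = "$CRYPT_USER" ] || { echo skip; return 0; }
    [ "$type" = "auth" ] || { echo skip; return 0; }
    [ "$euid" -eq 0 ] || { echo noroot; return 0; }
    [ "$exists" = "yes" ] && { echo skip; return 0; }
    echo open
}

main() {
    me=$(basename "$0")
    euid=$(id -u)
    exists=no; [ -e "/dev/mapper/$NAME" ] && exists=yes
    case "$(crypthome_decision "$PAM_TYPE" "$PAM_USER" "$euid" "$exists")" in
        open)
            logger -t "$me" "$PAM_USER: opening $NAME from $PAM_SERVICE"
            # The passphrase is on stdin (pam_exec expose_authtok) and cryptsetup
            # reads it from a non-tty stdin, so it is never put on a command line
            # or written to /tmp.
            /usr/sbin/cryptsetup open "$PARTITION" "$NAME"
            logger -t "$me" "cryptsetup exit status $? for $PAM_USER"
            ;;
        noroot)
            logger -t "$me" "$PAM_SERVICE/$PAM_TYPE: uid $euid is not root, skipping"
            ;;
        *)
            logger -t "$me" "$PAM_USER/$PAM_TYPE: nothing to do"
            ;;
    esac
    # Exit 0 regardless so a helper problem cannot block login; the stack
    # marks the module "optional" anyway.
    exit 0
}

# Run only when invoked by PAM (PAM_TYPE set); the functions can be sourced otherwise.
[ -n "$PAM_TYPE" ] && main
```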