any libpam-gocryptfs

[jsalatiel]

Is there any pam module to automount after login just like libpam-encfs ?

[guedressel]

Could this be an alternative to pam triggered mounts?
https://www.freedesktop.org/software/systemd/man/systemd.automount.html

[rfjakob]

@guedressel I don't know, I think the point of doing it in PAM is that you can get a password from the user.

@jsalatiel There is no PAM module written specifically for gocryptfs, but I think this should be possible with pam-mount. If you find out how to do it i'd be happy to add it to the gocryptfs documentation.

[jsalatiel]

@rfjakob, couldn't you extend the libpam-encfs to support gocrypt ? or copy it changing what needs to be changed. ( i think it is gpl )

[jsalatiel]

from what i see, if gocryptfs supports password from stdin ( -S ) , libpam-encfs would work just fine if i rename "gocryptfs" to "encfs"

[jsalatiel]

@rfjakob, would it be possible to add support to fuse "alow-root" and "nonempty" ?
These are need to allow a customized pam_encfs to mount gocryptfs from gdm/lightdm

[rfjakob]

You can use the -allow_other option, this implies allow_root. Do you actually need "nonempty"? Why would you want to mount over a non-empty directory?

[jsalatiel]

@rfjakob , when trying to automount using a customized pam_encfs or even pam_mount it will never mount because of the damn .cache folder in home directory. I dont know who create this folder, but even if i delete, it will be recreated before the gocryptfs mount the actual directory, so it will fail.
The same applies to encfs, if i dont use the -- -o nonempty it will fail too.

It would be nice if you could accept the extra fuse parameters like encfs.

About the allow_other, i would prefer allow_root because its safer for non IT users.

[rfjakob]

Haha, the cache directory, I see. Will add a nonempty option.

allow_root is for the xauthority file?

[jsalatiel]

allow_root is also for the xauthority. =)
Would it be too much trouble to add -- -o fuse_options_here ? =)

[jsalatiel]

@rfjakob if you can make gocryptfs work like encfs concerning mounting parameters, gocryptfs will work with pam_mount fuse without no changes to the pam_mount code.
See this:
# mount.fuse encfs#/tmp/a /tmp/b -- -o allow_root,nonempty && echo OK || echo ERROR
EncFS Password:
OK

# mount.fuse gocryptfs#/tmp/a /tmp/b -- -o allow_root,nonempty && echo OK || echo ERROR
Usage: gocryptfs [OPTIONS] CIPHERDIR MOUNTPOINT
ERROR

This is the call that pam_mount make to mount fuse directories.

[rfjakob]

I think this command line fails because of two issues:

1. It passes the option "-o" AFTER passing the "do not process any more options" marker, "--". Huh?

2. allow_root is not supported by gocryptfs. This seems to be something that is implemented in the libfuse C library, because it is NOT understood by the kernel. The kernel only understands allow_other: http://lxr.free-electrons.com/source/Documentation/filesystems/fuse.txt .

For now I'd recommend to:

• Delete the "--"
• Use the "-allow_other" option instead of "-o allow_root"

And once I have it implemented, add the "-nonempty" option

[jsalatiel]

# mount.fuse gocryptfs#/tmp/a /tmp/b -o allow_other && echo OK || echo ERROR
Usage: gocryptfs [OPTIONS] CIPHERDIR MOUNTPOINT
ERROR

# mount.fuse gocryptfs#/tmp/a /tmp/b -allow_other && echo OK || echo ERROR
Usage: gocryptfs [OPTIONS] CIPHERDIR MOUNTPOINT
ERROR

#mount.fuse encfs#/tmp/a /tmp/b -o allow_other && echo OK || echo ERROR
EncFS Password:
OK

Apparently the -o is mandatory to pass fuse options to command line, and gocrypt wont allow the '-o' and even require parameters to be set before the paths.

# mount.fuse
usage: mount.fuse type#[source] destination [-t type] [-o opt[,opts...]]

[rfjakob]

gocryptfs -allow_other /tmp/a /tmp/b

[jsalatiel]

@rfjakob i understant that this way it will work. What i mean is that using options before the paths will force changes to the source code of pam_mount to allow support for gocrypt. By default, pam_mount support fuse type and internally will call

#mount.fuse EXECUTABLE#SOURCE DST -o FUSE_OPTIONS

anyway, i only say that it would be easier to change gocryptfs to support the 'generic fuse mounter' of pam_mount than the other way around.

but i will be very happy with the nonempty option because i can change the pam_encfs to work with this.

[rfjakob]

Ah ok now i get it! Using pam_mount as-is would be nice. Can you share the config to get it to call gocryptfs? Will take a look in the evening.

[jsalatiel]

When i get home i will send you. I am on GMT-3, so maybe you can only see it tomorrow! Whats your TZ ?

[jsalatiel]

enable debug with:

<debug enable="1" />

and add in volume definitions:

<volume user="testuser" fstype="fuse" path="gocryptfs#/encrypted/testuser" mountpoint="/somedirectory" />
This is the most basic thing that should work for mount drectories ( no home ).

<volume user="testuser" fstype="fuse" path="gocryptfs#/encrypted/testuser" mountpoint="~" option="allow_other,nonempty"/>

and this is the requirement for home mounting =)

[rfjakob]

I didn't get very far, but, I found out that you can set the mount command line using <lclmount>. Also, we need to set noroot="1" so gocryptfs is executed as the right user:

<lclmount>gocryptfs %(VOLUME) %(MNTPT)</lclmount>
<volume user="testuser" path="/tmp/a" mountpoint="/tmp/b" noroot="1" />

This solves the parameter order problem, which is difficult to solve otherwise, because Flag parsing stops just before the first non-flag argument. In other words, options must precede other arguments with the default Go cli parser.

So gocryptfs seems to be called with the right command line, but then on my Fedora 24 machine things exploded into a torrent of SELinux errors and the login with testuser hangs. That's all for today, good night ;) I'm at GMT+2.

[jsalatiel]

About the noroot=1 , it is not needed when using type 'fuse'

Change the lclmount option will break all other mount entries of pam_mount.
Please implement the nonempty option, i will try to findout a way to pam_mount work.

[rfjakob]

An alternative is to use a bash wrapper script that reorders the command line parameters

[jsalatiel]

Please implement the nonempty option and i will find a way to make it work.
If not using pam_mount, creating a libpam-gocryptfs based on libpam-encfs

[rfjakob]

Option added as -nonempty in 434ce50 !

[jsalatiel]

how can i download it ? Sorry, i only know how to download from releases =)

[rfjakob]

Oh I see, no problem, here is the binary: gocryptfs_v1.1-beta1-22-g45dfc90_fedora24_amd64.tar.gz

[jsalatiel]

Hi @rfjakob , well , first i am trying to make it work with pam_encfs module. It works fine in ubuntu/mint but it fails strangely on CentOS. In CentOS the directory gets mounted and appear in /proc/mounts, but the gocryptfs daemon is not running so i get the transport endpoint not connected error.
No idea why.

[rfjakob]

When forking into the background, gocryptfs used to keed stdout and stderr open. This is helpful to see panics, but if they are connected to another program that exits, this kills gocryptfs. So I close them now proactively: gocryptfs_v1.1-beta1-24-g14fd5ce_fedora24_amd64.tar.gz
Edit: This may fix this issue.
Edit2: "exits", not "exists". If the other program gets killed it takes gocryptfs with it.

[jsalatiel]

Well, it did not work.
I will leave the patched libpam-encfs source here. It works fine on ubuntu/linux mint.
In CentOS i keep getting "transport endpoint not connected"
If @rfjakob or someone else can take a look why this happens in centOS it would be great.
I am no programmer, soh i just changed a few lines in pam-encfs source to work with gocryptfs.

Now i am gonna try to figure it out a way to make it work with pam_mount !

pam-gc.zip

[jsalatiel]

I really miss the days when linux were all the same.
What works in ubuntu wont work on CentOS and vice versa!

Well, i was able to make pam_mount work with CentOS just fine. I created a little wrapper to mount it.
The problem is, it wont work with mint/ubuntu ! WTF !
After login i never get the prompt back, but the directory is mounted, and if i cancel the login and try again it will work !

Well, here it is for those who prefer redhat like distros.
pam_mount.zip

[jsalatiel]

Just to make it clear, use pam_gc if you are on ubuntu derivatives, or pam_mount if you are on redhat derivatives.

@rfjakob , thank you for your help ! I'd like to help more, but i just cant figure it out whats happening.
If someone can, please post in this issue the fix.

[rfjakob]

Oh. That's a bug. Give me a second....

[rfjakob]

Fixed in dc4fdd8 , sorry about that!

[jsalatiel]

It worked, i will post the pam changes for mint/ubuntu soon.
But there is still a "bug" in the wrapper, it wont check if it is already mounted, so it will mount over and over and over for each session i open. It should not mount again if it is already mounted.

testuser 24220 0.6 0.9 205168 74352 ? Sl 18:55 0:00 ./gocryptfs -f -notifypid=24213 -nonempty -allow_other /home/testuser.cipher /home/testuser
testuser 24274 0.8 0.9 352632 76360 ? Sl 18:55 0:00 ./gocryptfs -f -notifypid=24267 -nonempty -allow_other /home/testuser.cipher /home/testuser
testuser 24355 8.6 0.9 213364 76708 ? Sl 18:56 0:00 ./gocryptfs -f -notifypid=24348 -nonempty -allow_other /home/testuser.cipher /home/testuser

[rfjakob]

Hmm, I thought pam_mount checks for that. I will take a look at the pam_mount source code.

[rfjakob]

Fixed in a985096. gocryptfs_pam_mount.bash now checks for an existing mount. The check in pam_mount does not seem to be working for FUSE.

[jsalatiel]

Almost perfect. Just do not echo 'something is already mounted on /home/testuser, refusing' when quiet option is set, and exit with '0' , otherwise every new session pam_mount will show this message even with debug disabled:
(mount.c:72): Messages from underlying mount program:
(mount.c:76): gocryptfs_pam_mount.bash: something is already mounted on /home/testuser, refusing
(pam_mount.c:522): mount of /usr/local/bin/gocryptfs_pam_mount.bash#/home/testuser.cipher failed

[rfjakob]

I have integrated the functionality of gocryptfs_pam_mount.bash into gocryptfs itself now ( 9cf3ced ). I have moved the instruction text to https://github.com/rfjakob/gocryptfs/wiki/Mounting-on-login-using-pam_mount . As per your suggestion, pam_mount is called in "auth" AND in "session" so it does not ask for the password again. I have tested this for ssh logins and it seems to work nicely.

The bash wrapper should be no longer needed and I have removed it.

[jsalatiel]

Hi @rfjakob , nice idea!
Well, it is not working on mint/ubuntu.

(mount.c:76): You passed: "-nonempty" "-allow_other" "-quiet" "-dev" "-suid" "/home/testuser.cipher"``"/home/testuser"
(mount.c:76): flag provided but not defined: -dev
(pam_mount.c:522): mount of /usr/local/bin/gocryptfs#/home/testuser.cipher failed

I think the defaults are different, since i am not passing those options.

See my pam_mount file:

<pam_mount>
<volume user="testuser" fstype="fuse" options="nonempty,allow_other,quiet" path="/usr/local``/bin/gocryptfs#/home/%(USER).cipher" mountpoint="/home/%(USER)" />
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<mntoptions require="" />
<logout wait="0" hup="0" term="0" kill="0" />
<mkmountpoint enable="1" remove="true" />
<pam_mount>

btw, please remember ( if you agree) that we can use "*" as user in pam_mount, so it would be really nice the following behaviour if quiet options is set:

1. check if already mounted should always exit with 0 and not echo anything when quiet is set
2. should check if SRC_DIR is really a gocrypfs folder (gocryptfs.conf?) and always exit with 0 also not echoing anything when quiet is set.

This ensures that in a multi user environment , users that do not use gocryptfs wont get cryptic errors about gocrypfs, but still allowing those users who want use it , create the cipher dir and encrypt their directories ! I hope you understand what i mean.

[jsalatiel]

I made a few edits to the last two sentences. ( sorry the english )

[rfjakob]

Yeah, you need "nodev,nosuid" otherwise mount adds "dev" and "suid". Need to think about the quiet thing. But isn't there a per-user pam mount config?

[jsalatiel]

I know there is per-user pam mount config and it is pŕetty usable to my home computer, but if you think about small offices or even big offices , it is not safe at all and should not be allowed. ( i am thinking gocryptfs going big =] )
About the per-user config, according to the pam_mount.conf manual : " The mount process is executed as superuser. This may have security implications, so this feature is disabled by default."

[rfjakob]

I'd rather have this as an external script, this should be quite easy to in bash. Maybe something like this (lightly tested): https://gist.github.com/rfjakob/d11d4a1085516fe1d70c3b7ce447d556

[jsalatiel]

Perfectly! I agree =)
Could you leave this script in some folder of the release ?

[rfjakob]

Added as https://github.com/rfjakob/gocryptfs/blob/master/contrib/gocryptfs-maybe.bash !

[jsalatiel]

thanks!

[lechner]

This patch to pam_mount may also be helpful to you. Among other things, it eliminates the nonempty mount option.

[rfjakob]

Am I reading this right, pam_mount was creating an xml file in the mountpoint? Wtf.

[lechner]

The xml file in the home directory (<luserconf>) lists user-specified volumes to mount at login. It was previously difficult to make encryption of a home directory optional, or to allow different methods (such as encfs, gocryptfs, etc.). Moreover, the file was masked after mounting. With the patch one can place the user's configuration elsewhere, such as /acct/${user}/absent/pam_mount.conf.xml.

Such a place for unencrypted user data may also also be usefule for ssh's authorized_keys, for example.

[jsalatiel]

Hi @rfjakob , i can not tell exactly when it happened, but i tried to compile from git today and the binary wont automount using pam_mount. After try to login, the terminal hangs and it does not show the shell prompt. If i use the binary that i compiled from git on april 24 it works just fine. Any big change that could affect the automount ?

[rfjakob]

I tried to reproduce right now and it seemed to hang here as well. No idea yet what caused it, will investigate tonight.

[rfjakob]

@jsalatiel should be fixed in master by commit 496968e . Can you confirm?

[jsalatiel]

It is working. Thanks !

[lestephane]

I think the original issue title still stands. Without a libpam-gocryptfs, it's impossible to update the gocryptfs password when the user changes his / her login password. In a PAM world it would be done in response to the the pam_sm_setcred callback, which corresponds to using pam_mount.so in a password... pam.d config line, as opposed to auth... or session.... In my version of libpam-mount (2.14), that callback is empty:

/**
 * pam_sm_setcred -
 * @pamh:	PAM handle
 * @flags:	PAM flags
 * @argc:	number of elements in @argv
 * @argv:	NULL-terminated argument vector
 *
 * This is a placeholder function so PAM does not get mad.
 */
PAM_EXTERN EXPORT_SYMBOL int pam_sm_setcred(pam_handle_t *pamh, int flags,
    int argc, const char **argv)
{
	return PAM_SUCCESS;
}

Not dramatic, but I wanted to put it out there that libpam-gocryptfs could exist in its own right to do something that pam_mount on its own can't. Maybe pam_mount will eventually provide config hooks to propagate the callback to a user configurable command, but I would not hold my breath for it to happen anytime soon.

[rfjakob]

Good point, thanks