Xfce Forum

doodloo

Member

From: London

Registered: 2015-09-11

Posts: 59

pam.d, pam_mount and SSH login.

A bit of an explanation before my question

[EDIT] I'm aware that this discussion forum is articulated around XFCE, whilst my problem isn't really. But I always found friendly answers here, so that's why I am giving it a shot

I'm running Xubuntu 22.04.1. One of the hard disk has a LUKS based encrypted partition - the passphrase is the same as my user's password. I have some setup done in `/etc/security/pam_mount.conf.xml` so that upon logging-in, the encrypted partition gets unlocked and mounted as my home.
It works great, as long as the encryption passphrase is the same as my user's password.

Cool.

But enters key-based SSH authentication. I often login to my computer from another computer, and unfortunately, because my SSH setup is key-based, no password is required. And therefore, pam_mount simply fails - it doesn't know how to acquire the password to unlock my encrypted home.

My first question is - do you guys have encountered this flaw, and if so did you find ideas to work around it?

My next questions is - do you have any idea if any of the following solutions would work using basic Linux scripting, and if so - how?

- Having some sort of way to have my encryption password encrypted using my SSH key, so that upon logging-in using SSH it could be automatically decrypted during the pam.d pipeline?
- Otherwise, having a `.bashrc` file in my user's folder before it gets "overwritten" by the encrypted mount, so that this `.bashrc` file would somehow "force re-authentication" and ultimately ask for my password?
- Or anything else?

Thanks a lot for reading and thinking about my problem

In case this is useful - this is the `/var/log/auth.log` excerpt of a successful SSH login with a subsequent failure to decrypt and mount my home:

Jan  8 22:45:03 Legionaire sshd[2399]: Accepted publickey for doodloo from 192.168.42.139 port 35260 ssh2: ED25519 SHA256:WUljJKvrZ4/76QaofheUTFnt9Eq4XPK7RpzBT1Momoo
Jan  8 22:45:03 Legionaire sshd[2399]: pam_unix(sshd:session): session opened for user doodloo(uid=1000) by (uid=0)
Jan  8 22:45:03 Legionaire sshd[2399]: (pam_mount.c:173): conv->conv(...): Conversation error
Jan  8 22:45:03 Legionaire sshd[2399]: (pam_mount.c:476): warning: could not obtain password interactively either
Jan  8 22:45:05 Legionaire sshd[2399]: (mount.c:68): Messages from underlying mount program:
Jan  8 22:45:05 Legionaire sshd[2399]: (mount.c:72): crypt_activate_by_passphrase: Operation not permitted
Jan  8 22:45:05 Legionaire sshd[2399]: (mount.c:72): Device /dev/mapper/_dev_nvme0n1p7 does not exist or access denied.
Jan  8 22:45:05 Legionaire sshd[2399]: (pam_mount.c:522): mount of /dev/disk/by-uuid/da565c55-2942-442e-9864-f318b3b2852f failed
Jan  8 22:45:05 Legionaire sshd[2399]: (pam_mount.c:173): conv->conv(...): Conversation error
Jan  8 22:45:05 Legionaire sshd[2399]: (pam_mount.c:476): warning: could not obtain password interactively either
Jan  8 22:45:05 Legionaire systemd-logind[800]: New session 8 of user doodloo.

Oh and in case you are curious, this is `/etc/security/pam_mount.xml` allowing my system to automatically mount my encrypted home using my user's password as the decryption passphrase:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
  <pam_mount>
    <debug enable="0" />
    <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
    <mntoptions require="nosuid,nodev" />
    <logout wait="15" hup="yes" term="yes" kill="yes" />
    <mkmountpoint enable="1" remove="true" />
    <volume user="doodloo" fstype="auto" path="/dev/disk/by-uuid/6a506b95-d00a-4c87-b92f-e96c88f55afb" mountpoint="/home/doodloo" options="fsck,noatime" />
  </pam_mount>

Last edited by doodloo (2023-01-08 22:08:32)

CwF

Member

Registered: 2018-01-28

Posts: 288

Re: pam.d, pam_mount and SSH login.

It's a little over my head, but it looks like the user authentication is covered, so maybe use a second slot with a separate key when using SSH? With a second key slot, I suppose the question is still how/what rule to activate it?