PAM configuration on Fedora

[yerlaser]

This is perhaps more a question although maybe it's better that the documentation be updated.
I am trying to use fscrypt on Fedora and since there are no packages available I compiled it from sources.
I managed to make it work with pass phrase protector, but login protector doesn't work.
Documentation says to add pam_fscrypt.so lines to /etc/pam.d/common-auth and /etc/pam.d/common-session
Both files don't exist, here's the listing of /etc/pam.d

config-util gdm-password password-auth smartcard-auth system-auth
cups gdm-pin polkit-1 sshd systemd-user
fingerprint-auth gdm-smartcard postlogin sssd-shadowutils vlock
fscrypt liveinst ppp su vmtoolsd
gdm-autologin login remote sudo xserver
gdm-fingerprint other runuser sudo-i
gdm-launch-environment passwd runuser-l su-l

I already tried to add the lines to gdm-password, login, passwd, password-auth, system-auth but none of them worked. Also, I don't see any errors in the logs. It's as if the lines get ignored.
Any help would be appreciated.

[yerlaser]

Small additition: I found out that pam_fscrypt.so should be installed to /usr/lib64/security instead of of /usr/lib/security as all other similar modules are there.
The problem still remains, though, and auto unlock doesn't work.

Do developer test the software on Fedora at all?

[ebiggers]

I haven't tested fscrypt on Fedora.

PAM configuration differs between distributions, so issues like this are expected to some extent.

If you can put together a working configuration on Fedora, we'd be glad to add it to the documentation. You can also request that your distro packages fscrypt as an official package, in which case the packager would likely take care of the PAM configuration.

[luzeal]

Hello,

First thing first, thanks for the wonderful project ! I am currently using it to encrypt virtual machines images at rest, and it is working great !

Alas, as OP, PAM configuration seems to be a bit tricky on Fedora. I am also trying to make auto unlock work on Fedora 34, and intend to eventually request a port or port it to Fedora myself.

My test configuration

• New fresh Fedora 34 server installation with gnome-shell
• SELinux disabled (temporarily, until the issue is solved)
• Linux kernel 5.12.13

What works

• Everything related to fscrypt that I have tested

• Allow fscrypt to check your login passphrase (as least when it comes to the login protector). As expected, adding an fscrypt file to etc/pam.d/fscrypt allows fscrypt to use the login protector.

[root@test]# cat /etc/pam.d/fscrypt 
auth        required    pam_unix.so

What doesn't (yet)

• Automatically unlock directories when logging in
• Keep login protector in sync with unix passphrase

Fedora specifics

• As correctly pointed out by @yerlaser, Fedora expects the pam_fscrypt.so module to be located in /usr/lib64/security
• Instead of three separate pam.d conf files, common-password, common-auth and common-session, Fedora seems to rely on only one file password-auth or system-auth, which seem to include everything provided by the three Ubuntu conf files.
• The content of password-auth or system-auth is almost identical.

According to this forum tread, password-auth uses modules which can be used in remote configuration. We will use this one but it should be ok to use system-auth too.

[root@test]# cat /etc/pam.d/password-auth
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so
auth        optional	  pam_fscrypt.so debug

account     required      pam_unix.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password    required      pam_deny.so
password    optional      pam_fscrypt.so debug

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required	  pam_unix.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     optional      pam_fscrypt.so drop_caches lock_policies debug

Content of /etc/fscrypt.conf

cat /etc/fscrypt.conf
{
	"source": "custom_passphrase",
	"hash_costs": {
		"time": "26",
		"memory": "131072",
		"parallelism": "2"
	},
	"options": {
		"padding": "32",
		"contents": "AES_256_XTS",
		"filenames": "AES_256_CTS",
		"policy_version": "2"
	},
	"use_fs_keyring_for_v1_policies": false
}

According to the logs bellow, it seems that fscrypt AUTHTOK cannot access the unix password.

[root@test ~]# journalctl -b | grep fscrypt
Jul 07 09:54:22 vdmed kernel: Key type ._fscrypt registered
Jul 07 09:54:22 vdmed kernel: Key type .fscrypt registered
Jul 07 09:54:22 vdmed kernel: Key type fscrypt-provisioning registered
Jul 07 09:54:24 vdmed pam_fscrypt[600]: OpenSession(map[debug:true]) starting
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Session count for UID=42 updated to 1
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[42]
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Setting euid=42 egid=42 groups=[42]
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Current privs (real, effective): uid=(0,42) gid=(0,42) groups=[42]
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Reading config from "/etc/fscrypt.conf"
Jul 07 09:54:24 vdmed pam_fscrypt[600]: creating context for user "gdm"
Jul 07 09:54:24 vdmed pam_fscrypt[600]: found ext4 filesystem "/" (/dev/vda3)
Jul 07 09:54:24 vdmed pam_fscrypt[600]: listing descriptors in "/.fscrypt/protectors"
Jul 07 09:54:24 vdmed pam_fscrypt[600]: found 2 descriptor(s)
Jul 07 09:54:24 vdmed pam_fscrypt[600]: could not read metadata from "/.fscrypt/protectors/41cbb2c50c977db8": open /.fscrypt/protectors/41cbb2c50c977db8: permission denied
Jul 07 09:54:24 vdmed pam_fscrypt[600]: could not read metadata from "/.fscrypt/protectors/a6943dd52cec7cc4": open /.fscrypt/protectors/a6943dd52cec7cc4: permission denied
Jul 07 09:54:24 vdmed pam_fscrypt[600]: no protector to unlock: no PAM protector for UID=42 on "/"
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Setting euid=0 egid=0 groups=[42]
Jul 07 09:54:24 vdmed pam_fscrypt[600]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[42]
Jul 07 09:54:24 vdmed audit[600]: USER_START pid=600 uid=0 auid=42 ses=1 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_fscrypt acct="gdm" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 07 09:54:24 vdmed pam_fscrypt[600]: OpenSession(map[debug:true]) succeeded
Jul 07 09:54:24 vdmed pam_fscrypt[575]: OpenSession(map[debug:true]) starting
Jul 07 09:54:24 vdmed pam_fscrypt[575]: OpenSession(map[debug:true]) failed: open /run/fscrypt/42.count: permission denied
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: OpenSession(map[debug:true]) starting
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Session count for UID=1000 updated to 1
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[1000]
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Setting euid=1000 egid=1000 groups=[1000]
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Current privs (real, effective): uid=(0,1000) gid=(0,1000) groups=[1000]
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Reading config from "/etc/fscrypt.conf"
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: creating context for user "test"
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: found ext4 filesystem "/" (/dev/vda3)
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: listing descriptors in "/.fscrypt/protectors"
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: found 2 descriptor(s)
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: could not read metadata from "/.fscrypt/protectors/41cbb2c50c977db8": open /.fscrypt/protectors/41cbb2c50c977db8: permission denied
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: could not read metadata from "/.fscrypt/protectors/a6943dd52cec7cc4": open /.fscrypt/protectors/a6943dd52cec7cc4: permission denied
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: no protector to unlock: no PAM protector for UID=1000 on "/"
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Setting euid=0 egid=0 groups=[1000]
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: Current privs (real, effective): uid=(0,0) gid=(0,0) groups=[1000]
Jul 07 09:54:32 vdmed audit[1083]: USER_START pid=1083 uid=0 auid=1000 ses=3 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_fscrypt acct="test" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 07 09:54:32 vdmed pam_fscrypt[1083]: OpenSession(map[debug:true]) succeeded
Jul 07 09:54:36 vdmed pam_fscrypt[575]: CloseSession(map[debug:true]) starting
Jul 07 09:54:36 vdmed pam_fscrypt[575]: count is 0 and we are not locking
Jul 07 09:54:36 vdmed pam_fscrypt[575]: CloseSession(map[debug:true]) failed: open /run/fscrypt/42.count: permission denied
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: OpenSession(map[debug:true]) starting
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Session count for UID=0 updated to 1
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Current privs (real, effective): uid=(1000,0) gid=(1000,1000) groups=[0]
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Setting euid=0 egid=0 groups=[0]
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Current privs (real, effective): uid=(1000,0) gid=(1000,0) groups=[0]
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Reading config from "/etc/fscrypt.conf"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: creating context for user "root"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: found ext4 filesystem "/" (/dev/vda3)
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: listing descriptors in "/.fscrypt/protectors"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: found 2 descriptor(s)
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: successfully read metadata from "/.fscrypt/protectors/41cbb2c50c977db8"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: successfully read metadata from "/.fscrypt/protectors/a6943dd52cec7cc4"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Getting protector a6943dd52cec7cc4 from option
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: successfully read metadata from "/.fscrypt/protectors/a6943dd52cec7cc4"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: listing descriptors in "/.fscrypt/policies"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: found 3 descriptor(s)
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: successfully read metadata from "/.fscrypt/policies/5a646c836b29ab1cd7a570119e314804"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: got data for 5a646c836b29ab1cd7a570119e314804 from "/"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: successfully read metadata from "/.fscrypt/policies/1e3a25c695b1e4b9fde46f5ee44c9f4a"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: got data for 1e3a25c695b1e4b9fde46f5ee44c9f4a from "/"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: successfully read metadata from "/.fscrypt/policies/032e9d66c10fcf915991a6c0d411d41d"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: got data for 032e9d66c10fcf915991a6c0d411d41d from "/"
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: stat /sys/firmware/efi/efivars/.fscrypt: invalid argument
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: stat /sys/firmware/efi/efivars/.fscrypt/policies: invalid argument
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: stat /sys/firmware/efi/efivars/.fscrypt/protectors: invalid argument
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: stat /sys/fs/bpf/.fscrypt: operation not permitted
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: stat /sys/fs/bpf/.fscrypt/policies: operation not permitted
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: stat /sys/fs/bpf/.fscrypt/protectors: operation not permitted
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: unlocking 1 policies protected with AUTHTOK
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Setting euid=0 egid=1000 groups=[0]
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: Current privs (real, effective): uid=(1000,0) gid=(1000,1000) groups=[0]
Jul 07 10:02:33 vdmed pam_fscrypt[1890]: OpenSession(map[debug:true]) failed: unlocking protector a6943dd52cec7cc4: AUTHTOK data missing: No module specific data is present

The problem seems to be how can we apply /usr/local/share/pam-configs/fscrypt to Fedora. For Ubuntu or Debian, there is a tool to do pam-auth-update. By knowing what exactly is happening during this step, it might help us to make pam_fscrypt.so works on Fedora. (Or perhaps more accurately, make Fedora works with pam_fscrypt.so)

Any idea how it could be solved ?

[luzeal]

• Current instructions to build it on Fedora (feel free to hack it) : https://docs.phyllo.me/Lv26rFvIS9GmCVIzTm06fw?view
• Current quick instructions to set-up fscrypt on Ubuntu (likewise) : https://docs.phyllo.me/N30CxBKCTTGyDLf-mQNcjQ?view

[yerlaser]

Hi,
Unfortunately, I gave up after several attempts and had to switch back to Ubuntu because unlocking manually after each restart was too annoying.

Looking at the Ubuntu configs, I found out that the session file looks like this:
session optional pam_fscrypt.so drop_caches lock_policies
So, there are two additional parameters: drop_caches and lock_policies
I don't know if that matters, but, if you have a chance, can you check that?

[ebiggers]

So, there are two additional parameters: drop_caches and lock_policies
I don't know if that matters, but, if you have a chance, can you check that?

The drop_caches and lock_policies options only affect locking (not unlocking), and they aren't needed with the latest version of fscrypt (they are now no-ops). So they aren't relevant here, as the issue here is with unlocking.

[yerlaser]

OK, thanks, you saved me a hassle of installing Fedora to check just that.
But, sadly, we are at the dead end currently until someone with deeper PAM knowledge comes by.

[yerlaser]

Hi @luzeal,

Did you try to run authselect or authconfig (https://fedoraproject.org/wiki/Changes/Authselect) to update PAM configuration?

[luzeal]

Good news, I have been able to find a good PAM configuration for Fedora (and perhaps by extension other related distributions) !

@yerlaser : thanks for your suggestion, I dove into authselect* and found out that there is a opt-in feature for ecryptfs on certain ready-made profiles such as minimal. I used that as an inspiration to get a working configuration for pam_fscrypt.so. (*authselect now supersedes authconfig and allows an administrator to apply specific authentication schemes on a system).

• Current limitations : it doesn't work with SELinux, so I had to deactivate it completely for now (I don't use it in production yet). More precisely, it seems that SELinux doesn't allow regular users to access the hidden fscrypt folder ./fscrypt where the protector resides.
• What works : everything that I have tested so far, including auto-unlock of encrypted folders on user login and password "synchronization" between fscrypt and the unix password program.

Incomplete walk-through**

• Compile fscrypt from source, ready the targeted ext4 filesystem tune2fs -O encrypt /dev/vda3
• Move pam_fscrypt.so to correct location
  mv /usr/local/lib/security/pam_fscrypt.so /usr/lib64/security/pam_fscrypt.so
• Create fscrypt file under pam.d directory to let fscrypt check the user password. echo "auth required pam_unix.so" > /etc/pam.d/fscrypt
• Create a fscrypt profile based on the minimal template.
  authselect create-profile fscrypt --based-on=minimal
• Select this profile authselect select custom/fscrypt --force
• Modify the content of the password-auth file to match this one (especially when it comes to the pam_fscrypt.so):

cat /etc/authselect/custom/fscrypt/password-auth

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        required                                     pam_faillock.so preauth silent                         {include if "with-faillock"}
auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth        required                                     pam_faillock.so authfail                               {include if "with-faillock"}
auth        required                                     pam_deny.so
auth        optional                                     pam_fscrypt.so debug

account     required                                     pam_access.so                                          {include if "with-pamaccess"}
account     required                                     pam_faillock.so                                        {include if "with-faillock"}
account     required                                     pam_unix.so

password    requisite                                    pam_pwquality.so try_first_pass
password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password    required                                     pam_deny.so
password    optional                                     pam_fscrypt.so debug

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
session     optional                                     pam_fscrypt.so debug
session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
-session    optional                                     pam_systemd.so
session     optional                                     pam_oddjob_mkhomedir.so                               {include if "with-mkhomedir"}
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so

• Modify the content of the system-auth file to match this one:

cat /etc/authselect/custom/fscrypt/system-auth

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        required                                     pam_faillock.so preauth silent                         {include if "with-faillock"}
auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
auth        required                                     pam_faillock.so authfail                               {include if "with-faillock"}
auth        required                                     pam_deny.so
auth	    optional                                     pam_fscrypt.so debug

account     required                                     pam_access.so                                          {include if "with-pamaccess"}
account     required                                     pam_faillock.so                                        {include if "with-faillock"}
account     required                                     pam_unix.so

password    requisite                                    pam_pwquality.so try_first_pass
password    sufficient                                   pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
password    required                                     pam_deny.so
password    optional                                     pam_fscrypt.so debug

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
session     optional                                     pam_ecryptfs.so unwrap                                {include if "with-ecryptfs"}
session     optional                                     pam_fscrypt.so debug
-session    optional                                     pam_systemd.so
session     optional                                     pam_oddjob_mkhomedir.so                               {include if "with-mkhomedir"}
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so

• Modify the content of the postlogin file to match this one:

cat /etc/authselect/custom/fscrypt/postlogin

auth        optional                   pam_fscrypt.so debug
auth        optional                   pam_ecryptfs.so unwrap                                 {include if "with-ecryptfs"}

password    optional                   pam_fscrypt.so debug
password    optional                   pam_ecryptfs.so unwrap                                 {include if "with-ecryptfs"}

session     optional                   pam_umask.so silent
session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session     [default=1]                pam_lastlog.so nowtmp {if "with-silent-lastlog":silent|showfailed}
session     optional                   pam_lastlog.so silent noupdate showfailed

• Apply changes: authselect apply-changes
• Setup fscrypt: fscrypt setup
• Et voilà !

**A more complete walk-through will follow when I am back from holidays next week.

Clearly, pam_fscrypt.so for Fedora and related distributions ought to be implemented as a feature of an existing profile, not as an entire profile. But this will be for another day...

[yerlaser]

@luzeal , Man, you're a hero!
Have a nice holiday!

[fkaempfer]

Took me a while to figure this out, but I think the easiest way to use fscrypt'ed home directories in Fedora today is using systemd-homed:

# enable systemd homed support in pam
authselect enable-feature with-systemd-homed
systemctl enable --now systemd-homed.service

# Then recreate the user
homectl create username --storage=fscrypt

That's it.

Note that if no user with uid 1000 exists, gdm will load the initial setup screen on next boot

You can disable this in /etc/gdm/custom.conf
change

[daemon]
InitialSetupEnable=false

[ebiggers]

You can use systemd-homed if you want to. Just keep in mind that it's not actually related to this project https://github.com/google/fscrypt. It uses the same kernel functionality, but not the userspace code. The userspace code of systemd-homed is separate and is written by the systemd developers. systemd-homed uses v1 encryption policies instead of v2, so you may encounter the known issues from those.