Montar partição criptografada após o login (LUKS / pam_mount)


Durante a instalação do Fedora 23 escolhi a opção de criptografar a partição /home. Como esperado, agora a senha me é pedida antes que a tela de login seja exibida. O que eu preciso é que a partição home criptografada seja desbloqueada e montada automaticamente após um login bem-sucedido. Então comecei a configurar o pam_mount seguindo, por exemplo, estas instruções ( pam_mount / ArchLinux ) e algumas outras de diferentes blogs e fóruns. Até agora, nada funciona: ainda me pedem a frase secreta antes do login.

Aqui estão minhas configurações:

/etc/security/pam_mount.conf.xml

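<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
    See pam_mount.conf(5) for a description.
-->

<pam_mount>

    <!-- debug should come before everything else,
    since this file is still processed in a single pass
    from top-to-bottom.
    Set enable="1" while troubleshooting: pam_mount then reports each
    step (open, mount, umount, close) to syslog/journal, which is the
    quickest way to see whether the volume below is attempted at all. -->

<debug enable="0" />

    <!-- Volume definitions -->
    <!-- (the single volume of this host is kept in the
    "Volume-related" section further down, matching the stock layout) -->


    <!-- pam_mount parameters: General tunables -->

<!--
    <luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
 You will need to explicitly initialize it with the empty string
 to reset the defaults to nothing. -->
<!-- NOTE(review): allow/require/deny restrict what per-user (luserconf)
 volumes may request; luserconf is disabled above, so these lines do not
 add nosuid,nodev to the system-wide volume below. If /home should be
 mounted nosuid,nodev, put that in the volume's own options attribute.
 Confirm against pam_mount.conf(5). -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<!-- requires ofl from hxtools to be present -->
<!-- With hup/term/kill all "no" and wait="0", processes still holding
 /home at logout are left running, so the umount and the cryptsetup close
 can fail and the container stays unlocked until reboot. Raise wait and
 enable term/kill if the volume must be locked again reliably on logout. -->
<logout wait="0" hup="no" term="no" kill="no" />


    <!-- pam_mount parameters: Volume-related -->

<!-- fstype="crypt": pam_mount opens the LUKS container found at "path"
 with the password it collected in the auth phase and mounts the resulting
 plaintext device on "mountpoint".
 Use the stable /dev/mapper name instead of /dev/dm-N: device-mapper minor
 numbers are handed out in activation order and can change between boots.
 On this host /dev/mapper/homeVolumeGroup-00 currently resolves to ../dm-0,
 so this is the same device the previous path pointed at.
 NOTE(review): this assumes homeVolumeGroup-00 is itself the LUKS container
 (LUKS on LVM); verify with "lsblk" and "cryptsetup isLuks". The luks-UUID
 mapping that already exists in /dev/mapper before login suggests the
 container is being unlocked at boot (e.g. from /etc/crypttab or the
 initramfs); pam_mount cannot take over an already-open device, so that
 boot-time entry has to be removed or marked noauto before this volume
 takes effect. -->
<volume user="XYZ" fstype="crypt" path="/dev/mapper/homeVolumeGroup-00" mountpoint="/home"     options="fsck" />

<!-- remove="true" deletes the mount point again on logout only if
 pam_mount created it itself. -->
<mkmountpoint enable="1" remove="true" />


</pam_mount>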

--------- /etc/pam.d/system-auth ---------

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# Shared stack pulled in by login(1) via "substack/include system-auth".
# pam_mount.so was added to the auth, password and session phases.
# auth: pam_mount is first in the stack, so it is the module that prompts
# for the password (this is where the "pam_password" prompt comes from);
# pam_unix's try_first_pass then reuses that token instead of asking again.
# Nothing is opened or mounted in this phase.
# NOTE(review): /etc/pam.d/login also lists pam_mount.so before substacking
# this file, so console logins appear to invoke pam_mount twice per phase;
# keep it in one of the two files only.
auth        optional      pam_mount.so
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

# password: lets pam_mount observe password changes; confirm in
# pam_mount(8) what it does with the new token before relying on it.
password    optional      pam_mount.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
 password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 password    required      pam_deny.so

# session: this is the phase in which pam_mount actually opens the
# container and mounts it (and unmounts/closes it on session close).
session     optional      pam_mount.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

------------ /etc/pam.d/gdm-password ----------------

# GDM password-login stack. pam_mount.so is added in the auth and session
# phases. Note that this file substacks/includes password-auth, not
# system-auth, so the pam_mount lines placed in system-auth are not used
# for graphical logins; the entries below are the ones that matter here.
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
# pam_mount prompts before password-auth runs; for GDM sessions the
# "pam_password" prompt seen at login comes from this line.
auth        optional      pam_mount.so
auth        substack      password-auth
auth        optional      pam_gnome_keyring.so
auth        include       postlogin

account     required      pam_nologin.so
account     include       password-auth

password    substack       password-auth
-password   optional       pam_gnome_keyring.so use_authtok

session     required      pam_selinux.so close
# Mount happens here (session phase). NOTE(review): if password-auth (not
# shown on this page) also carries a pam_mount.so line, it runs a second
# time through "session include password-auth" below; keep a single copy.
session     optional      pam_mount.so
session     required      pam_loginuid.so
session     optional      pam_console.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     include       password-auth
session     optional      pam_gnome_keyring.so auto_start
session     include       postlogin

------------ /etc/pam.d/login ----------------

#%PAM-1.0
# Console login(1) stack. pam_mount.so appears here AND inside system-auth,
# which is pulled in by "substack system-auth" / "include system-auth" in
# the same phases, so pam_mount is invoked twice per console login.
# NOTE(review): keep it in one place only (this file or system-auth) to
# avoid a duplicate mount attempt.
auth       optional     pam_mount.so
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
# session phase: pam_mount opens and mounts the volume here.
session    optional     pam_mount.so
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

Aqui também estão algumas informações sobre os nomes e a estrutura das minhas partições:

----------- ls -la de /dev/mapper ---------------

insgesamt 0
drwxr-xr-x.  2 root root     100  4. Feb 2014  .
drwxr-xr-x. 20 root root    4300 22. Jan 12:27 ..
crw-------.  1 root root 10, 236  4. Feb 2014  control
lrwxrwxrwx.  1 root root       7  4. Feb 2014  homeVolumeGroup-00 -> ../dm-0
lrwxrwxrwx.  1 root root       7  4. Feb 2014  luks-73c29d47-ce01-464b-9099-3075a215d430 -> ../dm-1

----------- trecho de ls -la de /dev ---------------

insgesamt 4
drwxr-xr-x. 20 root root        4300 22. Jan 12:27 .
dr-xr-xr-x. 18 root root        4096 22. Jan 10:34 ..
crw-------.  1 root root     10, 235  4. Feb 2014  autofs
drwxr-xr-x.  2 root root         360 22. Jan 12:27 block
drwxr-xr-x.  2 root root         180 22. Jan 12:27 bsg
crw-------.  1 root root     10, 234  4. Feb 2014  btrfs-control
drwxr-xr-x.  3 root root          60  4. Feb 2014  bus
drwxr-xr-x.  2 root root        4080 22. Jan 12:27 char
crw-------.  1 root root      5,   1  4. Feb 2014  console
lrwxrwxrwx.  1 root root          11  4. Feb 2014  core -> /proc/kcore
drwxr-xr-x.  6 root root         140  4. Feb 2014  cpu
crw-------.  1 root root     10,  62  4. Feb 2014  cpu_dma_latency
drwxr-xr-x.  6 root root         120  4. Feb 2014  disk
brw-rw----.  1 root disk    253,   0  4. Feb 2014  dm-0
brw-rw----.  1 root disk    253,   1  4. Feb 2014  dm-1
drwxr-xr-x.  2 root root         100  4. Feb 2014  dri
crw-rw----.  1 root video    29,   0  4. Feb 2014  fb0
lrwxrwxrwx.  1 root root          13  4. Feb 2014  fd -> /proc/self/fd
crw-rw-rw-.  1 root root      1,   7  4. Feb 2014  full
crw-rw-rw-.  1 root root     10, 229 22. Jan 11:52 fuse
crw-------.  1 root root    248,   0  4. Feb 2014  hidraw0
crw-------.  1 root root    248,   1  4. Feb 2014  hidraw1
drwxr-xr-x.  2 root root          60  4. Feb 2014  homeVolumeGroup
crw-------.  1 root root     10, 228  4. Feb 2014  hpet
drwxr-xr-x.  3 root root           0  4. Feb 2014  hugepages
crw-------.  1 root root     10, 183  4. Feb 2014  hwrng
lrwxrwxrwx.  1 root root          25  4. Feb 2014  initctl -> /run/systemd/initctl/fifo
drwxr-xr-x.  4 root root         200  4. Feb 2014  input
crw-r--r--.  1 root root      1,  11  4. Feb 2014  kmsg
crw-rw-rw-+  1 root kvm      10, 232  4. Feb 2014  kvm
lrwxrwxrwx.  1 root root          28  4. Feb 2014  log -> /run/systemd/journal/dev-log
crw-rw----.  1 root disk     10, 237  4. Feb 2014  loop-control
crw-rw----.  1 root lp        6,   0  4. Feb 2014  lp0
crw-rw----.  1 root lp        6,   1  4. Feb 2014  lp1
crw-rw----.  1 root lp        6,   2  4. Feb 2014  lp2
crw-rw----.  1 root lp        6,   3  4. Feb 2014  lp3
drwxr-xr-x.  2 root root         100  4. Feb 2014  mapper
crw-------.  1 root root     10, 227  4. Feb 2014  mcelog
crw-------.  1 root root    244,   0  4. Feb 2014  mei0
crw-r-----.  1 root kmem      1,   1  4. Feb 2014  mem
crw-------.  1 root root     10,  59  4. Feb 2014  memory_bandwidth
drwxrwxrwt.  2 root root          40  4. Feb 2014  mqueue
crw-------.  1 root root    254,   0  4. Feb 2014  ndctl0
drwxr-xr-x.  2 root root          60  4. Feb 2014  net
crw-------.  1 root root     10,  61  4. Feb 2014  network_latency
crw-------.  1 root root     10,  60  4. Feb 2014  network_throughput
crw-rw-rw-.  1 root root      1,   3  4. Feb 2014  null
crw-------.  1 root root     10, 144  4. Feb 2014  nvram
crw-r-----.  1 root kmem      1,   4  4. Feb 2014  port
crw-------.  1 root root    108,   0  4. Feb 2014  ppp
crw-------.  1 root root    247,   0  4. Feb 2014  pps0
crw-rw-rw-.  1 root tty       5,   2 22. Jan 12:40 ptmx
crw-------.  1 root root    246,   0  4. Feb 2014  ptp0
crw-------.  1 root root    246,   1  4. Feb 2014  ptp1
drwxr-xr-x.  2 root root           0  4. Feb 2014  pts
crw-rw-rw-.  1 root root      1,   8  4. Feb 2014  random
drwxr-xr-x.  2 root root          60  4. Feb 2014  raw
crw-rw-r--+  1 root root     10,  58  4. Feb 2014  rfkill
lrwxrwxrwx.  1 root root           4  4. Feb 2014  rtc -> rtc0
crw-------.  1 root root    252,   0  4. Feb 2014  rtc0
brw-rw----.  1 root disk      8,   0  4. Feb 2014  sda
brw-rw----.  1 root disk      8,   1  4. Feb 2014  sda1
brw-rw----.  1 root disk      8,   2  4. Feb 2014  sda2
brw-rw----.  1 root disk      8,   3  4. Feb 2014  sda3
brw-rw----.  1 root disk      8,   4  4. Feb 2014  sda4
brw-rw----.  1 root disk      8,   5  4. Feb 2014  sda5
brw-rw----.  1 root disk      8,  16  4. Feb 2014  sdb
brw-rw----.  1 root disk      8,  17  4. Feb 2014  sdb1
brw-rw----.  1 root disk      8,  32  4. Feb 2014  sdc
brw-rw----.  1 root disk      8,  48  4. Feb 2014  sdd
brw-rw----.  1 root disk      8,  64  4. Feb 2014  sde
brw-rw----.  1 root disk      8,  80  4. Feb 2014  sdf
brw-rw----.  1 root disk      8,  96 22. Jan 12:27 sdg
brw-rw----.  1 root disk      8,  97 22. Jan 12:27 sdg1
crw-rw----.  1 root disk     21,   0  4. Feb 2014  sg0
crw-rw----.  1 root disk     21,   1  4. Feb 2014  sg1
crw-rw----.  1 root disk     21,   2  4. Feb 2014  sg2
crw-rw----.  1 root disk     21,   3  4. Feb 2014  sg3
crw-rw----.  1 root disk     21,   4  4. Feb 2014  sg4
crw-rw----.  1 root disk     21,   5  4. Feb 2014  sg5
crw-rw----.  1 root disk     21,   6 22. Jan 12:27 sg6

Atualmente, durante o login, me é pedido "pam_password" em vez da senha normal. No entanto, a frase secreta de criptografia ainda precisa ser inserida antes do login, como mencionei.

    
por Varius 24.01.2016 / 20:35

0 respostas