#40 mount.crypt fails with: "crypt_activate: Invalid argument"

closed-works-for-me
pam-mount (40)
5
2014-08-18
2010-08-05
Anonymous
No

First of all, I was planning to use pam_mount to mount my /home/max dir at login time. I have an encrypted partition /dev/sda8 that works and can be mounted this way:
openssl bf-cbc -d -in /home/max.key |cryptsetup -c serpent create max /dev/sda8

Distro: Gentoo, pam_mount-2.4

The problem is that when I try to run it through pam_mount I get this (with debugging enabled):

Aug 5 18:01:11 leia login[6549]: pam_mount(pam_mount.c:364): pam_mount 2.4: entering auth stage
Aug 5 18:01:12 leia login[6549]: pam_unix(login:session): session opened for user max by LOGIN(uid=0)
Aug 5 18:01:12 leia login[6549]: pam_mount(pam_mount.c:553): pam_mount 2.4: entering session stage
Aug 5 18:01:12 leia login[6549]: pam_mount(misc.c:38): Session open: (e/ruid=0/0, e/rgid=0/0)
Aug 5 18:01:12 leia login[6549]: pam_mount(mount.c:196): Mount info: globalconf, user=max <volume fstype="crypt" server="(null)" path="/dev/sda8" mountpoint="/home/max" cipher="(null)" fskeypath="/home/max.key" fskeycipher="bf-cbc" fskeyhash="md5" options="cipher=serpent" /> fstab=0
Aug 5 18:01:12 leia login[6549]: command: 'mount.crypt' '-ofsk_cipher=bf-cbc' '-ofsk_hash=md5' '-okeyfile=/home/max.key' '-ocipher=serpent' '/dev/sda8' '/home/max'
Aug 5 18:01:12 leia login[6551]: pam_mount(misc.c:38): set_myuid<pre>: (e/ruid=0/0, e/rgid=0/0)
Aug 5 18:01:12 leia login[6551]: pam_mount(misc.c:38): set_myuid<post>: (e/ruid=0/0, e/rgid=0/0)
Aug 5 18:01:12 leia kernel: [ 1258.508744] device-mapper: table: 254:1: crypt: Error decoding and setting key
Aug 5 18:01:12 leia kernel: [ 1258.508752] device-mapper: ioctl: error adding target to table
Aug 5 18:01:12 leia login[6549]: pam_mount(mount.c:64): Errors from underlying mount program:
Aug 5 18:01:12 leia login[6549]: pam_mount(mount.c:68): crypt_activate: Invalid argument
Aug 5 18:01:13 leia login[6549]: pam_mount(pam_mount.c:521): mount of /dev/sda8 failed
Aug 5 18:01:13 leia login[6549]: command: 'pmvarrun' '-u' 'max' '-o' '1'
Aug 5 18:01:13 leia login[6560]: pam_mount(misc.c:38): set_myuid<pre>: (e/ruid=0/0, e/rgid=0/0)
Aug 5 18:01:13 leia login[6560]: pam_mount(misc.c:38): set_myuid<post>: (e/ruid=0/0, e/rgid=0/0)
Aug 5 18:01:13 leia login[6549]: pam_mount(pam_mount.c:440): pmvarrun says login count is 1
Aug 5 18:01:13 leia login[6549]: pam_mount(pam_mount.c:643): done opening session (ret=0)

So let's try using mount.crypt directly:
leia ~ # mount.crypt -v -ofsk_cipher=bf-cbc -ofsk_hash=md5 -okeyfile=/home/max.key -ocipher=serpent /dev/sda8 /home/max
command: 'readlink' '-fn' '/dev/sda8'
command: 'readlink' '-fn' '/home/max'
Password:
mount.crypt(crypto-dmc.c:142): Using _dev_sda8 as dmdevice name
crypt_activate: Invalid argument

No idea what is going on, and I have spent two days trying to fix the issue, so I am getting a bit frustrated...

Discussion

  • Jan Engelhardt
    2010-08-05

    • status: open --> open-accepted
     
  • Jan Engelhardt
    2010-08-05

    For the testcase database, can you tell me through which commands you constructed your key?

     
  • Aleister
    2010-08-05

    Generate random key:
    openssl rand -base64 79 >key
    Encrypt it:
    openssl enc -bf-cbc -in key -out key.encrypted

     
  • Jan Engelhardt
    2010-08-08

    • status: open-accepted --> pending-works-for-me
     
  • Jan Engelhardt
    2010-08-08

    You need to add hash=ripemd160,keysize=256 to the options list. (Hooray for cryptsetup's strange default behavior.)

     
  • Aleister
    2010-08-10

    • status: pending-works-for-me --> open-works-for-me
     
  • Aleister
    2010-08-10

    OK, that got me one step forward:
    mount.crypt -v -ofsk_cipher=bf-cbc -ofsk_hash=md5 -okeyfile=/home/max.key -ocipher=serpent -ohash=ripemd160 -okeysize=25 /dev/sda8 /home/max
    command: 'readlink' '-fn' '/dev/sda8'
    command: 'readlink' '-fn' '/home/max'
    Password:
    mount.crypt(crypto-dmc.c:142): Using _dev_sda8 as dmdevice name
    command: 'mount' '-n' '/dev/mapper/_dev_sda8' '/home/max'
    mount: you must specify the filesystem type
    mount failed with run_sync status 32

     
  • Jan Engelhardt
    2010-08-10

    keysize 256, not 25.

     
  • Jan Engelhardt
    2010-08-10

    • status: open-works-for-me --> pending-works-for-me
     
  • Aleister
    2010-08-11

    • status: pending-works-for-me --> open-works-for-me
     
  • Aleister
    2010-08-11

    Ah sorry, bad paste:

    mount.crypt -v -ofsk_cipher=bf-cbc -ofsk_hash=md5 -okeyfile=/home/max.key -ocipher=serpent -ohash=ripemd160 -okeysize=256 /dev/sda8 /home/max
    command: 'readlink' '-fn' '/dev/sda8'
    command: 'readlink' '-fn' '/home/max'
    Password:
    mount.crypt(crypto-dmc.c:142): Using _dev_sda8 as dmdevice name
    command: 'mount' '-n' '/dev/mapper/_dev_sda8' '/home/max'
    mount: you must specify the filesystem type
    mount failed with run_sync status 32

     
  • Jan Engelhardt
    2010-08-11

    • status: open-works-for-me --> open-works-for-me
     
  • Jan Engelhardt
    2010-08-11

    I really do not know what's wrong. If you have a system that I can log in, virtual machine or even the one itself, I can investigate, but locally it's a dead end.

     
  • Could it be some escape character or something in the key? I guess I'll just have to start over and try again when I find the time :)

     
  • Jan Engelhardt
    2010-08-11

    • status: open-works-for-me --> pending-works-for-me
     
  • Jan Engelhardt
    2010-08-11

    Now that you mention that... I skipped over your openssl at first, but now ran that and saw that it splits its output over multiple lines. Since you are simply piping that into cryptsetup (without special options), you created the volume using merely the first line of openssl output. (One way to do key weakening.) pam_mount on the other hand of course uses the entire openssl output.

     
    • status: pending-works-for-me --> closed-works-for-me
     
  • This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).
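
The mismatch diagnosed in the final comment, reproduced as an added example (not part of the ticket and not pam_mount or cryptsetup code): a key made from 79 random bytes in 64-column base64 spans two lines, so a reader that stops at the first newline and a reader that takes the whole file end up with different secrets. The function names and the fixed sample bytes are constructed for illustration.

```python
import base64
import io

def openssl_base64(raw: bytes, width: int = 64) -> bytes:
    """Base64 text wrapped every 64 columns, the layout `openssl rand -base64` prints."""
    b64 = base64.b64encode(raw)
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return b"\n".join(lines) + b"\n"

def passphrase_from_pipe(stream) -> bytes:
    """A passphrase read from a pipe: everything up to the first newline."""
    return stream.readline().rstrip(b"\n")

def whole_key(stream) -> bytes:
    """A consumer that uses the entire decrypted key file, newlines included."""
    return stream.read()

def single_line(material: bytes) -> bytes:
    """Same text with every newline removed, so both readers agree."""
    return material.replace(b"\n", b"")

def audit_key(material: bytes) -> dict:
    """Compare what the two readers would take from the same key material."""
    piped = passphrase_from_pipe(io.BytesIO(material))
    full = whole_key(io.BytesIO(material))
    return {
        "lines": material.count(b"\n"),
        "piped_len": len(piped),
        "full_len": len(full),
        "same_secret": piped == full,
        # Each base64 character carries 6 bits of the random input.
        "piped_bits": len(piped.rstrip(b"=")) * 6,
    }

# Constructed sample: 79 fixed bytes standing in for `openssl rand` output.
SAMPLE_RAW = bytes(range(79))
SAMPLE_KEY = openssl_base64(SAMPLE_RAW)

if __name__ == "__main__":
    print("wrapped key:", audit_key(SAMPLE_KEY))
    print("one line   :", audit_key(single_line(SAMPLE_KEY)))
```

With the wrapped key the piped reader keeps only the first 64 characters, which is why the volume created through the pipe could not be opened with the full key file.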