#31 device-mapper: reload ioctl failed: Invalid argument

pam-mount
closed
pam-mount (40)
7
2014-08-19
2010-04-04
raglan_road
No

Hello,

I have not been able to use pam_mount for a long time now, ever since I switched from Gentoo to Debian. The command I can use to mount a partition manually is:

openssl bf-cbc -d -in /etc/crypt.keys/data.key.root | cryptsetup -c blowfish-cbc-essiv:sha256 -h sha512 -s 448 -b `blockdev --getsize /dev/sdb11` create data /dev/sdb11
mount /dev/mapper/data /crypto/data

However, the following block in /etc/security/pam_mount.conf.xml does not work:

<volume user="i"
path="/dev/sdb11"
mountpoint="/crypto/data"
fstype="crypt"
options="cipher=blowfish-cbc-essiv:sha256 hash=sha512 keysize=448"
fskeypath="/etc/crypt.keys/data.key.i"
fskeycipher="bf-cbc" />

I get the following error message when I try to log in:

pam_mount(pam_mount.c:100): unknown pam_mount option "use_first_pass"
pam_mount(pam_mount.c:314): pam_mount 1.33: entering auth stage
pam_mount(pam_mount.c:533): pam_mount 1.33: entering session stage
pam_mount(misc.c:38): Session open: (uid=1000, euid=0, gid=1000, egid=1000)
pam_mount(mount.c:196): Mount info: globalconf, user=i <volume fstype="crypt" server="(null)" path="/dev/sdb11" mountpoint="/crypto/data" cipher="(null)" fskeypath="/etc/crypt.keys/data.key.i" fskeycipher="bf-cbc" fskeyhash="(null)" options="cipher=blowfish-cbc-essiv:sha256 hash=sha512 keysize=448" /> fstab=0
command: [mount] [-t] [crypt] [-o cipher=blowfish-cbc-essiv:sha256 hash=sha512 keysize=448] [/dev/sdb11] [/crypto/data]
pam_mount(misc.c:38): set_myuid<pre>: (uid=1000, euid=0, gid=1000, egid=1000)
pam_mount(misc.c:38): set_myuid<post>: (uid=0, euid=0, gid=1000, egid=1000)
pam_mount(mount.c:64): Errors from underlying mount program:
pam_mount(mount.c:68): device-mapper: reload ioctl failed: Invalid argument
Filesystem Type 1K-blocks Used Available Use% Mounted on
/dev/sda3 ext3 3447140 308692 3138448 9% /
tmpfs tmpfs 1030164 0 1030164 0% /lib/init/rw
proc proc 0 0 0 - /proc
sysfs sysfs 0 0 0 - /sys
udev tmpfs 10240 2104 8136 21% /dev
tmpfs tmpfs 1030164 12 1030152 1% /dev/shm
devpts devpts 0 0 0 - /dev/pts
/dev/sda1 ext3 482214 27015 455199 6% /boot
/dev/sda7 ext3 2949028 69996 2879032 3% /opt
/dev/sda6 ext3 2949028 70348 2878680 3% /tmp
/dev/sda5 ext3 14761044 3337944 11423100 23% /usr
/dev/sda8 ext3 3937220 466472 3470748 12% /var
fusectl fusectl 0 0 0 - /sys/fs/fuse/connections
/dev/mapper/home
ext3 29530400 14008400 14021936 50% /home
pam_mount(pam_mount.c:501): mount of /dev/sdb11 failed
command: [pmvarrun] [-u] [i] [-o] [1]
pam_mount(misc.c:38): set_myuid<pre>: (uid=1000, euid=0, gid=1000, egid=1000)
pam_mount(misc.c:38): set_myuid<post>: (uid=0, euid=0, gid=1000, egid=1000)
pmvarrun(pmvarrun.c:248): parsed count value 2
pam_mount(pam_mount.c:424): pmvarrun says login count is 3
pam_mount(pam_mount.c:619): done opening session (ret=0)

What am I doing wrong?

Discussion

  • Jan Engelhardt

    Jan Engelhardt - 2010-04-04
    • status: open --> pending
     
  • Jan Engelhardt

    Jan Engelhardt - 2010-04-04

    Your options line

    options="cipher=blowfish-cbc-essiv:sha256 hash=sha512 keysize=448"

    looks quite malformed. Replace the spaces with commas. You also most likely need to specify the fskeyhash= parameter at the <volume> level to tell pam_mount which openssl hash you used.

     
  • raglan_road

    raglan_road - 2010-04-05

    Re: the options line, I've changed it to

    options="cipher=blowfish-cbc-essiv:sha256,hash=sha512,keysize=448"

    Now I get a different error message:

    pam_mount(pam_mount.c:314): pam_mount 1.33: entering auth stage
    pam_mount(pam_mount.c:533): pam_mount 1.33: entering session stage
    pam_mount(misc.c:38): Session open: (uid=1000, euid=0, gid=1000, egid=1000)
    pam_mount(mount.c:196): Mount info: globalconf, user=i <volume fstype="crypt" server="(null)" path="/dev/sdb11" mountpoint="/crypto/data" cipher="(null)" fskeypath="/etc/crypt.keys/data.key.i" fskeycipher="bf-cbc" fskeyhash="(null)" options="cipher=blowfish-cbc-essiv:sha256,hash=sha512,keysize=448" /> fstab=0
    command: [mount] [-t] [crypt] [-o cipher=blowfish-cbc-essiv:sha256,hash=sha512,keysize=448] [/dev/sdb11] [/crypto/data]
    pam_mount(misc.c:38): set_myuid<pre>: (uid=1000, euid=0, gid=1000, egid=1000)
    pam_mount(misc.c:38): set_myuid<post>: (uid=0, euid=0, gid=1000, egid=1000)
    pam_mount(mount.c:64): Errors from underlying mount program:
    pam_mount(mount.c:68): mount: you must specify the filesystem type
    pam_mount(mount.c:68): mount failed with run_sync status 32
    Filesystem Type 1K-blocks Used Available Use% Mounted on
    /dev/sda3 ext3 3447140 311908 3135232 10% /
    tmpfs tmpfs 1030164 0 1030164 0% /lib/init/rw
    proc proc 0 0 0 - /proc
    sysfs sysfs 0 0 0 - /sys
    udev tmpfs 10240 2092 8148 21% /dev
    tmpfs tmpfs 1030164 12 1030152 1% /dev/shm
    devpts devpts 0 0 0 - /dev/pts
    /dev/sda1 ext3 482214 27015 455199 6% /boot
    /dev/sda7 ext3 2949028 69996 2879032 3% /opt
    /dev/sda6 ext3 2949028 70048 2878980 3% /tmp
    /dev/sda5 ext3 14761044 3388872 11372172 23% /usr
    /dev/sda8 ext3 3937220 458008 3479212 12% /var
    fusectl fusectl 0 0 0 - /sys/fs/fuse/connections
    /dev/mapper/home
    ext3 29530400 14013988 14016348 50% /home
    pam_mount(pam_mount.c:501): mount of /dev/sdb11 failed
    command: [pmvarrun] [-u] [i] [-o] [1]
    pam_mount(misc.c:38): set_myuid<pre>: (uid=1000, euid=0, gid=1000, egid=1000)
    pam_mount(misc.c:38): set_myuid<post>: (uid=0, euid=0, gid=1000, egid=1000)
    pmvarrun(pmvarrun.c:248): parsed count value 1
    pam_mount(pam_mount.c:424): pmvarrun says login count is 2
    pam_mount(pam_mount.c:619): done opening session (ret=0)

    Re: the openssl hash, you've told me this before (tracker id 2891721). But (a) how do I know which openssl hash I used? I never specified a hash while creating the filesystem, as you can see from the manual (cryptsetup) command which works, and (b) why does pam_mount need this parameter now, when it used to work without fskeyhash before?

     
  • raglan_road

    raglan_road - 2010-04-05
    • status: pending --> open
     
  • raglan_road

    raglan_road - 2010-04-05

    OK, I've tried the following as "fskeyhash":

    md2, md4, md5, rmd160, sha, sha1, sah256, sha512

    and none of them worked. In fact, I do not think I used a hash while creating the encrypted filesystem key, because then the following command should not work:

    openssl bf-cbc -d -in /etc/crypt.keys/data.key.i | cryptsetup -c blowfish-cbc-essiv:sha256 -h sha512 -s 448 -b `blockdev --getsize /dev/sdb11` create data /dev/sdb11
    mount /dev/mapper/data /crypto/data

    but it does, when I supply my login password.

     
  • Jan Engelhardt

    Jan Engelhardt - 2010-04-07

    That seems to pretty much work for me however.

    1. echo -en "test\x00bar" | openssl bf-cbc >data.key
    2. modprobe brd
    3. openssl bf-cbc -d -in data.key | cryptsetup -c blowfish-cbc-essiv:sha256 -h sha512 -s 448 create data /dev/ram0
    4. mkfs.ext4 /dev/mapper/data
    5. cryptsetup remove data
    6. 'mount.crypt' '-ofsk_cipher=bf-cbc' '-ofsk_hash=md5' '-okeyfile=/home/jengelh/code/pam_mount/src/data.key' '-ocipher=blowfish-cbc-essiv:sha256,hash=sha512,keysize=448' '/dev/ram0' '/mnt'

    Using <volume fstype="crypt" path="/dev/ram0" mountpoint="/mnt" fskeypath="/home/jengelh/code/pam_mount/src/data.key" fskeycipher="bf-cbc" fskeyhash="md5" options="cipher=blowfish-cbc-essiv:sha256,hash=sha512,keysize=448" />

    I left out the -b option, yes; that seemed really redundant because cryptsetup can figure that out on its own.
    As far as I can reproduce, your case works with 1.33 (plus fskeyhash=md5).
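
A lint for the two points raised in this thread (whitespace inside options= and a key cipher given without fskeyhash=), added here as an example; it is not pam_mount code. The function name lint_volumes and the wrapping <pam_mount> root element are assumptions; the two sample volumes are the ones posted above.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the <volume> from the original report and the one from
# the maintainer's reproduction, each wrapped in an assumed root element.
REPORTED = '''<pam_mount>
<volume user="i" path="/dev/sdb11" mountpoint="/crypto/data" fstype="crypt"
  options="cipher=blowfish-cbc-essiv:sha256 hash=sha512 keysize=448"
  fskeypath="/etc/crypt.keys/data.key.i" fskeycipher="bf-cbc" />
</pam_mount>'''

WORKING = '''<pam_mount>
<volume fstype="crypt" path="/dev/ram0" mountpoint="/mnt"
  fskeypath="/home/jengelh/code/pam_mount/src/data.key"
  fskeycipher="bf-cbc" fskeyhash="md5"
  options="cipher=blowfish-cbc-essiv:sha256,hash=sha512,keysize=448" />
</pam_mount>'''


def lint_volumes(xml_text):
    """Return (path, finding) tuples for every <volume> element in the text."""
    findings = []
    for vol in ET.fromstring(xml_text).iter("volume"):
        path = vol.get("path", "?")
        options = vol.get("options", "")
        # The whole attribute is handed to mount as one -o argument, so the
        # settings must be comma-separated; whitespace fuses them together.
        if any(ch.isspace() for ch in options.strip()):
            findings.append((path, "options contains whitespace; use commas"))
        # An empty entry ("a,,b" or a trailing comma) is malformed as well.
        elif options and any(not o for o in options.split(",")):
            findings.append((path, "options has an empty entry"))
        # Advice from this thread: when the key file is decrypted with
        # fskeycipher, name the openssl hash with fskeyhash too.
        if vol.get("fskeycipher") and not vol.get("fskeyhash"):
            findings.append((path, "fskeycipher set but fskeyhash missing"))
    return findings


if __name__ == "__main__":
    for name, text in (("reported", REPORTED), ("working", WORKING)):
        for path, finding in lint_volumes(text):
            print(f"{name}: {path}: {finding}")
```

Run against the reported volume it flags both problems; the maintainer's volume passes clean.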

     
  • Jan Engelhardt

    Jan Engelhardt - 2010-04-07
    • status: open --> pending
     
  • Jan Engelhardt

    Jan Engelhardt - 2010-04-13
    • priority: 5 --> 7
     
  • Jan Engelhardt

    Jan Engelhardt - 2010-04-13

    I have also released v1.36 now. Though I don't expect anything changed for you, you are encouraged to try. There is also a t-crypt shell script provided in the source tarball that you can test, and hopefully augment with your failing case. A patch would be really welcome.

     
  • SourceForge Robot

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

     
  • SourceForge Robot

    • status: pending --> closed
     
