Ubuntu
ecryptfs-utils package

Ecryptfs,cryptsetup p/w prompt enter key failures

Bug #1258900 reported by MetaChrome
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cryptsetup
New
Undecided
Unassigned
ecryptfs-utils (Ubuntu)
New
Undecided
Unassigned
libpam-mount (Ubuntu)
Incomplete
Undecided
Unassigned

Bug Description

1. With ecryptsfs:

/etc/fstab:
/root/ecfs_data /root/ecfs ecryptfs rw,exec,suid 0 0

a) Pressing the enter key quickly with no other input returns that some input is required.
b) Pressing the enter key the first time subsequent to some input appears to append a return character to the password string. Pressing the enter subsequent to that submits the now incorrect password resulting in failure.
c) If you hold the enter key, it sends multiple return characters, some times some of them appear to be appended to the password string, until eventually they start being sent to subsequent prompts. It would appear that sometimes multiple return characters are added to the password string because the signatures change on various attempts.

c) may be relevant in the sense that the holding the enter key in #2 facilitates a workaround.

2. The password prompt created by cryptsetup exhibits similar behavior but can be worked around by holding the enter key.

/etc/fstab:
/root/e_data /root/e crypto_LUKS defaults 0 0

b) Pressing the enter key without any input specifies that the password was incorrect.
a) Pressing the enter key the first time subsequent to some input appears to append a return character to the password string. A subsequent press of the enter key submits the now incorrect password.
c) Holding the enter key subsequent to entering the password facilitates mounting. However, there are no further messages specifying success. Boot continues.

In both instances of #1 and #2, the data from previous boot instructions appears past the `Password:` semicolon, ie:

Password: /dev/sda1: 333 files, 13026/126976 clusters

This does not appear to affect the success of 2.c.

3. The following may look like it is unrelated but consider the fact that the password prompt is not halted and the fact that this should in fact work.

The reason why I think the following is related is because I think that it's possible that it is returning from the password prompt and failing the crypttab execution asynchronously if that is perhaps how the relevant executables (upstart?) operate.

/etc/crypttab:
swap_e /dev/sda8 /dev/urandom swap

/etc/fstab:
/dev/mapper/swap_e none swap sw 0 0 #<-- if this is before the next line, it specifies that /dev/mapper/swape does not exist, and auto returns from the ecryptfs password prompt
/root/ecfs_data /root/ecfs ecryptfs rw,exec,suid 0 0

As specified, when the ecryptfs mount entry in fstab is after the swap mount, it specifies that the /dev/mapper/swape disk does not exist and auto skips the ecryptfs mount, auto returning from the password prompt and said mount failure is not recorded in /var/log/boot.log.

System:

Ubuntu 12.04.3 LTS
ecryptfs-utils 96-0ubuntu3
cryptsetup-luks 2:1.6.1-1ubuntu1
libpam-mount 2.14-1

See original description
MetaChrome (imagenesis)
description: updated
description: updated
MetaChrome (imagenesis)
description: updated
Revision history for this message
Steve Langasek (vorlon) wrote :

> /etc/fstab:
> /root/e_data /root/e crypto_LUKS defaults 0 0

What are you expecting this to do? crypto_LUKS is not a filesystem. There's no way this is going to do anything meaningful.

> cryptsetup-luks 2:1.6.1-1ubuntu1

There is no such package in Ubuntu.

> 2. The password prompt created by cryptsetup exhibits
> similar behavior but can be worked around by holding the enter key.

cryptsetup does not at boot prompt for passphrases in Ubuntu. It communicates with plymouth for prompting. Please provide information about the plymouth configuration on your machine (including /proc/cmdline).

> 1. With ecryptsfs:

> /etc/fstab:
> /root/ecfs_data /root/ecfs ecryptfs rw,exec,suid 0 0

ecryptfs is designed for cases where an encrypted filesystem is *not* mounted at boot, but instead mounted at user login (and unmounted at user logout). I have no idea what the behavior is of ecryptfs if used from /etc/fstab. How is ecryptfs prompting for a passphrase? If it is bypassing plymouth, then this is a bug in ecryptfs-utils, and the error you're experiencing is because it's fighting plymouth for the console. Plymouth owns the console exclusively at boot.

affects: upstart → cryptsetup (Ubuntu)
Changed in cryptsetup (Ubuntu):
status: New → Incomplete
Revision history for this message
MetaChrome (imagenesis) wrote :

>What are you expecting this to do? crypto_LUKS is not a filesystem. There's no way this is going to do anything meaningful.

crypto_LUKS is a mount extension provided by libpam-mount and its functionality does not fail outside of the scope of the specified behavior.

that is the package specified as provided by `apt-cache show cryptsetup`.

http://pastebin.com/G5Ynhtix

This package is possibly relevant because crypt_LUKS probably functions along the lines of being a script that does:

losetup
cryptsetup
mount

>cryptsetup does not at boot prompt for passphrases in Ubuntu. It communicates with plymouth for prompting. Please provide >information about the plymouth configuration on your machine (including /proc/cmdline).

plymouth version information: http://pastebin.com/zCLrGUms

>ecryptfs is designed for cases where an encrypted filesystem is *not* mounted at boot, but instead mounted at user login (and >unmounted at user logout). I have no idea what the behavior is of ecryptfs if used from /etc/fstab. How is ecryptfs prompting >for a passphrase? If it is bypassing plymouth, then this is a bug in ecryptfs-utils, and the error you're experiencing is because >it's fighting plymouth for the console. Plymouth owns the console exclusively at boot.

1. Considering that the issues are quite similar on 2 different password prompts, please consider the possibility that this behavior is caused outside the scope ecryptfs despite the possibility of a lack of explicit support for mounting at boot.
2. Please consider whether there is an explicit expectation of the specified failure.

Please consider whether there is no implicit support for mount at boot or implicit interaction with the plymouth package. I don't know the abstractions provided by boot/plymouth, but would not a generic prompt for input, be correctly handled at boot, without the need for interfacing with plymouth, facilitating an implicit expectation of functionality at boot?

Revision history for this message
MetaChrome (imagenesis) wrote :

Considering that the behavior of ecryptfs and crypto_LUKS is undefined at this time with regards to mount at boot, I will provide behavior of cryptsetup at boot to see if the crypto_LUKS behavior is presumed caused by a call to cryptsetup.

The reason I am using crypto_LUKS is because I am mounting a container not a partition.

Revision history for this message
Steve Langasek (vorlon) wrote :

> crypto_LUKS is a mount extension provided by libpam-mount and its
> functionality does not fail outside of the scope of the specified
> behavior.

Ah. Then this is a libpam-mount bug, for sure, for doing something that is communicating directly with the console.

affects: cryptsetup (Ubuntu) → libpam-mount (Ubuntu)
Changed in libpam-mount (Ubuntu):
status: Incomplete → New
Revision history for this message
Robie Basak (racb) wrote :

Please can you provide exact steps to reproduce on a fresh VM, including setup of appropriate ecryptfs/LUKS volumes? Once done, please change the bug status back to New. Thanks!

Changed in libpam-mount (Ubuntu):
status: New → Incomplete
Revision history for this message
MetaChrome (imagenesis) wrote :

This bug remains. I was only able to resolve it functionally by specifying a one letter p/w. With multiple character passwords, it becomes impossible to submit the correct p/w. (both with regards to libpam which is what I care about)

You want me to specify how to create a standard luks file container?

!#/bin/bash
file=/acc/t_data
mnt=/acc/t
lo=/dev/loop1
name=t
dd if=/dev/zero of=$file bs=1MB count=5
losetup $lo $file
cryptsetup luksFormat $lo
cryptsetup luksOpen $lo $name
mkfs.ext4 /dev/mapper/$name

The fstab is:

/acc/t_data /acc/t crypto_LUKS defaults 0 0

Revision history for this message
MetaChrome (imagenesis) wrote :

Do you understand that these specified bugs with Plymouth's behavior and/or these critical crypto packages make it impossible to encrypt on boot with a passphrase?

This is a fundamental feature and critical to running encrypted services. Encryption of the home directory is functionally useless for servers.

Revision history for this message
MetaChrome (imagenesis) wrote :

In addition encrypting on boot with a USB is not a reasonable workflow in many cases for multiple reasons. Please specify how to go about fixing these bugs namely:

1. Are these bugs stemming from unexpected behavior of Plymouth from the standpoint of the API used by these programs. Eg, please specify in psuedocode how the password prompt is initiated and closed by these scripts.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.