Login troubles

I could not log in to the user account uuss, which is encrypted in an img file:

journalctl -r
Jul 24 09:20:02 lin lightdm[3916]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Jul 24 09:20:01 lin kernel: broken atomic modeset userspace detected, disabling atomic
Jul 24 09:20:00 lin systemd-logind[964]: Session 4 logged out. Waiting for processes to exit.
Jul 24 09:20:00 lin display-manager[3845]: Error writing X authority: Failed to open X authority /home/uuss/.Xauthority: Permission denied
Jul 24 09:20:00 lin lightdm[4299]: pam_unix(lightdm:session): session opened for user uuss by (uid=0)
Jul 24 09:20:00 lin systemd[1]: Started User Manager for UID 1001.
# ls -la /home/uuss/.Xauthority
ls: cannot access '/home/uuss/.Xauthority': No such file or directory

So I’ve changed the owner from root to uuss:


chown  uuss:users /home/uuss.key
chown  uuss:users /home/uuss.img
chown -R uuss:users /home/uuss

I can log in since then, but the profile is almost empty.

I’ve tried to remove that user and recreate a new one using yast2, but there was a complaint that the uuss user was logged in:

ps aux | grep uuss
host      6475  0.0  0.0   8692   912 pts/4    S+   10:10   0:00 grep --color=auto uuss
uuss       22814  0.0  0.1  72600  8420 ?        Ss   09:54   0:00 /usr/lib/systemd/systemd --user
uuss       22815  0.0  0.0 267016  3080 ?        S    09:54   0:00 (sd-pam)
uuss       22835  0.0  0.0  39748  4220 ?        Ss   09:54   0:00 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
uuss       22878  0.0  0.0 281516  7040 ?        Ssl  09:54   0:00 /usr/lib/gvfs/gvfsd
uuss       22883  0.0  0.0 416052  7148 ?        Sl   09:54   0:00 /usr/lib/gvfs/gvfsd-fuse /run/user/1001/gvfs -f -o big_writes
uuss       23118  0.0  0.0  15860   444 ?        Ss   09:54   0:00 /usr/bin/ssh-agent -s
uuss       23203  0.0  0.1 311720  9296 ?        Ssl  09:54   0:00 /usr/lib/gvfs/gvfs-udisks2-volume-monitor
uuss       23216  0.0  0.0 344884  5980 ?        Ssl  09:54   0:00 /usr/lib/at-spi2/at-spi-bus-launcher
uuss       23223  0.0  0.0  39488  3976 ?        S    09:54   0:00 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
uuss       23226  0.0  0.0 268164  4580 ?        Ssl  09:54   0:00 /usr/lib/gvfs/gvfs-mtp-volume-monitor
uuss       23239  0.0  0.0 264288  5684 ?        Ssl  09:54   0:00 /usr/lib/gvfs/gvfs-goa-volume-monitor
uuss       23250  0.0  0.4 739084 33976 ?        Sl   09:54   0:00 /usr/lib/goa-daemon
uuss       23307  0.0  0.0 292928  7584 ?        Sl   09:54   0:00 /usr/lib/goa-identity-service
uuss       23318  0.0  0.0 349204  7520 ?        Ssl  09:54   0:00 /usr/lib/gvfs/gvfs-afc-volume-monitor
uuss       23340  0.0  0.0 280696  6232 ?        Ssl  09:54   0:00 /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
uuss       23421  0.0  0.0 357652  7584 ?        Sl   09:54   0:00 /usr/lib/gvfs/gvfsd-trash --spawner :1.3 /org/gtk/gvfs/exec_spaw/0

What is the best solution, please?

You have not said anything about what crypto you are using. I presume that is somehow involved.

Personally, I have “/home” encrypted (as part of an encrypted LVM). I have also experimented with using “ecryptfs” for an encrypted home directory. But there are other ways of doing that, and you need to indicate what you are using.

I’ve encrypted this profile using yast2 in an earlier version of openSUSE. There was no info about the encryption method used, so I don’t know what method was used.

Yast no longer offers that option. I think they dropped support for it. Perhaps it should still work after an upgrade, but it is not well supported.

The encrypted image is probably a LUKS encrypted container. You should be able to use “cryptsetup” to decrypt that for accessing the data.

It might be better to set up this user as a normal user. And then, if encryption is needed, perhaps it is sufficient to use an ecryptfs private directory, or to use Plasma Vaults (if you are a KDE user). Those would leave an unencrypted home directory for the user, but the sensitive files could be kept encrypted. And, after setting up the user that way, use “cryptsetup” to access the image file, and copy the user data to where it is wanted with the new setup.

For the record, I currently use an encrypted partition for “/home”, and an ecryptfs private directory within that as a second layer of crypto for anything particularly sensitive. I am also experimenting with Plasma Vaults, but I am not seriously using that at present.

The manual here (cryptsetup - Unix, Linux Command) says luksOpen requires a partition as a parameter, and the application output said so too. Is it possible to mount the img file as a “partition”?

I’ve never used a container in that way.

Maybe

cryptsetup luksOpen --type=loopaes ...other parameters...

might work.

Yes, a plain (unencrypted) image file can be mounted with a loopback mount. In my experience, the “mount” command recognizes this.

cryptsetup open --type=loopaes --key-file /home/u.key /home/u.img crloop
Incompatible loop-AES keyfile detected.


cryptsetup luksOpen --type=loopaes --key-file /home/u.key /home/u.img crloop
No key available with this passphrase.

I just tried working through what is described here:
https://blog.canadianwebhosting.com/how-to-create-an-encrypted-container/


I varied it a little.  I used a 100M container instead of the 1G container that they suggest.  And I used a manual password (that I type in when prompted) instead of a random key in a file.

It worked just fine in Tumbleweed.

I then booted to Leap 15.2 on the same system, and I was able to use "cryptsetup luksOpen" on the container, and mount it.

It should work the same way on Leap 15.1, but I don't have that on the same computer for testing.

Thank you. I’m sorry it did not solve my problem.
(Leap 15.1 was upgraded to 15.2)

That looks like the home directory was encrypted by cryptconfig. Could you check whether the first 8 bytes of uuss.key are equal to “Salted__”?

cryptconfig generated a random key and encrypted it using the user password; the encrypted key was stored in a file with the .key suffix. So you cannot use cryptsetup directly because you simply do not have the key. Unfortunately cryptconfig does not appear to be available for Leap 15.x anymore; the last version was for Leap 42.3. cryptconfig used OpenSSL with the aes-256-cbc symmetric cipher, but the encrypted material is prepended by magic and salt.

I would actually try whether cryptconfig from 42.3 runs under 15.1; it will be the easiest way to get access to the encrypted data. Failing that, try to build cryptconfig for 15.1, and if that also fails, well - it is still possible to manually extract the salt and use the “openssl enc” command with suitable parameters.
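
Added example (not part of the original posts and not cryptconfig's own code): a small Python check for the key-file layout described in the post above (“Salted__” magic, then the salt, then aes-256-cbc ciphertext), together with a test of whether the image starts with a LUKS header, as an earlier reply presumed. It only inspects headers and does not decrypt anything; the function names are hypothetical and the sample bytes are constructed.

```python
import struct
import sys

OPENSSL_MAGIC = b"Salted__"   # 8-byte prefix "openssl enc" writes before the salt
LUKS_MAGIC = b"LUKS\xba\xbe"  # first 6 bytes of a LUKS1/LUKS2 header
AES_BLOCK = 16                # aes-256-cbc ciphertext is a multiple of 16 bytes


def inspect_key_blob(blob: bytes) -> dict:
    """Check a .key file for the magic + salt + ciphertext layout."""
    if blob[:8] != OPENSSL_MAGIC:
        return {"format": "unknown"}
    if len(blob) < 16:
        return {"format": "openssl-salted", "valid": False,
                "reason": "file ends before the 8-byte salt is complete"}
    body = blob[16:]
    aligned = len(body) > 0 and len(body) % AES_BLOCK == 0
    return {"format": "openssl-salted", "valid": aligned,
            "salt": blob[8:16].hex(), "ciphertext_len": len(body)}


def inspect_image_header(header: bytes) -> dict:
    """Report whether the start of an image file is a LUKS header."""
    if len(header) < 8 or header[:6] != LUKS_MAGIC:
        return {"format": "not-luks"}
    (version,) = struct.unpack(">H", header[6:8])  # big-endian uint16
    return {"format": "luks", "version": version}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: script.py KEYFILE IMAGEFILE
        with open(sys.argv[1], "rb") as f:
            key_blob = f.read()
        with open(sys.argv[2], "rb") as f:
            img_head = f.read(8)
    else:
        # Constructed sample data, not taken from any real key or image.
        key_blob = OPENSSL_MAGIC + bytes(range(8)) + bytes(48)
        img_head = LUKS_MAGIC + b"\x00\x01"
    print("key file:", inspect_key_blob(key_blob))
    print("image   :", inspect_image_header(img_head))
```

A key file reported as "openssl-salted" with "valid": False (truncated salt or ciphertext not block-aligned) points to a damaged file rather than a wrong password.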

It runs under 15.2; one needs to install libopenssl1_0_0. I successfully created and opened an image using cryptconfig. It may even be possible to use the PAM module, but I leave it as an exercise to someone more interested :)

Many thanks, it works :)

Yes, first 8 bytes of uuss.key are equal to “Salted__”

GDM prevents login to an account stored in an encrypted file. Login works fine from a TTY or from lightdm (for example). Leap 15.2, 15.3

It has stopped working now. No error in journalctl. Has anyone else seen this error, please?