pam-config / sssd / ecryptfs

After setting up login via sssd (Kerberos + LDAP), the encrypted home (ecryptfs) of an existing local user is not decrypted any more after login. Running "ecryptfs-mount-private" solves it, but it breaks the sddm + KDE login.

I read that /etc/pam.d/system-auth should look like this:

auth sufficient pam_sss.so forward_pass

in Arch Linux (I guess by hand). Can anyone help me to get this working with SUSE?

What I don't understand: as far as I have seen, there is no system-auth, but the file common-auth, which is generated by pam-config. I guess I should change this?

Studying the docs of pam-config, I have not found a way to tell it

  1. to change the order (currently pam_ecryptfs.so comes before pam_sss.so)
  2. to replace use_first_pass with forward_pass in the pam_sss line

Is there a way to do so with pam-config?

After installing “ecryptfs”, I find that I need to run (as root):

pam-config -a --ecryptfs

and that fixes the problem. Manual editing of files in “/etc/pam.d” only gives a temporary fix, which will break when there is some future pam change. The command that I suggest seems to be more permanent.

No, it doesn't work. If so, only until reboot, while the changes have not been reloaded. For me, encryption unwrapping does not work as soon as any other PAM module is inserted. After removing sss and krb5, e.g., only having ecryptfs activated via pam-config works. It doesn't matter in which order I activate the modules with pam-config.

This is how it looks when "working":

common-account

account required        pam_unix.so     try_first_pass

common-auth

auth    required        pam_env.so
auth    required        pam_unix.so     try_first_pass
auth    required        pam_ecryptfs.so unwrap

common-password

password        requisite       pam_cracklib.so
password        required        pam_unix.so     use_authtok nullok shadow try_first_pass

common-session

session optional        pam_systemd.so
session required        pam_limits.so
session required        pam_unix.so     try_first_pass
session optional        pam_umask.so
session optional        pam_ecryptfs.so unwrap
session optional        pam_env.so

After "pam-config -a --sss":

common-account

account requisite       pam_unix.so     try_first_pass
account sufficient      pam_localuser.so
account required        pam_sss.so      use_first_pass

common-auth

auth    required        pam_env.so
auth    sufficient      pam_unix.so     try_first_pass
auth    required        pam_ecryptfs.so unwrap
auth    required        pam_sss.so      use_first_pass

common-password

password        requisite       pam_cracklib.so
password        sufficient      pam_unix.so     use_authtok nullok shadow try_first_pass
password        required        pam_sss.so      use_authtok

common-session

session optional        pam_systemd.so
session required        pam_limits.so
session required        pam_unix.so     try_first_pass
session optional        pam_sss.so
session optional        pam_umask.so
session optional        pam_ecryptfs.so unwrap
session optional        pam_env.so

This is not working: encryption of home is not done any more at login, leaving me stuck with a quite empty home until I run "ecryptfs-mount-private" by hand.

I have played around with those files (knowing that they will be overwritten), but I have not found a way to make it work like this:

  • First, try sssd user auth
  • If the user is known to sssd, take the password and pass it to ecryptfs for unwrapping
  • If the sssd account fails, take the local account
  • If this works, pass the password to ecryptfs
  • If none of those work -> deny

Can you tell me how those files should look? If we figure that out, I may open an issue and do a push to pam-config to get this working automagically. I can do so on GitHub and have already compiled it.

It's just me not knowing how to set up PAM the right way. Any docs I have found are not for openSUSE and do not work as described.

It is working fine here.

To be fair, though, I use an ecryptfs private directory. I do not use an encrypted home directory. However, "/home" is LUKS encrypted. I have used an ecryptfs encrypted home directory, but that was several years ago. I don't think it should be much different.

Skipping the “#comment” lines:

common-account

account required        pam_unix.so     try_first_pass

common-auth

auth    required        pam_env.so      
auth    optional        pam_gnome_keyring.so
auth    required        pam_unix.so     try_first_pass 
auth    required        pam_ecryptfs.so unwrap

common-password

password        requisite       pam_cracklib.so 
password        optional        pam_gnome_keyring.so    use_authtok
password        required        pam_unix.so     use_authtok nullok shadow try_first_pass

common-session

session optional        pam_systemd.so
session required        pam_limits.so   
session required        pam_unix.so     try_first_pass 
session optional        pam_umask.so    
session optional        pam_gnome_keyring.so    auto_start only_if=gdm,gdm-password,lxdm,lightdm,mdm,sddm 
session optional        pam_ecryptfs.so unwrap
session optional        pam_env.so
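As an added illustration (not from this thread and not part of pam-config): a small Python script that parses pam.d-style stacks and dry-runs the auth group with libpam's keyword semantics (required, requisite, sufficient, optional; bracketed controls such as [success=1 default=ignore] are rejected rather than guessed at). It takes the two common-auth stacks posted above (the one that worked before sssd, and the one written by `pam-config -a --sss`) and, for a local user whose password pam_unix accepts, reports which modules are actually reached, plus whether the two properties asked for in the first post hold (pam_sss.so ahead of pam_ecryptfs.so, and forward_pass on pam_sss.so). The dry run makes visible that in the `-a --sss` stack the successful `sufficient` pam_unix.so line ends the auth group before pam_ecryptfs.so is ever called, which is why module order is not cosmetic here. The comment line in the first sample is constructed, and the success/failure outcomes fed to the dry run are assumptions, not observed results.

```python
"""Added example: parse /etc/pam.d-style stacks and dry-run the auth phase.

The two common-auth stacks below are copied from the thread (the one that
worked without sssd, and the one pam-config wrote after '-a --sss'). The
dry run models only the four classic control keywords; bracketed controls
such as [success=1 default=ignore] raise instead of being approximated.
"""
import re
from dataclasses import dataclass, field

# common-auth as posted when ecryptfs unwrapping still worked (no sssd yet);
# the leading comment line is constructed to exercise comment handling
WORKING_COMMON_AUTH = """\
#%PAM-1.0  (constructed comment line)
auth    required        pam_env.so
auth    required        pam_unix.so     try_first_pass
auth    required        pam_ecryptfs.so unwrap
"""

# common-auth as posted after 'pam-config -a --sss'
SSS_COMMON_AUTH = """\
auth    required        pam_env.so
auth    sufficient      pam_unix.so     try_first_pass
auth    required        pam_ecryptfs.so unwrap
auth    required        pam_sss.so      use_first_pass
"""

# type, control (keyword or [bracketed]), module, optional arguments
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PamLine:
    mtype: str                 # auth / account / password / session
    control: str               # required / requisite / sufficient / optional / "[...]"
    module: str                # e.g. pam_sss.so
    args: list = field(default_factory=list)


def parse_pam(text):
    """Parse one pam.d file body; '#' comments and blank lines are skipped."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        mtype, control, module, rest = m.groups()
        stack.append(PamLine(mtype, control, module, rest.split()))
    return stack


def module_order(stack, mtype="auth"):
    """Module names of one management group, in stack order."""
    return [l.module for l in stack if l.mtype == mtype]


def check_requirements(stack):
    """The two properties the original poster wanted pam-config to produce:
    pam_sss.so ahead of pam_ecryptfs.so, and pam_sss.so carrying forward_pass."""
    auth = [l for l in stack if l.mtype == "auth"]
    mods = [l.module for l in auth]
    sss = next((l for l in auth if l.module == "pam_sss.so"), None)
    ordered = (sss is not None and "pam_ecryptfs.so" in mods
               and mods.index("pam_sss.so") < mods.index("pam_ecryptfs.so"))
    return {"sss_before_ecryptfs": ordered,
            "sss_forward_pass": sss is not None and "forward_pass" in sss.args}


def run_auth_stack(stack, outcomes):
    """Dry-run the auth group with libpam's keyword semantics.

    outcomes maps module name -> True (PAM_SUCCESS) or False (any failure);
    modules not listed are assumed to succeed. Returns (overall_ok, executed)
    so the caller can see which modules were reached at all.
    """
    executed, required_failed = [], False
    for l in stack:
        if l.mtype != "auth":
            continue
        if l.control.startswith("["):
            raise NotImplementedError(f"bracketed control not modelled: {l.control}")
        executed.append(l.module)
        ok = outcomes.get(l.module, True)
        if l.control == "requisite" and not ok:
            return False, executed            # fail immediately
        if l.control == "required" and not ok:
            required_failed = True            # keep going, but the stack fails
        if l.control == "sufficient" and ok and not required_failed:
            return True, executed             # short-circuit: nothing below runs
        # optional: ignored for the verdict while other modules decide it
    return (not required_failed), executed


if __name__ == "__main__":
    for name, text in (("working", WORKING_COMMON_AUTH), ("after -a --sss", SSS_COMMON_AUTH)):
        stack = parse_pam(text)
        # assumed scenario: local user, pam_unix accepts the password
        verdict, reached = run_auth_stack(stack, {"pam_unix.so": True})
        print(f"{name}: order={module_order(stack)}")
        print(f"  local-user dry run: ok={verdict}, modules reached={reached}")
        print(f"  requested properties: {check_requirements(stack)}")
```

The same parser can be pointed at the real files with `parse_pam(open("/etc/pam.d/common-auth").read())` after each pam-config run, to see what the tool actually wrote rather than what the man page promises.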