pam_mount(crypto.c:154) error getting cipher "aes-cbc-essiv:

I’m getting this error when trying to mount a partition at /home/<useraccount>. I can’t quite see where the problem is, and the message is not specific enough to use it for diagnosis.
I’m running OpenSuSE 11.0 on a Dell Dimension 4600. Here’s what I’ve done:

  1. cryptsetup -v -c aes-cbc-essiv:sha256 luksFormat /dev/sdc1 /local/sdc1
    (/local/sdc1 contains the fskey.)

  2. cryptsetup -v luksOpen /dev/sdc1 dev_sdc1

  3. mkfs.xfs /dev/mapper/dev_sdc1

My /etc/security/pam_mount.conf.xml looks like this:

<?xml version="1.0" encoding="utf-8" ?>
<!-- See pam_mount.conf.xml.doc for usage information. -->
<pam_mount>
<debug enable="1" />
<mkmountpoint enable="1" remove="true" />
<fsckloop device="/dev/loop7" />
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<mntoptions deny="suid,dev" />
<mntoptions require="nosuid,nodev" />
<path>
/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
</path>
<lsof>
lsof %(MNTPT)
</lsof>
<fsck>
fsck -p %(FSCKTARGET)
</fsck>
<msg-authpw>
pam_mount password:
</msg-authpw>
<msg-sessionpw>
Reenter password for pam_mount:
</msg-sessionpw>
<volume fstype="crypt"
user="<useraccount>"
mountpoint="/home/<useraccount>"
path="/dev/sdc1"
fskeypath="/local/sdc1"
options="cipher=aes"
fskeycipher="aes-cbc-essiv:sha256" />
</pam_mount>

My /etc/pam.d/common-auth-pc contains

auth required pam_env.so
auth optional pam_mount.so
auth required pam_unix2.so use_first_pass

and my /etc/pam.d/common-session-pc contains

session required pam_limits.so
session required pam_unix2.so
session optional pam_umask.so
session optional pam_mount.so

When I start a tty session and login <useraccount> these messages appear in /var/log/warn:

Nov 5 18:53:48 pinto login[19767]: pam_mount(rdconf1.c:810) ignoring volume record… (not for me)
Nov 5 18:53:48 pinto login[19767]: pam_mount(pam_mount.c:208) enter read_password
Nov 5 18:53:52 pinto login[19767]: pam_mount(pam_mount.c:317) saving authtok for session code
Nov 5 18:53:52 pinto login[19767]: pam_mount(rdconf1.c:810) ignoring volume record… (not for me)
Nov 5 18:53:52 pinto login[19767]: pam_mount(pam_mount.c:466) Entered pam_mount session stage
Nov 5 18:53:52 pinto login[19767]: pam_mount(pam_mount.c:487) back from global readconfig
Nov 5 18:53:52 pinto login[19767]: pam_mount(pam_mount.c:489) per-user configurations not allowed by pam_mount.conf.xml
Nov 5 18:53:52 pinto login[19767]: pam_mount(misc.c:56) Session open: (uid=0, euid=0, gid=0, egid=0)
Nov 5 18:53:52 pinto login[19767]: pam_mount(rdconf2.c:226) checking sanity of volume record (/dev/sdc1)
Nov 5 18:53:52 pinto login[19767]: pam_mount(pam_mount.c:541) about to perform mount operations
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:416) information for mount:
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:417) ----------------------
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:418) (defined by globalconf)
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:419) user: <useraccount>
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:420) server:
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:421) volume: /dev/sdc1
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:422) mountpoint: /home/<useraccount>
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:423) options: cipher=aes
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:424) fs_key_cipher: aes-cbc-essiv:sha256
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:425) fs_key_path: /local/sdc1
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:426) use_fstab: 0
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:427) ----------------------
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:182) realpath of volume "/home/<useraccount>" is "/home/<useraccount>"
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:186) checking to see if /dev/mapper/_dev_sdc1 is already mounted at /home/<useraccount>
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:880) checking for encrypted filesystem key configuration
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:889) decrypting FS key using system auth. token and aes-cbc-essiv:sha256
Nov 5 18:53:52 pinto login[19767]: pam_mount(crypto.c:154) error getting cipher "aes-cbc-essiv:sha256"
Nov 5 18:53:52 pinto login[19767]: pam_mount(pam_mount.c:544) mount of /dev/sdc1 failed
Nov 5 18:53:52 pinto login[19767]: pam_mount(pam_mount.c:140) clean system authtok (0)
Nov 5 18:53:52 pinto login[19767]: pam_mount(misc.c:285) command: [pmvarrun] [-u] [<useraccount>] [-o] [1]
Nov 5 18:53:52 pinto login[19986]: pam_mount(misc.c:56) set_myuid<pre>: (uid=0, euid=0, gid=0, egid=0)
Nov 5 18:53:52 pinto login[19986]: pam_mount(misc.c:56) set_myuid<post>: (uid=0, euid=0, gid=0, egid=0)
Nov 5 18:53:53 pinto login[19767]: pam_mount(pam_mount.c:431) pmvarrun says login count is 1
Nov 5 18:53:53 pinto login[19767]: pam_mount(pam_mount.c:554) done opening session (ret=3)

Here's what modprobe -l |grep 'dm-\|aes' shows me:

modprobe -l |grep 'dm-\|aes'
/lib/modules/2.6.25.20-0.5-pae/kernel/sound/pci/snd-maestro3.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/media/radio/radio-maestro.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-zero.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-snapshot.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-round-robin.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-region_hash.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-rdac.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-raid4-5.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-multipath.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-mod.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-mirror.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-message.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-mem-cache.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-log.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-hp-sw.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-emc.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-delay.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-crypt.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/crypto/padlock-aes.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/crypto/geode-aes.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/crypto/aes_generic.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/arch/x86/crypto/aes-i586.ko

Something seems to be missing, but what?

Leslie

The fskeypath attribute is for specifying a keyfile that will be decrypted with OpenSSL.

So I should not have used it in the pam_mount <volume…> specification?

Where is fskeypath documented? There do not seem to be any useful descriptions of the attributes that pam_mount.conf.xml accepts; not in the comments in the file itself, nor in man pam_mount, and nothing in man cryptsetup either.

Documentation goes into manpages, and preferably does not clutter up the config file (because that makes it even harder to automatically upgrade it than it already is). See the pam_mount.conf.xml(5) manpage.
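
The point made in the thread, that the fskeypath key file is decrypted with OpenSSL, means fskeycipher has to be an OpenSSL cipher name, while "aes-cbc-essiv:sha256" is a dm-crypt cipher spec. The following is an added example, not code from the thread or from pam_mount: a small linter that flags that mismatch in a config. The names `lint_fskey` and `DMCRYPT_SPEC`, the placeholder users and the second volume (with the OpenSSL name `aes-256-cbc` for contrast) are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# dm-crypt cipher specs look like cipher-chainmode-ivmode[:ivopts], e.g.
# "aes-cbc-essiv:sha256". The trailing IV-generator part marks them as
# dm-crypt names rather than OpenSSL cipher names such as "aes-256-cbc".
DMCRYPT_SPEC = re.compile(
    r"^[a-z0-9_]+-[a-z0-9]+-"
    r"(plain|plain64|plain64be|essiv|benbi|null|lmk|tcw|random|eboiv)"
    r"(:[a-z0-9]+)?$"
)

# Constructed sample: the first <volume> mirrors the one in the post
# (placeholder user names), the second is a contrasting entry.
SAMPLE_CONF = """<pam_mount>
<volume fstype="crypt" user="USERACCOUNT" mountpoint="/home/USERACCOUNT"
        path="/dev/sdc1" fskeypath="/local/sdc1"
        options="cipher=aes" fskeycipher="aes-cbc-essiv:sha256" />
<volume fstype="crypt" user="OTHERUSER" mountpoint="/home/OTHERUSER"
        path="/dev/sdd1" fskeypath="/local/sdd1"
        fskeycipher="aes-256-cbc" />
</pam_mount>
"""


def lint_fskey(conf_xml):
    """Return (volume path, problem) pairs for suspicious fskeycipher values."""
    findings = []
    for vol in ET.fromstring(conf_xml).iter("volume"):
        cipher = vol.get("fskeycipher")
        # Only volumes that use an OpenSSL-encrypted key file are relevant.
        if not vol.get("fskeypath") or not cipher:
            continue
        if DMCRYPT_SPEC.match(cipher.lower()):
            findings.append((
                vol.get("path", "?"),
                "fskeycipher %r is a dm-crypt spec, "
                "not an OpenSSL cipher name" % cipher,
            ))
    return findings


if __name__ == "__main__":
    for path, problem in lint_fskey(SAMPLE_CONF):
        print("%s: %s" % (path, problem))
```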