I’m getting this error when trying to mount a partition at /home/<useraccount>. I can’t quite see where the problem is, and the message is not specific enough to use it for diagnosis.
I’m running OpenSuSE 11.0 on a Dell Dimension 4600. Here’s what I’ve done:
- cryptsetup -v -c aes-cbc-essiv:sha256 luksFormat /dev/sdc1 /local/sdc1
  (/local/sdc1 contains the fskey.)
- cryptsetup -v luksOpen /dev/sdc1 dev_sdc1
- mkfs.xfs /dev/mapper/dev_sdc1
My /etc/security/pam_mount.conf.xml looks like this:
<?xml version="1.0" encoding="utf-8" ?>
<!-- See pam_mount.conf.xml.doc for usage information. -->
<pam_mount>
<debug enable="1" />
<mkmountpoint enable="1" remove="true" />
<fsckloop device="/dev/loop7" />
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<mntoptions deny="suid,dev" />
<mntoptions require="nosuid,nodev" />
<path>
/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
</path>
<lsof>
lsof %(MNTPT)
</lsof>
<fsck>
fsck -p %(FSCKTARGET)
</fsck>
<msg-authpw>
pam_mount password:
</msg-authpw>
<msg-sessionpw>
Reenter password for pam_mount:
</msg-sessionpw>
<volume fstype="crypt"
user="<useraccount>"
mountpoint="/home/<useraccount>"
path="/dev/sdc1"
fskeypath="/local/sdc1"
options="cipher=aes"
fskeycipher="aes-cbc-essiv:sha256" />
</pam_mount>
My /etc/pam.d/common-auth-pc contains
auth required pam_env.so
auth optional pam_mount.so
auth required pam_unix2.so use_first_pass
and my /etc/pam.d/common-session-pc contains
session required pam_limits.so
session required pam_unix2.so
session optional pam_umask.so
session optional pam_mount.so
When I start a tty session and log in as <useraccount>, these messages appear in /var/log/warn:
Nov 5 18:53:48 pinto login[19767]: pam_mount(rdconf1.c:810) ignoring volume record… (not for me)
Nov 5 18:53:48 pinto login[19767]: pam_mount(pam_mount.c:208) enter read_password
Nov 5 18:53:52 pinto login[19767]: pam_mount(pam_mount.c:317) saving authtok for session code
Nov 5 18:53:52 pinto login[19767]: pam_mount(rdconf1.c:810) ignoring volume record… (not for me)
Nov 5 18:53:52 pinto login[19767]: pam_mount(pam_mount.c:466) Entered pam_mount session stage
Nov 5 18:53:52 pinto login[19767]: pam_mount(pam_mount.c:487) back from global readconfig
Nov 5 18:53:52 pinto login[19767]: pam_mount(pam_mount.c:489) per-user configurations not allowed by pam_mount.conf.xml
Nov 5 18:53:52 pinto login[19767]: pam_mount(misc.c:56) Session open: (uid=0, euid=0, gid=0, egid=0)
Nov 5 18:53:52 pinto login[19767]: pam_mount(rdconf2.c:226) checking sanity of volume record (/dev/sdc1)
Nov 5 18:53:52 pinto login[19767]: pam_mount(pam_mount.c:541) about to perform mount operations
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:416) information for mount:
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:417) ----------------------
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:418) (defined by globalconf)
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:419) user: <useraccount>
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:420) server:
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:421) volume: /dev/sdc1
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:422) mountpoint: /home/<useraccount>
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:423) options: cipher=aes
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:424) fs_key_cipher: aes-cbc-essiv:sha256
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:425) fs_key_path: /local/sdc1
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:426) use_fstab: 0
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:427) ----------------------
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:182) realpath of volume "/home/<useraccount>" is "/home/<useraccount>"
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:186) checking to see if /dev/mapper/_dev_sdc1 is already mounted at /home/<useraccount>
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:880) checking for encrypted filesystem key configuration
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:889) decrypting FS key using system auth. token and aes-cbc-essiv:sha256
Nov 5 18:53:52 pinto login[19767]: pam_mount(crypto.c:154) error getting cipher "aes-cbc-essiv:sha256"
Nov 5 18:53:52 pinto login[19767]: pam_mount(pam_mount.c:544) mount of /dev/sdc1 failed
Nov 5 18:53:52 pinto login[19767]: pam_mount(pam_mount.c:140) clean system authtok (0)
Nov 5 18:53:52 pinto login[19767]: pam_mount(misc.c:285) command: [pmvarrun] [-u] [<useraccount>] [-o] [1]
Nov 5 18:53:52 pinto login[19986]: pam_mount(misc.c:56) set_myuid<pre>: (uid=0, euid=0, gid=0, egid=0)
Nov 5 18:53:52 pinto login[19986]: pam_mount(misc.c:56) set_myuid<post>: (uid=0, euid=0, gid=0, egid=0)
Nov 5 18:53:53 pinto login[19767]: pam_mount(pam_mount.c:431) pmvarrun says login count is 1
Nov 5 18:53:53 pinto login[19767]: pam_mount(pam_mount.c:554) done opening session (ret=3)
Here's what modprobe -l |grep 'dm-\|aes' shows me:
modprobe -l |grep 'dm-\|aes'
/lib/modules/2.6.25.20-0.5-pae/kernel/sound/pci/snd-maestro3.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/media/radio/radio-maestro.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-zero.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-snapshot.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-round-robin.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-region_hash.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-rdac.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-raid4-5.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-multipath.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-mod.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-mirror.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-message.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-mem-cache.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-log.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-hp-sw.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-emc.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-delay.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/md/dm-crypt.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/crypto/padlock-aes.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/drivers/crypto/geode-aes.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/crypto/aes_generic.ko
/lib/modules/2.6.25.20-0.5-pae/kernel/arch/x86/crypto/aes-i586.ko
Something seems to be missing, but what?
Leslie
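An added example, not part of the original post: a small triage script for pam_mount debug output in the format shown above. For each "mount of ... failed" line it reports the settings pam_mount logged for that volume and the nearest preceding error, with its source location. The function name `triage`, the sample lines (constructed from the excerpt) and the cipher-name hint are this example's own; the hint assumes that pam_mount resolves `fskeycipher` through OpenSSL, which uses names such as `aes-256-cbc` rather than dm-crypt specs.

```python
import re

# Constructed sample in the format of the /var/log/warn excerpt above.
SAMPLE = """\
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:421) volume: /dev/sdc1
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:424) fs_key_cipher: aes-cbc-essiv:sha256
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:425) fs_key_path: /local/sdc1
Nov 5 18:53:52 pinto login[19767]: pam_mount(mount.c:889) decrypting FS key using system auth. token and aes-cbc-essiv:sha256
Nov 5 18:53:52 pinto login[19767]: pam_mount(crypto.c:154) error getting cipher "aes-cbc-essiv:sha256"
Nov 5 18:53:52 pinto login[19767]: pam_mount(pam_mount.c:544) mount of /dev/sdc1 failed
"""

LINE = re.compile(r"pam_mount\((?P<src>[\w.]+):(?P<line>\d+)\) (?P<msg>.*)$")
FIELD = re.compile(r"^(?P<key>[a-z_]+): ?(?P<val>.*)$")
FAILED = re.compile(r"^mount of (?P<vol>\S+) failed$")


def triage(log_text):
    """Return one finding per failed mount: volume, logged settings, nearest error."""
    findings, settings, last_error = [], {}, None
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a pam_mount debug line
        msg = m["msg"].strip()
        failed = FAILED.match(msg)
        if failed:
            hints = []
            cipher = settings.get("fs_key_cipher", "")
            # Assumption: fskeycipher is looked up as an OpenSSL cipher name,
            # so a dm-crypt style spec ("cipher-mode-iv:hash") will not resolve.
            if ":" in cipher:
                hints.append("fs_key_cipher %r looks like a dm-crypt spec, "
                             "not an OpenSSL cipher name" % cipher)
            findings.append({"volume": failed["vol"], "settings": settings,
                             "error": last_error, "hints": hints})
            settings, last_error = {}, None  # start fresh for the next volume
        elif msg.startswith("error "):
            last_error = (m["src"], int(m["line"]), msg)
        else:
            f = FIELD.match(msg)
            if f:  # "key: value" lines from the "information for mount" block
                settings[f["key"]] = f["val"]
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding["volume"], finding["error"], finding["hints"])
```
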