[pkg-cryptsetup-devel] Bug#758788: Bug#758788: cryptsetup: Passphrase caching broken in decrypt_keyctl

Jonas Meurer jonas at freesources.org
Fri Oct 10 13:34:16 UTC 2014


Hey Luc,

On 10.10.2014 at 10:29, Luc Maisonobe wrote:
> On 09/10/2014 10:39, Jonas Meurer wrote:
>> I see. But you don't need to resize your filesystems or go through
>> similar hassle. Simply use file containers for testing. The following
>> commands should setup a testing environment (use carefully, even though
>> I tested them):
>>
>> # dd if=/dev/urandom of=/cont1 bs=1M count=3
>> # dd if=/dev/urandom of=/cont2 bs=1M count=3
>> # echo "testpw" | cryptsetup luksFormat /cont1
>> # echo "testpw" | cryptsetup luksFormat /cont2
>> # echo "cont1_crypt /cont1 pw1 luks,keyscript=decrypt_keyctl" \
>> 	>> /etc/crypttab
>> # echo "cont2_crypt /cont2 pw1 luks,keyscript=decrypt_keyctl" \
>> 	>> /etc/crypttab
>> # cryptdisks_start cont1_crypt
>> # cryptdisks_start cont2_crypt
> 
> On the first invocation (for cont1_crypt), I got this dialog:
> 
> root at marislae:~# cryptdisks_start cont1_crypt
> [[....] Starting crypto disk...[info] cont1_crypt (starting)...
> Caching passphrase for /cont1:  ******
> keyctl_set_timeout: Permission denied
> Error setting timeout on key (2524288), removing
> Caching passphrase for /cont1:  ******
> keyctl_set_timeout: Permission denied
> Error setting timeout on key (612589418), removing
> 
> [Here I pressed <ctrl-C> to stop the attempts]
> 
> Caching passphrase for /cont1:  Error reading the passphrase.
> 
> 
> I was running the commands as root. I initially logged in to the
> computer via SSH as a regular user, then did "sudo -i" to get root
> access, if this matters. As I suspected this may be a problem, I
> allowed root direct SSH access and tried again, logging in directly
> to the root account; this time it worked:

Interesting, I never saw this kind of problem before. I'm testing on a
laptop with Ubuntu 14.04 installed and use 'sudo -i' a lot. Indeed I
used it for testing the commands above as well. For me it worked. But
let's keep that aside. It's another issue and out of scope for this
bug report ;)

> root at marislae:~# cryptdisks_start cont1_crypt
> [....] Starting crypto disk...[info] cont1_crypt (starting)...
> Caching passphrase for /cont1:  ******
> [ ok _crypt (started)...done.
> root at marislae:~# cryptdisks_start cont2_crypt
> [....] Starting crypto disk...[info] cont2_crypt (starting)...
> Using cached passphrase for /cont2.
> [ ok _crypt (started)...done.
> root at marislae:~#
> 
> The /dev/mapper/cont1_crypt and /dev/mapper/cont2_crypt did appear
> correctly.

Looks like it worked for you as well this time. Do you still see the
bug during the boot process with your older decrypt_keyctl setup? Did
you try the test setup from above during the boot process? It would be
helpful to know whether the keyscript works during the boot process
with the test setup (it does for me), and what the exact difference is
between your older decrypt_keyctl devices and the new test ones.

> Is there a way I could check the keyring just after boot, before it is
> cleared? I could probably set up an independent init script to run after
> the disks are mounted to dump the list of keys in the keyring to some
> file in /tmp so I can retrieve them once the system is up and debug. I
> think I could do this using some keyctl command, but don't know which
> one to use for a given entry in /etc/crypttab. Should it be simply
> "keyctl list pw1" in the case of your example or something else? I saw
> in the decrypt_keyctl script some cryptkey-$1 identifier (probably used
> with an _ appended). How could I use this?

The script uses the user keyring '@u' for storing the cryptdisks key.
You can list the keyring with 'keyctl list @u'. In order to get the
particular key from the keyring, do 'keyctl search @u user
<IDENTIFIER>', where <IDENTIFIER> is cryptkey-pw1 in the example.
Then you get the key id, which is needed to get the key itself using
'keyctl print <KEY-ID>' or 'keyctl pipe <KEY-ID>'.

If you want to output all values during keyscript invocation for
debugging purposes, the easiest way is to modify the script at
/lib/cryptsetup/decrypt_keyctl. Add the following just after the last
line of the script:

printf 'BEGIN DECRYPT_KEYCTL DEBUG OUTPUT\nid: %s | key id: %s\nkey content: %s\nkey list:\n%s\nEND DECRYPT_KEYCTL DEBUG OUTPUT\n' \
    "$ID_" "$KID_" "$(keyctl pipe "$KID_")" "$(keyctl list @u)" >&2

Be warned, this line will print your key in plaintext to the console. If
you want to redirect the output to a logfile, simply replace '>&2' by
e.g. '>/root/decrypt_keyctl.log'.

In order not to break your boot process again, first test the modified
decrypt_keyctl keyscript with the test setup from above using
cryptdisks_start/_stop, and only reboot after you have verified that
the keyscript still works.

Kind regards,
 jonas
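
As an added example (this is not the decrypt_keyctl script shipped by
the package, nor code posted in this thread), here is a small POSIX sh
script that re-implements the caching logic discussed above and wraps
the keyctl inspection commands from the mail, so the keyring state can
be checked outside of the boot process. It assumes, as decrypt_keyctl
does, the user keyring @u and keys of type 'user' named cryptkey-<ID>
where <ID> is the third crypttab field; the 60 second timeout is
illustrative, and the passphrase is read from standard input instead of
/lib/cryptsetup/askpass. It also handles the failure seen in the quoted
output: when 'keyctl timeout' fails, the freshly added key is unlinked
again so no passphrase stays cached without an expiry.

```shell
#!/bin/sh
# Added example, not the decrypt_keyctl script itself. Assumptions: the
# user keyring @u, key type "user", key names cryptkey-<ID>, a 60 second
# illustrative timeout, and the passphrase read from stdin.

KEYRING_=@u
TIMEOUT_=60

# Print the key id stored for crypttab identifier $1, or nothing.
find_key() {
    keyctl search "$KEYRING_" user "cryptkey-$1" 2>/dev/null
}

# Read a passphrase from stdin, store it as cryptkey-$1 and set the
# timeout. If the timeout cannot be set (the "keyctl_set_timeout:
# Permission denied" case), unlink the key again and fail.
cache_key() {
    id_="$1"
    key_=$(cat)
    kid_=$(printf '%s' "$key_" | keyctl padd user "cryptkey-$id_" "$KEYRING_") || return 1
    if ! keyctl timeout "$kid_" "$TIMEOUT_" 2>/dev/null; then
        echo "Error setting timeout on key ($kid_), removing" >&2
        keyctl unlink "$kid_" "$KEYRING_" >/dev/null
        return 1
    fi
    echo "$kid_"
}

# Keyscript-style entry point: print the passphrase for $1 on stdout,
# reading (prompting) only on a cache miss.
get_key() {
    id_="$1"
    kid_=$(find_key "$id_" || true)
    if [ -z "$kid_" ]; then
        kid_=$(cache_key "$id_") || return 1
        echo "Caching passphrase for $id_." >&2
    else
        echo "Using cached passphrase for $id_." >&2
    fi
    keyctl pipe "$kid_"
}

# Debug dump in the spirit of the mail: id, key id, content, full list.
dump_keyring() {
    id_="$1"
    kid_=$(find_key "$id_" || true)
    printf 'BEGIN DEBUG\nid: cryptkey-%s | key id: %s\nkey content: %s\nkey list:\n%s\nEND DEBUG\n' \
        "$id_" "$kid_" "$(keyctl pipe "$kid_" 2>/dev/null)" "$(keyctl list "$KEYRING_")"
}

# Remove the cached key for $1; returns non-zero if nothing was cached.
forget_key() {
    kid_=$(find_key "$1" || true)
    [ -n "$kid_" ] || return 1
    keyctl unlink "$kid_" "$KEYRING_" >/dev/null
}

# Command dispatch when run as a script; no arguments means no action.
case "${1:-}" in
    get)    get_key "$2" ;;
    dump)   dump_keyring "$2" ;;
    forget) forget_key "$2" ;;
esac
```

Usage, in a shell that owns a user keyring: 'printf testpw | sh
keyctl_cache.sh get pw1' caches the passphrase and prints it, a second
'sh keyctl_cache.sh get pw1 </dev/null' reports the cache hit and prints
the same value, 'dump pw1' shows the keyring state that the debug line
above would show at boot, and 'forget pw1' unlinks the key instead of
waiting for the timeout. Because 'keyctl timeout' failures are turned
into an unlink, a shell where that call is denied never ends up with an
unexpiring passphrase in the keyring.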
