pam_pefs setup (Re: RFC: pefs - stacked cryptographic filesystem)
Gleb Kurtsou
gleb.kurtsou at gmail.com
Tue Sep 7 17:52:31 UTC 2010
On (07/09/2010 16:32), Thomas Vogt wrote:
[...]
>
> I've an issue with pam_pefs:
>
> ===> lib/libpam/modules/pam_pefs (install)
> install -C -o root -g wheel -m 444 libpam_pefs.a /usr/lib
> install -C -o root -g wheel -m 444 libpam_pefs_p.a /usr/lib
> install -o root -g wheel -m 444 pam_pefs.8.gz /usr/share/man/man8
>
> I do not see any pam_pefs.so which makes login not possible if
> pam.d/system is modified as mentioned in your description:
>
> auth sufficient pam_pefs.so try_first_pass
Sorry, I don't quite understand you here. Don't hesitate to contact me
again if I didn't understand you correctly.

I've also missed one more line, which actually adds the key:

session optional pam_pefs.so

The setup I've posted makes it possible to log in using a pefs key or the standard
pam_unix.so password. Here is my /etc/pam.d/system file:

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient pam_pefs.so try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
account required pam_login_access.so
account required pam_unix.so
# session
session optional pam_pefs.so
session required pam_lastlog.so no_fail
# password
password required pam_unix.so no_warn try_first_pass

I have a "stronger" password for pefs, while the traditional password is
"weaker" and easier to type. I use the pefs password to log in only the first
time and add the key to my home directory.

Please note that your home directory has to be mounted; I mount it in
/etc/rc.local, but don't add any keys. pam_pefs adds the key. Also note
that it has to be exactly your home directory (/home/gleb in my case), to
prevent possible attacks. And the keychain database has to be created, so
that pam_pefs knows how to verify the key.

Details on how to create it are available in my original email. That's a
rather inconvenient procedure, but you need to do it just once; it's so
complicated because pefs is read-only if no key is specified, but the database
should not be encrypted, to make it accessible by pam_pefs:

> 3. Mount pefs filesystem:
> # pefs mount /home/ME /home/ME
>
> 4. Enter passphrase:
> # pefs addkey /home/ME
>
> # pefs addchain -Z /home/ME
> Don't encrypt .pefs.db:
> # mv ~/Private/.pefs.db /tmp
> # umount ~/Private
> # mv /tmp/.pefs.db /home/ME
> # pefs mount /home/ME /home/ME
> Use -c option to verify key is in database
> # pefs addkey -c /home/ME

I'll try to make it easier. I didn't actually expect anyone to try it,
and just mentioned it without providing instructions, so as not to write a long
setup procedure.

You can also try adding the debug option to the pam_pefs.so config if something
goes wrong.

I don't remember the details, but pefs/Makefile contains the following
comment by me:

# Should be built from sources tree
# SUBDIR+= lib/libpam/modules/pam_pefs

But if you are able to build it, it should be fine.

Thanks,
Gleb.
>
> Regards,
> Thomas
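A pre-flight check for the two conditions Gleb stresses above before enabling the "session optional pam_pefs.so" line: the pefs filesystem must be mounted on exactly the user's home directory (not a subdirectory, not with a trailing slash), and the unencrypted keychain database .pefs.db must sit in that directory. This is an added example, not part of pefs, pam_pefs or this mail; it assumes FreeBSD mount(8) output lines of the form "<from> on <mountpoint> (pefs, local)" and uses a constructed sample mount table.

```shell
#!/bin/sh
# Added pre-flight check for a pam_pefs home-directory setup.
# Not part of pefs or of the original mail. Assumes mount(8) output
# lines of the form:  <from> on <mountpoint> (pefs, local)

# pefs_mount_is_home HOME MOUNTTAB
# Succeeds only if exactly one pefs line in MOUNTTAB has both <from>
# and <mountpoint> equal to HOME, which is what
# "pefs mount /home/ME /home/ME" produces. A trailing slash or a
# subdirectory such as /home/ME/Private is rejected on purpose.
pefs_mount_is_home() {
    home=$1
    mounttab=$2
    case $home in
        /*/) echo "home directory must not end with '/'" >&2; return 1 ;;
    esac
    hits=$(printf '%s\n' "$mounttab" |
        awk -v h="$home" '
            $2 == "on" && ($4 == "(pefs," || $4 == "(pefs)") &&
            $1 == h && $3 == h { n++ }
            END { print n + 0 }')
    [ "$hits" -eq 1 ]
}

# pefs_db_present HOME
# The keychain database pam_pefs verifies keys against must live
# unencrypted at HOME/.pefs.db (moved there before the final mount,
# as in the quoted procedure).
pefs_db_present() {
    [ -f "$1/.pefs.db" ]
}

# Constructed sample of mount(8) output, for demonstration only.
SAMPLE_MOUNTTAB='/dev/ada0p2 on / (ufs, local, journaled soft-updates)
/home/gleb on /home/gleb (pefs, local)
/home/thomas/Private on /home/thomas/Private (pefs, local)'

if pefs_mount_is_home /home/gleb "$SAMPLE_MOUNTTAB"; then
    echo "/home/gleb: pefs is mounted on the home directory itself"
fi
if ! pefs_mount_is_home /home/thomas "$SAMPLE_MOUNTTAB"; then
    echo "/home/thomas: no pefs mount on the home directory (only a subdirectory)"
fi
```

Run it on a real system by replacing SAMPLE_MOUNTTAB with "$(mount)" and HOME with the directory from the user's passwd entry; a failing pefs_mount_is_home means pam_pefs would be asked to add a key to something other than the home directory, which is exactly the case the mail warns about.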