pam_mount: do not re-prompt for password #49896

Merged
merged 1 commit into from Oct 27, 2021


peterhoeg
Member

Motivation for this change

nixos-rebuild test causes pam_mount to prompt for a password when running with
an encrypted home:

building '/nix/store/p6bflh7n5zy2dql8l45mix9qnzq65hbk-nixos-system-mildred-18.09.git.98592c5da79M.drv'...
activating the configuration...
setting up /etc...
reenter password for pam_mount:
(mount.c:68): Messages from underlying mount program:
(mount.c:72): crypt_activate_by_passphrase: File exists
(pam_mount.c:522): mount of /dev/mapper/vg0-lv_home_peter failed
kbuildsycoca5 running...

This change makes pam_mount not prompt. It still tries to remount (and fails in
the process) but that message can be ignored.

Fixes: #44586

Reference: https://unix.stackexchange.com/a/273894

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: pam_mount

Partial log:

  /nix/store/4v5nkv8hkilimfxvmwkfl0mlry3qqzk9-popt-1.16
  /nix/store/cnf1jgv1x1d7wry1iihq3hfpmkw7m6kd-cryptsetup-2.0.4
  /nix/store/k82pz2skh0nkka51q1mbd5yz6nzy2fxd-pam_mount-2.16
  /nix/store/y2j8pmv853n1a67bll402gnrg9j6hbby-json-c-0.13.1
copying path '/nix/store/y2j8pmv853n1a67bll402gnrg9j6hbby-json-c-0.13.1' from 'https://nix-cache.s3.amazonaws.com'...
copying path '/nix/store/27lqfbkwss1z2wqqvfv1nqbfypcarsr5-libHX-3.22' from 'https://nix-cache.s3.amazonaws.com'...
copying path '/nix/store/4v5nkv8hkilimfxvmwkfl0mlry3qqzk9-popt-1.16' from 'https://nix-cache.s3.amazonaws.com'...
copying path '/nix/store/cnf1jgv1x1d7wry1iihq3hfpmkw7m6kd-cryptsetup-2.0.4' from 'https://nix-cache.s3.amazonaws.com'...
copying path '/nix/store/k82pz2skh0nkka51q1mbd5yz6nzy2fxd-pam_mount-2.16' from 'https://nix-cache.s3.amazonaws.com'...
/nix/store/k82pz2skh0nkka51q1mbd5yz6nzy2fxd-pam_mount-2.16

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: pam_mount

Partial log:

shrinking /nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16/sbin/pmt-ehd
shrinking /nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16/sbin/pmvarrun
shrinking /nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16/sbin/mount.crypt
gzipping man pages under /nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16/share/man/
strip is /nix/store/p9akxn2sfy4wkhqdqa3li97pc6jaz3r1-binutils-2.30/bin/strip
stripping (with command strip and flags -S) in /nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16/lib  /nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16/sbin
patching script interpreter paths in /nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16
checking for references to /build in /nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16...
moving /nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16/sbin/* to /nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16/bin
/nix/store/dd9zyik4hxh6fdf1f8b3sfgn9g3w72k4-pam_mount-2.16

@peterhoeg
Member Author

Cc @samueldr

@samueldr
Member

samueldr commented Nov 10, 2018

Any difference in behaviour between switch and test, and if so, why would there be?

Additionally, most mounting-related tasks are applied live with test and switch (which is a bit annoying when failing and systemd kicks you to the rescue mode!). Do I misunderstand that this would break the assumption of mounting un-mounted devices during switch and test?

@peterhoeg
Member Author

> Any difference in behaviour between switch and test, and if so, why would there be?

No difference.

> Do I misunderstand that this would break the assumption of mounting un-mounted devices during switch and test?

With disable_interactive, we are dependent on the login manager passing down the password to pam_mount. So if you add an encrypted device which wasn't there at the time of session start and do nixos-rebuild, it would not be available.

The problem without the option is the repeated prompts which happen all the time.
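
A check for the setting discussed in the comment above, as an added example that is not part of the pull request or of the nixpkgs code: it lists `pam_mount.so` entries in a PAM service file that lack the `disable_interactive` argument and would therefore fall back to prompting. The function name `audit_pam_mount` and the sample PAM file are constructed for illustration.

```shell
#!/bin/sh
# Added example: find pam_mount.so entries without disable_interactive.

# audit_pam_mount FILE
# Prints "<line-number>:<pam-type>" for every pam_mount.so entry that does
# not carry disable_interactive; prints nothing when all entries have it.
audit_pam_mount() {
    awk '
        /^[ \t]*#/ { next }   # ignore comment lines
        {
            has_module = 0; has_flag = 0
            for (i = 1; i <= NF; i++) {
                # module may be given bare or as an absolute path
                if ($i == "pam_mount.so" || $i ~ /\/pam_mount\.so$/) has_module = 1
                if ($i == "disable_interactive") has_flag = 1
            }
            if (has_module && !has_flag) print NR ":" $1
        }
    ' "$1"
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# /etc/pam.d/login (constructed)
auth     required  pam_unix.so
auth     optional  pam_mount.so
session  optional  /lib/security/pam_mount.so disable_interactive
session  optional  pam_mount.so debug
EOF

# Lines 3 and 5 of the sample are reported; line 4 already has the flag.
audit_pam_mount "$sample"
```

On NixOS the files under /etc/pam.d are generated from the system configuration, so a finding is corrected there rather than by editing the file.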

@peterhoeg
Member Author

@samueldr any thoughts on how we can move this forward?

@peterhoeg
Member Author

@samueldr - do you still have any concerns?

@stale

stale bot commented Dec 7, 2020

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Dec 7, 2020
@peterhoeg peterhoeg removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Dec 7, 2020
@peterhoeg peterhoeg self-assigned this Dec 7, 2020
@stale

stale bot commented Jun 6, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 6, 2021
@peterhoeg
Member Author

@samueldr, the only case that "breaks" (and the reason for quotes is the fact that it really isn't) with this change is the following:

  1. a generation is created without any encrypted homes for user xxx
  2. user xxx logs in and adds encrypted home config to configuration.nix
  3. user xxx runs nixos-rebuild switch (or test)
  4. encrypted home for xxx is not decrypted and mounted

But, having your $HOME get remounted underneath you seems like a really bad idea anyway.

So while there is a change in how things work for one very special case, in general this makes things much nicer when using encrypted homes.

Any strong objections? If not, let's get this shipped.

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Oct 26, 2021
@samueldr
Member

Sorry, never had strong objections, only concerns since I didn't "get" everything, as I'm not using pam_mount.

Do not block on these.

Anyway:

  • You're daily driving it
  • You understand the underlying use cases
  • No one else seems to have had any concerns

Feel free to take ownership I guess!

@peterhoeg peterhoeg merged commit 22a500a into NixOS:master Oct 27, 2021
@peterhoeg peterhoeg deleted the f/activation branch October 27, 2021 00:53
Successfully merging this pull request may close these issues.

nixos-rebuild test (and switch) causes pam_mount to remount