
DM-Crypt and PAM Mount



Hi fellow Debian users,

I just got the combination of a dm encrypted FS with the PAM mount
ability working. What gave me quite a headache was the following:
You can use the PAM mount lib to encrypt your mantra of the dm encrypted
partition with your login password. I started out with a rather long
(2880 Bytes) dm mantra. I generated it by something like:
<snip>
head -c 2880 /dev/random | uuencode -m - | head -n 65 | tail -n 64 > /home/clemens.key
</snip>

Afterwards, I set everything up as it is explained in 
/usr/share/doc/libpam-mount/README.Debian.gz always ending up with the
following log file entries:
<snip /var/log/auth.log/>
Nov  7 00:48:25 zappa kdm: :0[11226]: pam_mount: (defined by globalconf)
Nov  7 00:48:25 zappa kdm: :0[11226]: pam_mount: user:          clemens
Nov  7 00:48:25 zappa kdm: :0[11226]: pam_mount: server:
Nov  7 00:48:25 zappa kdm: :0[11226]: pam_mount: volume:        /dev/hdb7
Nov  7 00:48:25 zappa kdm: :0[11226]: pam_mount: mountpoint:    /mnt/dm/
Nov  7 00:48:25 zappa kdm: :0[11226]: pam_mount: options:       cipher=twofish,hash=sha512
Nov  7 00:48:25 zappa kdm: :0[11226]: pam_mount: fs_key_cipher: aes-256-ecb
Nov  7 00:48:25 zappa kdm: :0[11226]: pam_mount: fs_key_path:   /home/clemens.key
Nov  7 00:48:25 zappa kdm: :0[11226]: pam_mount: use_fstab:   0
Nov  7 00:48:25 zappa kdm: :0[11226]: pam_mount: --------
Nov  7 00:48:25 zappa kdm: :0[11226]: pam_mount: checking to see if /dev/mapper/_dev_hdb7 is already mounted at /mnt/dm/
Nov  7 00:48:25 zappa kdm: :0[11226]: pam_mount: checking for encrypted filesystem key configuration
Nov  7 00:48:25 zappa kdm: :0[11226]: pam_mount: decrypting FS key using system auth. token and aes-256-ecb
Nov  7 00:48:25 zappa kdm: :0[11226]: pam_mount: bad pad on end of encrypted file (wrong algorithm or key size?)
Nov  7 00:48:25 zappa kdm: :0[11226]: pam_mount: mount of /dev/hdb7 failed
Nov  7 00:48:25 zappa kdm: :0[11226]: pam_mount: checking sanity of volume record (/dev/hdb7)
Nov  7 00:48:25 zappa kdm: :0[11226]: pam_mount: about to perform mount operations
<endSnip /var/log/auth.log/>

So, I am not quite sure where the cut off happens: 
a) in the openssl package while the mantra file gets decrypted
b) in the dmsetup package when setting up the device mapper file

Everything works fine when I use shorter passwords.
Since I could not find any documentation stating this problem, 
I address this issue here to the list.

Am I missing something?

Thanks for your comments and explanations. 

Clemens Bier
   
-- 
GPG Key: http://eigenvalue.net/~clemens/gpgkey.asc
Fingerprint: 1024D/A07D0D1B 
5FB1 B155 8070 DF8B 4350  6583 87FF 3589 A07D 0D1B
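
Added example, not part of the original message: a shell check that tests option (a) in isolation by pushing key material of a given size through an aes-256-ecb encrypt/decrypt round trip and comparing the result byte for byte. It assumes the key file is handled with "openssl enc -aes-256-ecb"; the function name, the passphrase and the temporary files are constructed here, /dev/urandom and "openssl base64" stand in for /dev/random and "uuencode -m", and neither pam_mount nor dmsetup is exercised.

```shell
#!/bin/sh
# Round-trip check for hypothesis (a): does the openssl step alone
# lose or corrupt key material of a given size?
# roundtrip_check is a hypothetical helper name used only in this example.

# $1 = bytes of random material, $2 = passphrase used to encrypt,
# $3 = passphrase used to decrypt (stand-ins for the login password).
# Returns 0 if the decrypted file is identical to the original, 1 otherwise.
roundtrip_check() {
    size=$1 enc_pass=$2 dec_pass=$3
    dir=$(mktemp -d) || return 2
    status=1
    # Constructed key material, base64 text like the key file in the post.
    head -c "$size" /dev/urandom | openssl base64 > "$dir/plain.key" &&
    # Encrypt the key file under the passphrase.
    openssl enc -aes-256-ecb -pass "pass:$enc_pass" \
        -in "$dir/plain.key" -out "$dir/enc.key" 2>/dev/null &&
    # Decrypt it again; a padding failure makes openssl exit non-zero.
    openssl enc -d -aes-256-ecb -pass "pass:$dec_pass" \
        -in "$dir/enc.key" -out "$dir/dec.key" 2>/dev/null &&
    # Compare byte for byte, so silent truncation would also be caught.
    cmp -s "$dir/plain.key" "$dir/dec.key" &&
    status=0
    rm -rf "$dir"
    return "$status"
}

PASS='constructed-login-password'   # constructed value, not a real secret

# Compare a short key with the 2880-byte size from the post.
for n in 32 2880; do
    if roundtrip_check "$n" "$PASS" "$PASS"; then
        echo "$n bytes: round trip OK"
    else
        echo "$n bytes: round trip FAILED"
    fi
done

# Control case: a passphrase mismatch must not reproduce the key.
if roundtrip_check 2880 "$PASS" 'some-other-password'; then
    echo "mismatched passphrase: unexpectedly OK"
else
    echo "mismatched passphrase: rejected, as expected"
fi
```

If both sizes round-trip cleanly here, the openssl step by itself is not where the long key is cut off, and attention moves to how the key is passed on afterwards.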
