fscrypt: PAM login failure after update to bd2ca31
After updating to revision bd2ca31a8d92581582e4150de53eccef99a36b3c my previously working fscrypt setup started failing.
Steps:
- Set up fscrypt (0.2.2.7.g141265f-1) + PAM unlocking using pam_fscrypt.so as described in https://github.com/google/fscrypt/issues/77#issuecomment-362490057
- Logging in unlocks home and login succeeds (both console and GDM).
- Update to fscrypt 0.2.3.2.gbd2ca31-1 or 0.2.3.0.ge131cec-1 (both tested).
- Attempt to log in results in:
  a. GDM appears to succeed and then goes back to login screen (no desktop shown).
  b. Console redisplays login prompt, no shell prompt displayed.
Home directory is left in unlocked state after this, so pam_fscrypt.so is partially working. Removing all pam_fscrypt.so instances from /etc/pam.d/system-auth and /etc/pam.d/system-login results in successful login (if home directory is in unlocked state, which it is after at least one failed attempt).
Reverting to revision 141265f solves the issue and logins work again.
Non-encrypted logins do work even with pam_fscrypt.so enabled (my root home is not encrypted). Logs with debug option in all pam_fscrypt.so instances:
Look at pam_fscrypt[11273] for instance:
About this issue
- State: closed
- Created 6 years ago
- Comments: 16 (4 by maintainers)
This may be the bug I’m fixing with https://github.com/google/fscrypt/pull/97. It was causing glibc to silently abort() the login process later in the PAM stack, so the login prompt would just appear again. It may have started appearing after 5d71e1d16b06 switched Argon2 implementations from C to Go, because that may have started making the Go runtime leave extra threads around.
Sure, I’ll post the links here when I’ve reproduced it in a VM 👍