* [PATCH] cifscreds: add a check and warning for missing session keyring
From: Jeff Layton @ 2012-07-17 13:28 UTC (permalink / raw)
To: linux-cifs-u79uwXL29TY76Z2rM5mHXA
Cc: knizek.confy-Re5JQEeQqe8AvxtiuMwx3w, dhowells-H+wXaHxf7aLQT0dZR+AlfA
Many distros do not call into pam_keyinit to set up the session keyring
properly at login time. When cifscreds add is used in such a session,
the kernel will spawn a new session keyring in which to install the
credentials. That keyring will then go away once the cifscreds process
exits.
Check for this situation by looking to see if the session and
user-session keyrings are the same. Throw a warning if so, and add some
verbiage to the cifscreds manpage that explains the issue.
Cc: David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Reported-by: Milan Knížek <knizek.confy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Signed-off-by: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
---
cifscreds.1 | 9 ++++++++-
cifscreds.c | 21 +++++++++++++++++++++
cifscreds.pod | 8 ++++++++
3 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/cifscreds.1 b/cifscreds.1
index 44a02a2..83afae6 100644
--- a/cifscreds.1
+++ b/cifscreds.1
@@ -124,7 +124,7 @@
.\" ========================================================================
.\"
.IX Title "CIFSCREDS 1"
-.TH CIFSCREDS 1 "2012-01-24" "" ""
+.TH CIFSCREDS 1 "2012-07-17" "" ""
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -186,6 +186,13 @@ different username.
The cifscreds utility requires a kernel built with support for the
\&\fBlogin\fR key type. That key type was added in v3.3 in mainline Linux
kernels.
+.PP
+Since \fBcifscreds\fR adds keys to the session keyring, it is highly
+recommended that one use \fBpam_keyinit\fR to ensure that a session keyring
+is established at login time.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIpam_keyinit\fR\|(8)
.SH "AUTHORS"
.IX Header "AUTHORS"
The cifscreds program was originally developed by Igor Druzhinin
diff --git a/cifscreds.c b/cifscreds.c
index efc76e6..f521ba5 100644
--- a/cifscreds.c
+++ b/cifscreds.c
@@ -465,6 +465,25 @@ static int cifscreds_update(struct cmdarg *arg)
return EXIT_SUCCESS;
}
+static void
+check_session_keyring(void)
+{
+ key_serial_t ses_key, uses_key;
+
+ ses_key = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);
+ if (ses_key == -1)
+ return;
+
+ uses_key = keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);
+ if (uses_key == -1)
+ return;
+
+ if (ses_key == uses_key)
+ fprintf(stderr, "Warning: you have no session keyring. "
+ "cifscreds keys will not persist. See "
+ "pam_keyinit(8).\n");
+}
+
int main(int argc, char **argv)
{
struct command *cmd, *best;
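Review bot: the two `if (... == -1) return;` early exits in check_session_keyring() silently swallow exactly the condition the function exists to detect; keyctl_get_keyring_ID() sets errno on failure (ENOKEY when the keyring does not exist), so at least the session-keyring lookup failure should be reported with `strerror(errno)` and treated as fatal here rather than left for a later keyctl call to fail with a less specific message.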
@@ -535,5 +554,7 @@ int main(int argc, char **argv)
if (arg.user == NULL)
arg.user = getusername(getuid());
+ check_session_keyring();
+
return best->action(&arg);
}
diff --git a/cifscreds.pod b/cifscreds.pod
index 17e453f..c3bafb5 100644
--- a/cifscreds.pod
+++ b/cifscreds.pod
@@ -79,6 +79,14 @@ The cifscreds utility requires a kernel built with support for the
B<login> key type. That key type was added in v3.3 in mainline Linux
kernels.
+Since B<cifscreds> adds keys to the session keyring, it is highly
+recommended that one use B<pam_keyinit> to ensure that a session keyring
+is established at login time.
+
+=head1 SEE ALSO
+
+pam_keyinit(8)
+
=head1 AUTHORS
The cifscreds program was originally developed by Igor Druzhinin
--
1.7.10.4
* Re: [PATCH] cifscreds: add a check and warning for missing session keyring
From: David Howells @ 2012-07-17 20:46 UTC (permalink / raw)
To: Jeff Layton
Cc: dhowells-H+wXaHxf7aLQT0dZR+AlfA,
linux-cifs-u79uwXL29TY76Z2rM5mHXA,
knizek.confy-Re5JQEeQqe8AvxtiuMwx3w
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org> wrote:
> +static void
> +check_session_keyring(void)
> +{
> + key_serial_t ses_key, uses_key;
> +
> + ses_key = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);
> + if (ses_key == -1)
> + return;
> +
> + uses_key = keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);
> + if (uses_key == -1)
> + return;
> +
> + if (ses_key == uses_key)
> + fprintf(stderr, "Warning: you have no session keyring. "
> + "cifscreds keys will not persist. See "
> + "pam_keyinit(8).\n");
> +}
I would suggest reporting an error and exiting in the event that certainly the
first call returns -1 and maybe the second.
Other than that, it looks okay.
I wonder if I should suggest giving an error if you try and modify the session
keyring when there isn't one (where modification includes adding a key to it).
When I first did the keyring stuff in the kernel, I didn't envision pam_keyinit
- which in retrospect is a much better way of generating the session keyring
than having the kernel try to guess.
Note that this would not stop processes joining a session keyring or creating a
new session keyring.
David
* Re: [PATCH] cifscreds: add a check and warning for missing session keyring
From: Jeff Layton @ 2012-07-18 10:29 UTC (permalink / raw)
To: David Howells
Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA, knizek.confy-Re5JQEeQqe8AvxtiuMwx3w
On Tue, 17 Jul 2012 21:46:39 +0100
David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
> Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org> wrote:
>
> > +static void
> > +check_session_keyring(void)
> > +{
> > + key_serial_t ses_key, uses_key;
> > +
> > + ses_key = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);
> > + if (ses_key == -1)
> > + return;
> > +
> > + uses_key = keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);
> > + if (uses_key == -1)
> > + return;
> > +
> > + if (ses_key == uses_key)
> > + fprintf(stderr, "Warning: you have no session keyring. "
> > + "cifscreds keys will not persist. See "
> > + "pam_keyinit(8).\n");
> > +}
>
> I would suggest reporting an error and exiting in the event that certainly the
> first call returns -1 and maybe the second.
>
Yeah, I considered that. I figured the follow-on keyctl() calls would
end up erroring out, but I suppose doing it at this point would be more
efficient. I'll respin the patch in a bit...
> Other than that, it looks okay.
>
> I wonder if I should suggest giving an error if you try and modify the session
> keyring when there isn't one (where modification includes adding a key to it).
> When I first did the keyring stuff in the kernel, I didn't envision pam_keyinit
> - which in retrospect is a much better way of generating the session keyring
> than having the kernel try to guess.
>
> Note that this would not stop processes joining a session keyring or creating a
> new session keyring.
>
That might be more reasonable. Spawning a new session keyring on the
fly like is done today seems to be of questionable value.
Thanks,
--
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
* [PATCH v2] cifscreds: add a check and warnings for session keyring problems
From: Jeff Layton @ 2012-07-19 13:35 UTC (permalink / raw)
To: linux-cifs-u79uwXL29TY76Z2rM5mHXA
Cc: knizek.confy-Re5JQEeQqe8AvxtiuMwx3w, dhowells-H+wXaHxf7aLQT0dZR+AlfA
Many distros do not call into pam_keyinit to set up the session keyring
properly at login time. When cifscreds add is used in such a session,
the kernel will spawn a new session keyring in which to install the
credentials. That keyring will then go away once the cifscreds process
exits.
Check for this situation by looking to see if the session and
user-session keyrings are the same. Throw a warning if so, and add some
verbiage to the cifscreds manpage that explains the issue. Also, if
the session keyring can't be queried for any reason, then cause the
program to error out.
Cc: David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Reported-by: Milan Knížek <knizek.confy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Signed-off-by: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
---
cifscreds.1 | 9 ++++++++-
cifscreds.c | 34 ++++++++++++++++++++++++++++++++++
cifscreds.pod | 8 ++++++++
3 files changed, 50 insertions(+), 1 deletion(-)
diff --git a/cifscreds.1 b/cifscreds.1
index 44a02a2..83afae6 100644
--- a/cifscreds.1
+++ b/cifscreds.1
@@ -124,7 +124,7 @@
.\" ========================================================================
.\"
.IX Title "CIFSCREDS 1"
-.TH CIFSCREDS 1 "2012-01-24" "" ""
+.TH CIFSCREDS 1 "2012-07-17" "" ""
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
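Review bot: the .TH date stays "2012-07-17" although v2 was sent on 2012-07-19; cifscreds.1 looks like pod2man output (the .IX entries and the nroff justification boilerplate), so it is better regenerated from cifscreds.pod than hand-edited, or left out of the patch entirely if the build regenerates it.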
@@ -186,6 +186,13 @@ different username.
The cifscreds utility requires a kernel built with support for the
\&\fBlogin\fR key type. That key type was added in v3.3 in mainline Linux
kernels.
+.PP
+Since \fBcifscreds\fR adds keys to the session keyring, it is highly
+recommended that one use \fBpam_keyinit\fR to ensure that a session keyring
+is established at login time.
+.SH "SEE ALSO"
+.IX Header "SEE ALSO"
+\&\fIpam_keyinit\fR\|(8)
.SH "AUTHORS"
.IX Header "AUTHORS"
The cifscreds program was originally developed by Igor Druzhinin
diff --git a/cifscreds.c b/cifscreds.c
index efc76e6..bb35c02 100644
--- a/cifscreds.c
+++ b/cifscreds.c
@@ -28,6 +28,7 @@
#include <ctype.h>
#include <keyutils.h>
#include <getopt.h>
+#include <errno.h>
#include "mount.h"
#include "resolve_host.h"
#include "util.h"
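Review bot: strerror() in the new check_session_keyring() needs <string.h>, and only <errno.h> is added here; confirm cifscreds.c already includes <string.h> directly rather than relying on a transitive include from another header.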
@@ -465,6 +466,36 @@ static int cifscreds_update(struct cmdarg *arg)
return EXIT_SUCCESS;
}
+static int
+check_session_keyring(void)
+{
+ key_serial_t ses_key, uses_key;
+
+ ses_key = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);
+ if (ses_key == -1) {
+ if (errno == ENOKEY)
+ fprintf(stderr, "Error: you have no session keyring. "
+ "Consider using pam_keyinit to "
+ "install one.\n");
+ else
+ fprintf(stderr, "Error: unable to query session "
+ "keyring: %s\n", strerror(errno));
+ return (int)ses_key;
+ }
+
+ /* A problem querying the user-session keyring isn't fatal. */
+ uses_key = keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);
+ if (uses_key == -1)
+ return 0;
+
+ if (ses_key == uses_key)
+ fprintf(stderr, "Warning: you have no persistent session "
+ "keyring. cifscreds keys will not persist "
+ "after this process exits. See "
+ "pam_keyinit(8).\n");
+ return 0;
+}
+
int main(int argc, char **argv)
{
struct command *cmd, *best;
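Review bot: `return (int)ses_key;` hands the caller -1 through a narrowing cast from key_serial_t as a generic failure; since main() only tests for non-zero it works, but a plain `return -1;` (or returning the saved errno) states the contract more clearly. The ENOKEY message and the comment on the non-fatal user-session lookup read well; note that the `uses_key == -1` path leaves no trace at all, so a message there would help when diagnosing login-manager setups where the keyrings are not what the user expects.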
@@ -535,5 +566,8 @@ int main(int argc, char **argv)
if (arg.user == NULL)
arg.user = getusername(getuid());
+ if (check_session_keyring())
+ return EXIT_FAILURE;
+
return best->action(&arg);
}
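Review bot: check_session_keyring() now runs before best->action() for every subcommand, not only the ones that install keys, so in a session with no queryable session keyring a command that merely removes keys also exits with EXIT_FAILURE; consider running the fatal check only for the key-installing commands (add and the cifscreds_update() path visible above) and keeping it a warning otherwise.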
diff --git a/cifscreds.pod b/cifscreds.pod
index 17e453f..c3bafb5 100644
--- a/cifscreds.pod
+++ b/cifscreds.pod
@@ -79,6 +79,14 @@ The cifscreds utility requires a kernel built with support for the
B<login> key type. That key type was added in v3.3 in mainline Linux
kernels.
+Since B<cifscreds> adds keys to the session keyring, it is highly
+recommended that one use B<pam_keyinit> to ensure that a session keyring
+is established at login time.
+
+=head1 SEE ALSO
+
+pam_keyinit(8)
+
=head1 AUTHORS
The cifscreds program was originally developed by Igor Druzhinin
--
1.7.10.4
* Re: [PATCH v2] cifscreds: add a check and warnings for session keyring problems
From: David Howells @ 2012-07-20 14:19 UTC (permalink / raw)
To: Jeff Layton
Cc: dhowells-H+wXaHxf7aLQT0dZR+AlfA,
linux-cifs-u79uwXL29TY76Z2rM5mHXA,
knizek.confy-Re5JQEeQqe8AvxtiuMwx3w
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org> wrote:
> Many distros do not call into pam_keyinit to set up the session keyring
> properly at login time. When cifscreds add is used in such a session,
> the kernel will spawn a new session keyring in which to install the
> credentials. That keyring will then go away once the cifscreds process
> exits.
>
> Check for this situation by looking to see if the session and
> user-session keyrings are the same. Throw a warning if so, and add some
> verbiage to the cifscreds manpage that explains the issue. Also, if
> the session keyring can't be queried for any reason, then cause the
> program to error out.
>
> Cc: David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
> Reported-by: Milan Knížek <knizek.confy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> Signed-off-by: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
Acked-by: David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
* Re: [PATCH v2] cifscreds: add a check and warnings for session keyring problems
From: Jeff Layton @ 2012-07-20 18:51 UTC (permalink / raw)
To: Jeff Layton
Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA,
knizek.confy-Re5JQEeQqe8AvxtiuMwx3w,
dhowells-H+wXaHxf7aLQT0dZR+AlfA
On Thu, 19 Jul 2012 09:35:16 -0400
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org> wrote:
> Many distros do not call into pam_keyinit to set up the session keyring
> properly at login time. When cifscreds add is used in such a session,
> the kernel will spawn a new session keyring in which to install the
> credentials. That keyring will then go away once the cifscreds process
> exits.
>
> Check for this situation by looking to see if the session and
> user-session keyrings are the same. Throw a warning if so, and add some
> verbiage to the cifscreds manpage that explains the issue. Also, if
> the session keyring can't be queried for any reason, then cause the
> program to error out.
>
> Cc: David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
> Reported-by: Milan Knížek <knizek.confy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> Signed-off-by: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
> ---
> cifscreds.1 | 9 ++++++++-
> cifscreds.c | 34 ++++++++++++++++++++++++++++++++++
> cifscreds.pod | 8 ++++++++
> 3 files changed, 50 insertions(+), 1 deletion(-)
>
> diff --git a/cifscreds.1 b/cifscreds.1
> index 44a02a2..83afae6 100644
> --- a/cifscreds.1
> +++ b/cifscreds.1
> @@ -124,7 +124,7 @@
> .\" ========================================================================
> .\"
> .IX Title "CIFSCREDS 1"
> -.TH CIFSCREDS 1 "2012-01-24" "" ""
> +.TH CIFSCREDS 1 "2012-07-17" "" ""
> .\" For nroff, turn off justification. Always turn off hyphenation; it makes
> .\" way too many mistakes in technical documents.
> .if n .ad l
> @@ -186,6 +186,13 @@ different username.
> The cifscreds utility requires a kernel built with support for the
> \&\fBlogin\fR key type. That key type was added in v3.3 in mainline Linux
> kernels.
> +.PP
> +Since \fBcifscreds\fR adds keys to the session keyring, it is highly
> +recommended that one use \fBpam_keyinit\fR to ensure that a session keyring
> +is established at login time.
> +.SH "SEE ALSO"
> +.IX Header "SEE ALSO"
> +\&\fIpam_keyinit\fR\|(8)
> .SH "AUTHORS"
> .IX Header "AUTHORS"
> The cifscreds program was originally developed by Igor Druzhinin
> diff --git a/cifscreds.c b/cifscreds.c
> index efc76e6..bb35c02 100644
> --- a/cifscreds.c
> +++ b/cifscreds.c
> @@ -28,6 +28,7 @@
> #include <ctype.h>
> #include <keyutils.h>
> #include <getopt.h>
> +#include <errno.h>
> #include "mount.h"
> #include "resolve_host.h"
> #include "util.h"
> @@ -465,6 +466,36 @@ static int cifscreds_update(struct cmdarg *arg)
> return EXIT_SUCCESS;
> }
>
> +static int
> +check_session_keyring(void)
> +{
> + key_serial_t ses_key, uses_key;
> +
> + ses_key = keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 0);
> + if (ses_key == -1) {
> + if (errno == ENOKEY)
> + fprintf(stderr, "Error: you have no session keyring. "
> + "Consider using pam_keyinit to "
> + "install one.\n");
> + else
> + fprintf(stderr, "Error: unable to query session "
> + "keyring: %s\n", strerror(errno));
> + return (int)ses_key;
> + }
> +
> + /* A problem querying the user-session keyring isn't fatal. */
> + uses_key = keyctl_get_keyring_ID(KEY_SPEC_USER_SESSION_KEYRING, 0);
> + if (uses_key == -1)
> + return 0;
> +
> + if (ses_key == uses_key)
> + fprintf(stderr, "Warning: you have no persistent session "
> + "keyring. cifscreds keys will not persist "
> + "after this process exits. See "
> + "pam_keyinit(8).\n");
> + return 0;
> +}
> +
> int main(int argc, char **argv)
> {
> struct command *cmd, *best;
> @@ -535,5 +566,8 @@ int main(int argc, char **argv)
> if (arg.user == NULL)
> arg.user = getusername(getuid());
>
> + if (check_session_keyring())
> + return EXIT_FAILURE;
> +
> return best->action(&arg);
> }
> diff --git a/cifscreds.pod b/cifscreds.pod
> index 17e453f..c3bafb5 100644
> --- a/cifscreds.pod
> +++ b/cifscreds.pod
> @@ -79,6 +79,14 @@ The cifscreds utility requires a kernel built with support for the
> B<login> key type. That key type was added in v3.3 in mainline Linux
> kernels.
>
> +Since B<cifscreds> adds keys to the session keyring, it is highly
> +recommended that one use B<pam_keyinit> to ensure that a session keyring
> +is established at login time.
> +
> +=head1 SEE ALSO
> +
> +pam_keyinit(8)
> +
> =head1 AUTHORS
>
> The cifscreds program was originally developed by Igor Druzhinin
Merged...
--
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
* Re: [PATCH v2] cifscreds: add a check and warnings for session keyring problems
From: Milan Knížek @ 2012-08-08 17:45 UTC (permalink / raw)
To: Jeff Layton; +Cc: linux-cifs, dhowells-H+wXaHxf7aLQT0dZR+AlfA
Jeff Layton wrote on Thu 19. 07. 2012 at 09:35 -0400:
> Many distros do not call into pam_keyinit to set up the session keyring
> properly at login time. When cifscreds add is used in such a session,
> the kernel will spawn a new session keyring in which to install the
> credentials. That keyring will then go away once the cifscreds process
> exits.
How does one arrange that the session keyring is set up properly for
various login methods?
I added "session optional pam_keyinit.so force revoke"
into /etc/pam.d/login and /etc/pam.d/sshd and "cifscreds add" works fine
when logged in console (alt+f2) or via ssh.
Session Keyring
812231719 --alswrv 1001 100 keyring: _ses
132272983 --alswrv 1001 -1 \_ keyring: _uid.1001
1046511393 ----sw-v 1001 100 \_ logon: cifs:a:192.168.1.3
pam_keyinit.so was already in /etc/pam.d/gdm-password, though when
logged into Xfce from GDM, "cifscreds add" typed in
xfce4-terminal complains about a non-persistent keyring.
I can see that the name of the top level keyring differs for Xfce session:
Session Keyring
666176370 --alswrv 1001 -1 keyring: _uid_ses.1001
132272983 --alswrv 1001 -1 \_ keyring: _uid.1001
Does anyone know if that is some GDM bug/feature and how to avoid it?
Sorry if this is off-topic here, though I guess it might help others who
will run into problems with cifscreds, too.
Regards,
Milan
* Re: [PATCH v2] cifscreds: add a check and warnings for session keyring problems
From: Jeff Layton @ 2012-08-09 0:19 UTC (permalink / raw)
To: Milan Knížek; +Cc: linux-cifs, dhowells-H+wXaHxf7aLQT0dZR+AlfA
On Wed, 08 Aug 2012 19:45:33 +0200
Milan Knížek <knizek.confy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Jeff Layton wrote on Thu 19. 07. 2012 at 09:35 -0400:
> > Many distros do not call into pam_keyinit to set up the session keyring
> > properly at login time. When cifscreds add is used in such a session,
> > the kernel will spawn a new session keyring in which to install the
> > credentials. That keyring will then go away once the cifscreds process
> > exits.
>
> How does one arrange that the session keyring is set up properly for
> various login methods?
>
> I added "session optional pam_keyinit.so force revoke"
> into /etc/pam.d/login and /etc/pam.d/sshd and "cifscreds add" works fine
> when logged in console (alt+f2) or via ssh.
> Session Keyring
> 812231719 --alswrv 1001 100 keyring: _ses
> 132272983 --alswrv 1001 -1 \_ keyring: _uid.1001
> 1046511393 ----sw-v 1001 100 \_ logon: cifs:a:192.168.1.3
>
>
> pam_keyinit.so was already in /etc/pam.d/gdm-password, though when
> logged into Xfce from GDM, "cifscreds add" typed in
> xfce4-terminal complains about a non-persistent keyring.
>
> I can see that the name of the top level keyring differs for Xfce session:
> Session Keyring
> 666176370 --alswrv 1001 -1 keyring: _uid_ses.1001
> 132272983 --alswrv 1001 -1 \_ keyring: _uid.1001
>
> Does anyone know if that is some GDM bug/feature and how to avoid it?
>
> Sorry if this is off-topic here, though I guess it might help others who
> will run into problems with cifscreds, too.
>
An excellent question. I see the same behavior on a fairly stock Fedora
17 host too. I can only assume that the actual desktop session is
ending up with a different keyring session than gdm had.
--
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
* Re: [PATCH v2] cifscreds: add a check and warnings for session keyring problems
From: knizek.confy-Re5JQEeQqe8AvxtiuMwx3w @ 2012-08-09 12:00 UTC (permalink / raw)
To: Jeff Layton; +Cc: linux-cifs, dhowells-H+wXaHxf7aLQT0dZR+AlfA
Jeff Layton writes:
> On Wed, 08 Aug 2012 19:45:33 +0200
> Milan Knížek <knizek.confy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> > pam_keyinit.so was already in /etc/pam.d/gdm-password, though when
> > logged into Xfce from GDM, "cifscreds add" typed in
> > xfce4-terminal complains about a non-persistent keyring.
> >
> > I can see that the name of the top level keyring differs for Xfce session:
> > Session Keyring
> > 666176370 --alswrv 1001 -1 keyring: _uid_ses.1001
> > 132272983 --alswrv 1001 -1 \_ keyring: _uid.1001
> >
> > Does anyone know if that is some GDM bug/feature and how to avoid it?
> >
> An excellent question. I see the same behavior on a fairly stock Fedora
> 17 host too. I can only assume that the actual desktop session is
> ending up with a different keyring session than gdm had.
For the sake of curiosity, when logging in remotely with x2go (based on NX),
the session keyring is okay:
$ keyctl show
Session Keyring
420490248 --alswrv 1000 100 keyring: _ses
318990990 --alswrv 1000 -1 \_ keyring: _uid.1000
909936426 --alswrv 1000 100 | \_ user: 75fbf6399a9cf084
909201030 --alswrv 1000 100 | \_ user: aa10afc0620e9893
256104206 ----sw-v 1000 100 \_ logon: cifs:a:192.168.1.3
(That is for another user; the extra keys are for ecryptfs.)
Later on I will try to run startx from console as well to see if GDM is the
suspect.
Milan
* Re: [PATCH v2] cifscreds: add a check and warnings for session keyring problems
From: David Howells @ 2012-08-13 21:21 UTC (permalink / raw)
To: Milan Knížek
Cc: dhowells-H+wXaHxf7aLQT0dZR+AlfA, Jeff Layton, linux-cifs
Milan Knížek <knizek.confy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> How does one arrange that the session keyring is set up properly for
> various login methods?
These are all the places I have it:
/etc/pam.d/fingerprint-auth session optional pam_keyinit.so revoke
/etc/pam.d/fingerprint-auth-ac session optional pam_keyinit.so revoke
/etc/pam.d/gdm-autologin session optional pam_keyinit.so force revoke
/etc/pam.d/gdm-fingerprint session optional pam_keyinit.so force revoke
/etc/pam.d/gdm-password session optional pam_keyinit.so force revoke
/etc/pam.d/gdm-smartcard session optional pam_keyinit.so force revoke
/etc/pam.d/gdm-welcome session optional pam_keyinit.so force revoke
/etc/pam.d/kdm session optional pam_keyinit.so force revoke
/etc/pam.d/kdm-np session optional pam_keyinit.so force revoke
/etc/pam.d/login session optional pam_keyinit.so force revoke
/etc/pam.d/password-auth session optional pam_keyinit.so revoke
/etc/pam.d/password-auth-ac session optional pam_keyinit.so revoke
/etc/pam.d/remote session optional pam_keyinit.so force revoke
/etc/pam.d/runuser session optional pam_keyinit.so revoke
/etc/pam.d/runuser-l session optional pam_keyinit.so force revoke
/etc/pam.d/smartcard-auth session optional pam_keyinit.so revoke
/etc/pam.d/smartcard-auth-ac session optional pam_keyinit.so revoke
/etc/pam.d/sshd session optional pam_keyinit.so force revoke
/etc/pam.d/sudo session optional pam_keyinit.so revoke
/etc/pam.d/sudo-i session optional pam_keyinit.so force revoke
/etc/pam.d/su-l session optional pam_keyinit.so force revoke
/etc/pam.d/system-auth session optional pam_keyinit.so revoke
/etc/pam.d/system-auth-ac session optional pam_keyinit.so revoke
/etc/pam.d/vsftpd session optional pam_keyinit.so force revoke
/etc/pam.d/xdm session optional pam_keyinit.so force revoke
/etc/pam.d/xserver session optional pam_keyinit.so force revoke
> pam_keyinit.so was already in /etc/pam.d/gdm-password, though when
> logged into Xfce from GDM, "cifscreds add" typed in
> xfce4-terminal complains about a non-persistent keyring.
What name does gdm use when logging in? I see five different names in the
list above.
David
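The `keyctl show` listings Milan posted and the pam_keyinit session lines David listed, turned into a small diagnostic as an added example (not code from cifs-utils or from anyone in this thread): it reads `keyctl show` output or a PAM service file from stdin and reports whether keys installed by `cifscreds add` would outlive the process. The keyring listings are copied from the thread; the `pam_unix` line in the PAM fragment is a constructed placeholder.

```shell
#!/bin/sh
# Added example: reproduce this thread's diagnosis from `keyctl show`
# output and from a PAM service file (neither is cifs-utils code).

# Read `keyctl show` output on stdin and classify the root keyring.
# Exit status:
#   0  root is "_ses": a real session keyring exists, keys will persist
#   1  root is "_uid_ses.<uid>": the user-session keyring is standing in
#      for a missing session keyring, so cifscreds keys vanish on exit
#   2  no keyring line found (not keyctl show output?)
check_session_keyring() {
    # The first "keyring:" line without the "\_" tree marker is the root,
    # i.e. what the kernel hands back for KEY_SPEC_SESSION_KEYRING.
    root=$(awk '/keyring:/ && index($0, "\\_") == 0 { print $NF; exit }')
    case "$root" in
        _ses)       return 0 ;;
        _uid_ses.*) return 1 ;;
        *)          return 2 ;;
    esac
}

# Count the cifs logon keys ("logon: cifs:a:<server>") in `keyctl show`
# output on stdin; these are the keys cifscreds installs.
count_cifs_logon_keys() {
    grep -c 'logon: cifs:' || true
}

# Check a PAM service file on stdin for the session-phase pam_keyinit line
# the thread recommends. Prints the matching line; exit 0 if found, 1 if not.
has_pam_keyinit() {
    grep -E '^[[:space:]]*-?session[[:space:]]+(\[[^]]*\]|[[:alnum:]_]+)[[:space:]]+pam_keyinit\.so'
}

# Constructed samples, copied from the listings posted in this thread.
CONSOLE_SAMPLE='Session Keyring
 812231719 --alswrv 1001  100 keyring: _ses
 132272983 --alswrv 1001   -1  \_ keyring: _uid.1001
1046511393 ----sw-v 1001  100  \_ logon: cifs:a:192.168.1.3'

XFCE_SAMPLE='Session Keyring
 666176370 --alswrv 1001   -1 keyring: _uid_ses.1001
 132272983 --alswrv 1001   -1  \_ keyring: _uid.1001'

# Constructed PAM fragment: /etc/pam.d/login after adding the line Milan
# used (the pam_unix line is a generic placeholder, not from the thread).
PAM_LOGIN_SAMPLE='auth     required  pam_unix.so
session  optional  pam_keyinit.so force revoke'

# Print a one-line verdict for a labelled listing and return the
# check_session_keyring status so callers can act on it.
diagnose() {
    label=$1; output=$2
    if printf '%s\n' "$output" | check_session_keyring; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "$label: real session keyring; cifs logon keys present:" \
                "$(printf '%s\n' "$output" | count_cifs_logon_keys)" ;;
        1) echo "$label: no persistent session keyring, cifscreds keys" \
                "will not survive the process; add pam_keyinit to the" \
                "PAM service used for this login" ;;
        *) echo "$label: could not parse keyctl show output" ;;
    esac
    return $rc
}

diagnose "console/ssh login" "$CONSOLE_SAMPLE"
diagnose "Xfce from GDM"     "$XFCE_SAMPLE"
if printf '%s\n' "$PAM_LOGIN_SAMPLE" | has_pam_keyinit >/dev/null; then
    echo "/etc/pam.d/login sample: pam_keyinit session line present"
fi
```

On a live system, `keyctl show | sh -c '. ./diag.sh; check_session_keyring'` style use replaces the embedded samples with the real listing.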
* Re: [PATCH v2] cifscreds: add a check and warnings for session keyring problems
From: Milan Knížek @ 2012-08-15 20:39 UTC (permalink / raw)
To: David Howells; +Cc: Jeff Layton, linux-cifs
David Howells wrote on Mon 13. 08. 2012 at 22:21 +0100:
> Milan Knížek <knizek.confy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> > How does one arrange that the session keyring is set up properly for
> > various login methods?
> ...
> > pam_keyinit.so was already in /etc/pam.d/gdm-password, though when
> > logged into Xfce from GDM, "cifscreds add" typed in
> > xfce4-terminal complains about a non-persistent keyring.
>
> What name does gdm use when logging in? I see five different names in the
> list above.
>
In Arch, gdm-welcome is used for GDM greeter (run under user gdm) and
gdm-password for the user about to log in.
I tried to change the "optional" to "required" in gdm-password:
session required pam_keyinit.so force revoke
and the user was not able to login then. With "optional", the user logs
in but the keyring is then probably created by some other process w/o
pam_keyinit.
With
session optional pam_keyinit.so force revoke debug
the /var/log/gdm/:0-slave.log shows:
gdm-password][19678]: pam_keyinit(gdm-password:session): OPEN 1
gdm-password][19678]: pam_keyinit(gdm-password:session): UID:1000 [0]
GID:100 [100]
gdm-password][19678]: pam_keyinit(gdm-password:session): JOIN = -1
A bit of googling revealed some info (comment 13):
https://bugs.freedesktop.org/show_bug.cgi?id=49211
I do not understand much of the comments there and what is causing the
failure (gdm, kernel, pam_keyinit), however I can see that you - David -
got involved (comment 26) and provided a patch to kernel.
If it is related, in which version of kernel was this patch released?
My versions are: linux 3.4.8-1-ARCH, gdm 3.4.1-2
regards,
Milan
* Re: [PATCH v2] cifscreds: add a check and warnings for session keyring problems
From: Milan Knížek @ 2012-08-17 15:54 UTC (permalink / raw)
To: David Howells; +Cc: Jeff Layton, linux-cifs
Milan Knížek wrote on Wed 15. 08. 2012 at 22:39 +0200:
> David Howells wrote on Mon 13. 08. 2012 at 22:21 +0100:
> > Milan Knížek <knizek.confy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> >
> With
> session optional pam_keyinit.so force revoke debug
> the /var/log/gdm/:0-slave.log shows:
> gdm-password][19678]: pam_keyinit(gdm-password:session): OPEN 1
> gdm-password][19678]: pam_keyinit(gdm-password:session): UID:1000 [0]
> GID:100 [100]
> gdm-password][19678]: pam_keyinit(gdm-password:session): JOIN = -1
>
> A bit of googling revealed some info (comment 13):
> https://bugs.freedesktop.org/show_bug.cgi?id=49211
> I do not understand much of the comments there and what is causing the
> failure (gdm, kernel, pam_keyinit), however I can see that you - David
> - got involved (comment 26) and provided a patch to kernel.
Recompiling 3.4.8 kernel with the patch applied (plus another one
mentioned in that patch description) solved the problem - in Xfce
session opened from GDM the session keyring exists and "cifscreds add
server" works. (And mounting CIFS shares with multiuser option as well.)
Thanks!
regards,
Milan
* Re: [PATCH v2] cifscreds: add a check and warnings for session keyring problems
From: Jeff Layton @ 2012-08-17 16:02 UTC (permalink / raw)
To: Milan Knížek; +Cc: David Howells, linux-cifs
On Fri, 17 Aug 2012 17:54:26 +0200
Milan Knížek <knizek.confy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Milan Knížek wrote on Wed 15. 08. 2012 at 22:39 +0200:
> > David Howells wrote on Mon 13. 08. 2012 at 22:21 +0100:
> > > Milan Knížek <knizek.confy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > >
> > With
> > session optional pam_keyinit.so force revoke debug
> > the /var/log/gdm/:0-slave.log shows:
> > gdm-password][19678]: pam_keyinit(gdm-password:session): OPEN 1
> > gdm-password][19678]: pam_keyinit(gdm-password:session): UID:1000 [0]
> > GID:100 [100]
> > gdm-password][19678]: pam_keyinit(gdm-password:session): JOIN = -1
> >
> > A bit of googling revealed some info (comment 13):
> > https://bugs.freedesktop.org/show_bug.cgi?id=49211
> > I do not understand much of the comments there and what is causing the
> > failure (gdm, kernel, pam_keyinit), however I can see that you - David
> > - got involved (comment 26) and provided a patch to kernel.
>
> Recompiling 3.4.8 kernel with the patch applied (plus another one
> mentioned in that patch description) solved the problem - in Xfce
> session opened from GDM the session keyring exists and "cifscreds add
> server" works. (And mounting CIFS shares with multiuser option as well.)
>
> Thanks!
>
> regards,
> Milan
>
Awesome! David, are there any plans to push this patch to mainline?
--
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
* Re: [PATCH v2] cifscreds: add a check and warnings for session keyring problems
From: David Howells @ 2012-08-17 21:02 UTC (permalink / raw)
To: Jeff Layton
Cc: dhowells-H+wXaHxf7aLQT0dZR+AlfA, Milan Knížek, linux-cifs
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org> wrote:
> Awesome! David, are there any plans to push this patch to mainline?
I was hoping someone would test it, review it or comment on it, but to this
point, no one did. Now, however, ...
David