Schnellzugriff »

» Kategorien

» Actionscript 3
» Administration
» Blog
» Flex
» Fun
» Google
» Java
» Linux / Unix
» Mac OS X
» MacBook
» Magento
» Mailserver
» MDA / PDA
» nerdcenter
» PHP
» Programmierung
» redmine
» SEO
» Sicherheit
» Solr
» TYPO3
» TypoScript
» Uncategorized
» Userland
» Webserver
» Windows
» Wordpress
» XEN

» Seiten

» Impressum
» Über nerdcenter

» Suche

« Debian Lenny: pam_mount, files and loop devices Java: Periodically check internet connection availability »

How-to: Debian: Automatically mounted loopback images with dm-crypt, LUKS, pam_mount

How to create encrypted loopback images with dm-crypt and LUKS + automatically mounting them after login with pam_mount

I recommend using debian squeeze for this scenario as lenny includes a very old version of libpam-mount and I had lots of problems when I tried using it.
Using only the libpam-mount package and its dependencies from squeeze maybe (I didn’t try it and I wouldn’t recommend it either) does the job too, but at least has a very bitter after taste if you take a closer look at the dependencies.

1. Make sure you have the required kernel modules loaded. If you use the stock debian kernel, this will be the case. if you don’t, make sure you’ve set the following options:

CONFIG_BLK_DEV_DM=y or CONFIG_BLK_DEV_DM=M
CONFIG_DM_CRYPT=y or CONFIG_DM_CRYPT=M
CONFIG_CRYPTO_CBC=y

Additionally, you need to include support for at least one cipher.

In make menuconfig, you can find the required kernel modules at the following locations:

Device Drivers  --->
	Multi-device support (RAID and LVM)  --->
		<*> Device mapper support
		<*> Crypt target support

Cryptographic options  --->
	 SHA256 digest algorithm
	 AES cipher algorithms (x86_64)

To avoid a reboot, you can build all of these options as modules. If you chose to do so, you can later load the modules by using modprobe .

2. Install the required packages
apt-get install cryptsetup libpam-mount
…apt-get should take care of all dependencies

3. Generate a random key and assign it to a variable for later use

KEY=`tr -cd [:graph:] < /dev/urandom | head -c 79`

4. Encrypt the key and save it to a file

echo $KEY | openssl aes-256-cbc > container.key

5. Create the loopback file and fill it with random data

dd if=/dev/urandom of=~/container.img bs=1G count=10

This will create a 10GB file and fill it with random data taken from /dev/urandom.
Another option (which will be much faster especially on older hardware) is using /dev/zero to fill the loopback file with zeros:

dd if=/dev/zero of=~/container.img bs=1G count=10

6. Set up a loop device

losetup /dev/loop0 ~/container.img

7. LuksFormat it

echo $KEY | cryptsetup -v -c aes -s 256 luksFormat /dev/loop0

8. Open it

cryptsetup luksOpen /dev/loop0 container

9. Make a filesystem of your choice

mkfs.xfs /dev/mapper/container

10. Close it and delete loop

cryptsetup luksClose container && losetup -d /dev/loop0

11. Configure pam_mount
Open /etc/security/pam_mount.conf.xml in your favorite text editor and change it to the following:

<?xml version="1.0" encoding="utf-8" ?>

<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
	<debug enable="1" />
	<mkmountpoint enable="1" remove="true" />

	<msg-sessionpw>reenter password for pam_mount:</msg-sessionpw>
	<volume user="foobar" path="/home/foobar/container.img" mountpoint="/home/foobar/containercontents"
		options="cipher=aes-cbc-essiv:sha256,hash=sha512,keysize=256" fstype="crypt" fskeycipher="aes-256-cbc"

		fskeypath="/home/foobar/container.key" fskeyhash="md5" />
</pam_mount>

Using this configuration the image /home/foobar/container.img will get mounted into /home/foobar/containercontents when the user foobar logs in.
Enabling debugging is pretty usefull if something isn't working as it should. In this case you can take a look at /var/log/auth.log.

12. Include /etc/pam.d/common-pammount in the PAM configuration files of the services that should use it (for example: SSHd)
Open /etc/security/sshd in your favorite text editor. Look for the line "@include common-session" and add a new line after it:

...
@include common-session
@include common-pammount
...

13. If needed, change the configuration of the relevant services (for example: SSHd)
Open /etc/ssh/sshd_config in your favority text editor and make sure you have the following lines in there:

# pam_mount
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePrivilegeSeparation no
PermitUserEnvironment yes

If you disable PasswordAuthentication and use keys instead you have to enter the users password after connecting via SSH.

14. Test if anything works as expected
Open a root session or use sudo and watch the auth log by using tail -f /var/log/auth.log. Then login as the user for which you have configured a volume earlier.
If the encrypted loopback image gets mounted, also test if it gets unmounted again, when the user logs out.
If anything works remove the debug line from /etc/security/pam_mount.conf.xml.

Many thanks go to the users tuxophil and pillgrim from the gentoo forums. Large parts of this howto were taken from their postings at http://forums.gentoo.org/viewtopic-t-274651.html.

Donnerstag, Juni 17th, 2010 and is filed under Administration, Linux / Unix, Sicherheit. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Comments are closed.

nerdcenter is proudly powered by WordPress
Entries (RSS) and Comments (RSS).

Calella | Lloret de Mar Reisen | Stalker Clear Sky | Empire Total War

» Archiv

April 2011 Februar 2011 Januar 2011 November 2010 September 2010 Juni 2010 März 2010 August 2009 Juli 2009 März 2009 Februar 2009 August 2008