Hi,
I’ve encrypted my home directory using the fscrypt tool and installed the pam_fscrypt package.
After some trouble finding out why my configurations are not saved in pam.d, I’ve found that I have to create a new profile in authselect based on sssd and select it, based on PAM configuration on Fedora · Issue #295 · google/fscrypt · GitHub. However, this was not enough, as my home is not being decrypted at login and I’m forced to open a root session, unlock my home and go back to my KDE session.
After further investigation, I’ve found the following error:
$ sudo journalctl -b | grep -i fscrypt
Jun 16 10:07:48 fedora.home kernel: fscrypt: AES-256-CBC-CTS using implementation "cts-cbc-aes-aesni"
Jun 16 10:07:48 fedora.home kernel: fscrypt: AES-256-XTS using implementation "xts-aes-vaes-avx2"
Jun 16 10:10:23 fedora.home sudo[9697]: PAM unable to dlopen(/usr/lib64/security/pam_fscrypt.so): /usr/lib64/security/pam_fscrypt.so: cannot dynamically load position-independent executable
Jun 16 10:10:23 fedora.home sudo[9697]: PAM adding faulty module: /usr/lib64/security/pam_fscrypt.so
Jun 16 10:10:27 fedora.home (systemd)[9705]: PAM unable to dlopen(/usr/lib64/security/pam_fscrypt.so): /usr/lib64/security/pam_fscrypt.so: cannot dynamically load position-independent executable
Jun 16 10:10:27 fedora.home (systemd)[9705]: PAM adding faulty module: /usr/lib64/security/pam_fscrypt.so
When looking for the shared library, I have the following:
➜ ~ sudo dnf reinstall pam_fscrypt
Updating and loading repositories:
Repositories loaded.
Package Arch Version Repository Size
Reinstalling:
pam_fscrypt x86_64 0.3.5-2.fc42 fedora 5.6 MiB
replacing pam_fscrypt x86_64 0.3.5-2.fc42 fedora 5.6 MiB
Transaction Summary:
Reinstalling: 1 package
Replacing: 1 package
Total size of inbound packages is 2 MiB. Need to download 2 MiB.
After this operation, 0 B extra will be used (install 6 MiB, remove 6 MiB).
Is this ok [y/N]: y
[1/1] pam_fscrypt-0:0.3.5-2.fc42.x86_64 100% | 3.5 MiB/s | 1.9 MiB | 00m01s
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[1/1] Total 100% | 2.8 MiB/s | 1.9 MiB | 00m01s
Running transaction
[1/4] Verify package files 100% | 142.0 B/s | 1.0 B | 00m00s
[2/4] Prepare transaction 100% | 4.0 B/s | 2.0 B | 00m00s
[3/4] Reinstalling pam_fscrypt-0:0.3.5-2.fc42.x86_64 100% | 22.3 MiB/s | 5.6 MiB | 00m00s
[4/4] Removing pam_fscrypt-0:0.3.5-2.fc42.x86_64 100% | 16.0 B/s | 7.0 B | 00m00s
Complete!
➜ ~ file /usr/lib64/security/pam_fscrypt.so
/usr/lib64/security/pam_fscrypt.so: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=ddb36b7e4747b2126c3a3d83b2911224aa9c8d7a, for GNU/Linux 3.2.0, stripped
➜ ~ file /usr/lib64/security/pam_access.so
/usr/lib64/security/pam_access.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=df46f8209138e927982124c384c4cd046cbbcf74, stripped
So what’s wrong with that library? Could anyone recompile it eventually?
Just for your information, when creating a new authselect profile, I manually created the file profile.xml, as authselect will complain about the missing file:
➜ fscrypt pwd
/etc/authselect/custom/fscrypt
➜ fscrypt cat profile.xml
<?xml version="1.0" encoding="UTF-8"?>
<profile id="fscrypt" version="1">
<description>fscrypt profile</description>
<base-on>sssd</base-on>
</profile>
and I don’t have time to add a new flag with-fscrypt, as it’s my first time with the authselect package.
Thank you
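
A check for the condition behind the journal error above, as an added example that is not part of the original post: glibc's loader refuses to dlopen() an object whose DT_FLAGS_1 dynamic entry carries DF_1_PIE, so this script reads that flag for every module in a PAM directory. The function names and the constructed sample ELF image are assumptions of the example; the default directory is the one from the post.

```python
import struct
import sys
from pathlib import Path

PT_DYNAMIC = 2             # program header type of the dynamic section
DT_NULL = 0                # terminates the dynamic array
DT_FLAGS_1 = 0x6FFFFFFB    # dynamic tag holding the DF_1_* flags
DF_1_PIE = 0x08000000      # set by the linker for position-independent executables

def is_pie_executable(data: bytes) -> bool:
    """True if a little-endian ELF64 image has DF_1_PIE set in DT_FLAGS_1."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", data, ph)
        if p_type != PT_DYNAMIC:
            continue
        # p_offset is at +8 and p_filesz at +32 inside an Elf64_Phdr
        p_offset, _, _, p_filesz = struct.unpack_from("<QQQQ", data, ph + 8)
        for pos in range(p_offset, p_offset + p_filesz, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_FLAGS_1:
                return bool(d_val & DF_1_PIE)
    return False

def build_sample(flags_1: int) -> bytes:
    """Constructed minimal ELF64 image: header, one PT_DYNAMIC phdr, two dynamic entries."""
    dyn = struct.pack("<qQqQ", DT_FLAGS_1, flags_1, DT_NULL, 0)
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 120, 120, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn

def unloadable_modules(directory: str) -> list:
    """Names of *.so files in `directory` that dlopen() would reject as PIE executables."""
    bad = []
    for path in sorted(Path(directory).glob("*.so")):
        try:
            if is_pie_executable(path.read_bytes()):
                bad.append(path.name)
        except (ValueError, struct.error, OSError):
            continue  # not a parsable ELF64 image; out of scope for this check
    return bad

if __name__ == "__main__":
    print(unloadable_modules(sys.argv[1] if len(sys.argv) > 1 else "/usr/lib64/security"))
```

Run against the directory from the post, it lists every module that PAM would log as "adding faulty module" for this reason.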