Passphrases do not get rewrapped when changing password on NixOS
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
eCryptfs | New | Undecided | Unassigned | | |
Bug Description
I'm the ecryptfs package maintainer for NixOS. eCryptfs, in general, works fine on NixOS; however, passphrases do not get rewrapped when changing password:
Here's what I see in the log:
[Invoke passwd command, haven't typed anything yet]
Aug 19 10:12:24 hostname passwd[16250]: pam_ecryptfs: PAM passphrase change module retrieved a NULL passphrase; nothing to do
[Type current password]
Aug 19 10:13:09 hostname passwd[16250]: pam_ecryptfs: Passphrase file wrapped
Aug 19 10:13:09 hostname passwd[16250]: pam_ecryptfs: PAM passphrase change module retrieved at least one NULL passphrase; nothing to do
[Type new password twice]
Aug 19 10:13:45 hostname passwd[16250]: pam_unix(
Here's the relevant PAM config file:
$ grep ^password /etc/pam.d/passwd
password optional /nix/store/
password requisite pam_unix.so nullok sha512
If that helps, here's the ecryptfs package file for NixOS:
https:/
and these files contain the pam entries:
https:/
https:/
This problem also existed on the last couple of eCryptfs versions.
Help appreciated.
I've actually gotten to the bottom of this. I had two issues:
1) I moved the password optional ecryptfs.so line BELOW the pam_unix.so line (despite what https://wiki.archlinux.org/index.php/ECryptfs says)
2) I realized that the password rewrapper looks for the wrapped-passphrase in /home/user/.ecryptfs rather than /home/.ecryptfs/user/.ecryptfs -- when I made the former a symlink to the latter, rewrapping started working.
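
A check for the two conditions described in the comment above, as an added example that is not code from the reporter or the eCryptfs project. The function names are hypothetical, and the script assumes the module file is named pam_ecryptfs.so (as in the log lines) and that the file is called wrapped-passphrase.

```shell
#!/bin/sh
# Added example: function names are assumptions made for illustration.

# Print the line number of the first "password" stack entry whose module
# basename equals $2. Handles bare names (pam_unix.so) and absolute paths
# (/nix/store/.../pam_ecryptfs.so), and bracketed controls such as
# [success=1 default=ignore] that shift the module to a later field.
pam_password_line() {
    awk -v mod="$2" '
        $1 == "password" || $1 == "-password" {
            for (i = 2; i <= NF; i++) {
                n = split($i, parts, "/")
                if (parts[n] == mod) { print NR; exit }
            }
        }' "$1"
}

# Returns 0 if pam_ecryptfs.so comes after pam_unix.so in the password
# stack of PAM file $1, 1 if it comes before, 2 if either entry is missing.
ecryptfs_after_unix() {
    unix_ln=$(pam_password_line "$1" pam_unix.so)
    ecfs_ln=$(pam_password_line "$1" pam_ecryptfs.so)
    [ -n "$unix_ln" ] && [ -n "$ecfs_ln" ] || return 2
    [ "$ecfs_ln" -gt "$unix_ln" ]
}

# Returns 0 if $1/.ecryptfs/wrapped-passphrase resolves (following
# symlinks) to a readable regular file, non-zero otherwise.
wrapped_passphrase_reachable() {
    [ -f "$1/.ecryptfs/wrapped-passphrase" ] &&
        [ -r "$1/.ecryptfs/wrapped-passphrase" ]
}

# Usage: sh check.sh /etc/pam.d/passwd /home/user
if [ "$#" -eq 2 ]; then
    if ecryptfs_after_unix "$1"; then
        echo "password stack: pam_ecryptfs.so is after pam_unix.so"
    else
        echo "password stack: pam_ecryptfs.so is before pam_unix.so or missing"
    fi
    if wrapped_passphrase_reachable "$2"; then
        echo "wrapped-passphrase: reachable under $2/.ecryptfs"
    else
        echo "wrapped-passphrase: not reachable under $2/.ecryptfs"
    fi
fi
```
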