Ubuntu

passphrase for encrypted home partition not being read

Reported by Pete Phillips on 2009-11-17
This bug affects 8 people
Affects Status Importance Assigned to Milestone
cryptsetup (Ubuntu)
Undecided
Unassigned

Bug Description

This bug is similar to https://bugs.launchpad.net/ubuntu/+source/mountall/+bug/430496

Release: Ubuntu 9.10

PROBLEM

My /home partition is encrypted and has been since at least Jaunty and perhaps Intrepid or Hardy.

When Karmic starts up and I am prompted for the passphrase, I type it in and frequently when I hit <CR> the prompt just sits there as if it hasn't seen me hit it. If I hit CR again, it will usually see it and feed a newline, and complain that the key is incorrect, and prompt me again. Sometimes it will see the passphrase and CR correctly, and mount the partition, other times I enter it three times after which the mount fails and I end up having to reboot.

I *think* that every time it fails I have had to hit <CR> at least twice. I don't think that it has ever acknowledged the CR but lost some of the passphrase.

It looks like something is eating the keystrokes! I did read in one similar bug report that gdm may be running and interfering with this process.

My crypttab is:

  lap1:[~] % cat /etc/crypttab
  # <target name> <source device> <key file> <options>
  crypt-home /dev/sda3 none luks

fstab:

  /dev/mapper/crypt-home /home ext3 defaults,relatime 0 2

regards
Pete

affects: openjdk-6 (Ubuntu) → ubuntu
tags: added: needs-reassignment
Philip Muškovac (yofel) on 2009-11-18
affects: ubuntu → cryptsetup (Ubuntu)
flummy (nospam09) wrote :

I seem to have a similar issue, my /etc/crypttab contains:
# <target name> <source device> <key file> <options>
CRYPT1 /dev/mapper/momo-crypt1 none luks,timeout=30

/etc/fstab:
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/CRYPT1 /media/CRYPT1 ext3 defaults 0 0

My System is DISTRIB_RELEASE=9.10, fully upgraded from 9.04, using LILO since 9.04 due to LVM2 root fs.

During system boot, "Starting early crypto disks" (probably from /lib/cryptsetup/cryptdisks.functions sourced in /etc/init/cryptdisks-enable.conf?) prompts for the passphrase for CRYPT1, a second later gdm starts and offers a login prompt.

When I switch back to tty1 with Ctrl+Alt+F1, I have the same situation as Pete - I usually need several attempts to enter the passphrase.

Kind Regards,
Flummy

matejcik (matejcik) wrote :

i'm seeing this with the following crypttab:

data /dev/sda7 none luks

/dev/mapper/data is marked as bootwait in fstab. when it's not, the usual problems happen - gdm happily starts while my other startup scripts are waiting indefinitely for the frozen cryptdisks job.
When i mark it bootwait, the system will show a password prompt for a very short time and then switch to splash screen with "/media/data : waiting for /dev/mapper/data, press ESC for recovery shell". This screen is completely unresponsive to anything but ctrl+alt+delete, i can't even switch back to the password prompt.
If i start the system with nosplash, i will see the password prompt, but it won't read my keystrokes, exactly as described by Pete.

at this point, the only way to get my system started is using the recovery mode.

Pete Phillips (pete-smtl) wrote :

Evening all.

I have been experimenting how to work around this. I may have a partial (and slightly embarrassing) solution.

When the password/passphrase prompt comes up, hit BACKSPACE about 20-30 times.

Type in your normal password.

Hit <CR>

If you don't get a newline and acceptance of your password, hit backspace 20-30 times again and re-enter. Hit <CR>

At this stage it usually works for me.

The key is, if when you hit backspace you don't see the password being accepted, then DO NOT TRY TO HIT <CR> AGAIN - that will use up one of your login attempts. Just hit a bunch of backspaces and re-enter.

I realise this is a potch, but as I usually suspend my laptop I only have to go through this palaver once a week or so (usually after a kernel update).

Let me know if this is of any help.
Pete

flummy (nospam09) wrote :

Hi Pete,

Hitting CR a second time when not seeing a reaction to the first CR
improved the situation for me, too. (Got the crypto partition mounted after 1-3 attempts most of the time)

cryptsetup has been updated, it seems there are several issues involved and there is a partial fix:
Version 2:1.0.6+20090405.svn49-1ubuntu7.1:

  * debian/cryptdisks.functions:
    - wrap the call to /lib/cryptsetup/askpass with watershed, to make sure
      we only ever have one of these running at a time; otherwise multiple
      invocations could steal each other's input and/or write over each
      other's output [...]

  * debian/cryptdisks-udev.upstart: new, additional upstart job run once for
    each block device, using the new crypttab_start_one_disk function,
    triggered by udev; this doesn't eliminate the possibility of a race with
    gdm when the decrypted volume isn't a 'bootwait' mount point (since gdm
    kills usplash), but it does eliminate the race between udev and
    cryptsetup.

Kind Regards,
Flummy

flummy (nospam09) wrote :

P.S., using the bootwait option in /etc/fstab removed the need to manually switch back from gdm on tty7 to tty1, prior to today's cryptsetup update

Pete Phillips (pete-smtl) wrote :

Ouch.

Things have gone from bad to worse today.

After flummy's email I upgraded and rebooted.

The system came up with new error messages about

   /lib/udev/watershed not found

at this stage it seems to have abandoned looking for a password.

Had to ESC out of this to the shell.

I have abandoned auto mounting of the crypto disks. I commented out

#/dev/mapper/crypt-home /home ext3 defaults,relatime,bootwait 0 2

and wrote a short shell script:

------------------------------------------------------------
lap1:[~] % cat /usr/local/bin/crypto-home

#!/bin/sh
# start crypt disks manually

cryptsetup luksOpen /dev/sda3 crypt-home
mount /dev/mapper/crypt-home /home

---------------------------------------

so now i boot, go to a virtual terminal, run the script, then go to vt7 and log in.

not smooth, but works.

:-(
Pete

flummy (nospam09) wrote :

Hi Pete,

according to # zgrep water /var/log/dpkg.log.*.gz
/var/log/dpkg.log.7.gz:2009-05-03 17:18:39 status installed watershed 4

i seem to have watershed installed since my upgrade from 8.10 to 9.04:
# ls -l /lib/udev/watershed
-rwxr-xr-x 1 root root 17832 2009-04-10 02:14 /lib/udev/watershed
# dpkg -l watershed
ii watershed 4 reduce superfluous executions of idempotent

>>>>> "flummy" == flummy <email address hidden> writes:

    flummy> Hi Pete, according to # zgrep water /var/log/dpkg.log.*.gz
    flummy> /var/log/dpkg.log.7.gz:2009-05-03 17:18:39 status installed
    flummy> watershed 4

    flummy> i seem to have watershed installed since my upgrade from
    flummy> 8.10 to 9.04: # ls -l /lib/udev/watershed -rwxr-xr-x 1 root
    flummy> root 17832 2009-04-10 02:14 /lib/udev/watershed # dpkg -l
    flummy> watershed ii watershed 4 reduce superfluous executions of
    flummy> idempotent

Hmmm

> apt-get install watershed

> The following NEW packages will be installed
> watershed
> 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.

Will see if that sorts it!

Cheers
Pete

fccoelho (fccoelho) wrote :

I have the same problem, and I can't even switch to tty1, since the switching appears not to be enabled at the point of the mounting problem. I'll now try to check if watershed is actually installed in my system...

fccoelho (fccoelho) wrote :

Watershed installation didn't help....

a bit nicer workaround than Pete's, but following the same line of thought (assumes you use gdm):

1 first comment-out your home partition on fstab

2 add the following lines at the top of "/etc/gdm/Init/Default" (right after the shebang line):

zenity --entry --hide-text --text="Enter your passphrase:" | cryptsetup luksOpen /dev/sda6 cryptohome #adjust for your setup
mount /dev/mapper/cryptohome /home

That's it! Once GDM starts, you will be prompted for your passphrase. You enter it, and your home partition is mounted for you. You can then proceed to login normally.

NOTE: This is a very raw solution. if you mistype your passphrase, you will have to reboot to get a new prompt...feel free to improve...

Thanks, fccoelho!
Improved solution which asks for your passphrase until successful mount:

== 2.a) mount by device file: ==
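DEVICE=/dev/sda6
# keep prompting until the mapping exists, i.e. luksOpen succeeded
while [ ! -e /dev/mapper/cryptohome ]; do
    # zenity prints the passphrase on stdout; cryptsetup reads it from stdin
    zenity --entry --hide-text --text="Enter your passphrase:" | cryptsetup luksOpen "$DEVICE" cryptohome
done
mount /dev/mapper/cryptohome /home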

== 2.b) mount by UUID: ==
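UUID=36f9e0ca-4da0-479d-be24-a45c7f7d106d
# keep prompting until the mapping exists, i.e. luksOpen succeeded
while [ ! -e /dev/mapper/cryptohome ]; do
    # readlink -f resolves the by-uuid symlink to the real device node
    zenity --entry --hide-text --text="Enter your passphrase:" | cryptsetup luksOpen "$(readlink -f "/dev/disk/by-uuid/$UUID")" cryptohome
done
mount /dev/mapper/cryptohome /home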

fccoelho (fccoelho) wrote :

Thanks Dimitriev!

I think that will also take care of a side-effect of my original script, which prompted for the password on logout also (because GDM is restarted) when the partition is already mounted.
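
A bounded variant of the display-manager prompt from the comments above, as an added example that is not code from any commenter in this thread: it skips the prompt when /home is already mounted (the logout case), gives up after a fixed number of failed attempts instead of looping forever, and treats a cancelled dialog as an abort. The function names, the return codes 2 and 3 and the MAX_TRIES default are assumptions; the device and mapping name are the ones used in the thread.

```sh
#!/bin/sh
# Added example, not from the bug thread. Adjust these for your setup.
DEVICE="${DEVICE:-/dev/sda6}"     # LUKS source device (value used in the thread)
NAME="${NAME:-cryptohome}"        # mapping name (value used in the thread)
MNT="${MNT:-/home}"
MAX_TRIES="${MAX_TRIES:-3}"       # assumed default, mirrors the three boot attempts

# Thin wrappers (hypothetical names) so each external step is visible on its own.
is_mounted()  { mountpoint -q "$MNT"; }
is_open()     { [ -e "/dev/mapper/$NAME" ]; }
ask_pass()    { zenity --entry --hide-text --text="Enter your passphrase:"; }
open_volume() { cryptsetup luksOpen "$DEVICE" "$NAME"; }   # passphrase on stdin
mount_home()  { mount "/dev/mapper/$NAME" "$MNT"; }

# Returns 0 when $MNT is mounted, 2 after MAX_TRIES failed attempts,
# 3 when the dialog was cancelled, or mount's own status if mounting fails.
unlock_home() {
    # GDM re-runs its Init script on logout: nothing to do if already mounted.
    is_mounted && return 0
    tries=0
    while ! is_open; do
        [ "$tries" -lt "$MAX_TRIES" ] || return 2
        tries=$((tries + 1))
        # zenity exits non-zero when the dialog is cancelled or closed.
        pass=$(ask_pass) || return 3
        # A wrong passphrase makes luksOpen fail; fall through and ask again.
        printf '%s' "$pass" | open_volume || true
        pass=
    done
    mount_home
}

# Run directly with "run" as the first argument, or paste the functions into
# the display-manager init script and call unlock_home there.
if [ "${1:-}" = run ]; then
    unlock_home
fi
```
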

disz (d-schlabing) wrote :

>>> add the following lines at the top of "/etc/gdm/Init/Default" (right after the shebang line):
>>> zenity --entry --hide-text --text="Enter your passphrase:" | cryptsetup luksOpen /dev/sda6 cryptohome #adjust for your setup
>>> mount /dev/mapper/cryptohome /home

That looks promising. Does anybody have an idea how to adapt that to kde/kdm?

fccoelho (fccoelho) wrote :

I can't remember now, but KDM also has a script which runs when it starts up. Find out which one it is and add the same lines above to it and it should work...

Steve Langasek (vorlon) wrote :

This bug looks like a duplicate of bug #497684, which is fixed in Lucid. Marking as such.

Changed in cryptsetup (Ubuntu):
status: New → Fix Released
TomasKovacik (nail-nodomain) wrote :

nice, so we should switch to alpha ?
