ecryptfs PAM module causes slow authentication

Bug #425040 reported by Runar Ingebrigtsen on 2009-09-06
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ecryptfs-utils (Ubuntu)
Undecided
Unassigned
Declined for Jaunty by Steve Langasek
Declined for Karmic by Steve Langasek

Bug Description

The following line in /etc/pam.d/common-auth causes heavy delay in system authentication:
auth optional pam_ecryptfs.so unwrap

This default PAM module in Ubuntu causes slow logon times and a very annoying delay in the unlock process of gnome-screensaver. The difference in terms of user experience between keeping this module and disabling this module is huge, especially compared to Windows 7 and OS X screensaver unlock.

I recorded the following average times when debugging the unlock delay:
VT1 bash LOGIN times:
Default: ~ 2.8 seconds
No ecryptfs: ~ 1.1 seconds

gnome-screensaver unlock times:
Default: ~ 2.3 seconds
Ecryptfs, no gnome-keyring: ~ 2.0 seconds
No ecryptfs: ~ 0.7 seconds
Keyring, no ecrypt: ~ 0.7 seconds

In other words: By disabling ecryptfs in PAM common_auth I went from experiencing a "hang" in the gnome-screensaver unlock screen, with the password field greyed out, to an immediate desktop appearance after typing the password. Furthermore, at the same time I saw a significant reduction of login delay at the terminal. I didn't bother timing the GDM login times, as they're sure to be faster as well.

My simple request is herefore that the pam_ecryptfs module is henceforth disabled from the default Ubuntu configuration, based on this upgrade of the overall user experience in a significant area - the reactivation of the desktop after suspend, hibernate and general AFK. As per the usefulness of this module, I can't imagine the average user will miss the option to encrypt folders.

For advanced users, there need to be a different way to let them encrypt folders than putting this big hurdle in the face of regular users.

And no, this is not the same problem as #105101 - as my disabling the pam_ecryptfs line in common_auth doesn't seem to affect the speed at which the password dialog in gnome-screensaver appears.

Thanks.

Steve Langasek (vorlon) wrote :

Thank you for taking the time to report this issue and help to improve Ubuntu.

This is not a default module in Ubuntu, it's only installed if you install it manually or if you choose home directory encryption in the installer. Reassigning to the ecryptfs package for further analysis of the delays you're seeing.

affects: pam (Ubuntu) → ecryptfs-utils (Ubuntu)
Runar Ingebrigtsen (ringe) wrote :

I tried to remove the ecryptfs-utils package but that resulted in the pam_ecryptfs module being reenabled in my common_auth. Then I removed the libecryptfs0 package and the pam_ecryptfs module got disabled.

Also, I never opted in for any home directory encryption, and I never asked for the package. Exactly where is it I would have the option to choose home dir encryption, as you say?

Dustin Kirkland  (kirkland) wrote :

Can you reproduce this problem in Karmic?

I believe this bug is a duplicate of Bug #402748, which is fixed in Karmic.

:-Dustin

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers