Error attempting to add passphrase key to user session keyring

Bug #313330 reported by David Crosio
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
eCryptfs | Fix Released | Medium | Dustin Kirkland |
ecryptfs-utils (Ubuntu) | Fix Released | Medium | Dustin Kirkland |

Bug Description

Every time I type sudo I find in the log these lines. The login process is slow. I don't understand why the PGP passphrase conflicts with the sudo password. In theory they don't have anything in common.

Jan 2 22:25:18 Renovatio sudo: pam_sm_authenticate: Called
Jan 2 22:25:18 Renovatio sudo: pam_sm_authenticate: username = [zio]
Jan 2 22:25:18 Renovatio sudo: Error attempting to parse .ecryptfsrc file; rc = [-5]
Jan 2 22:25:18 Renovatio sudo: Unable to read salt value from user's .ecryptfsrc file; using default
Jan 2 22:25:20 Renovatio sudo: Passphrase key already in keyring
Jan 2 22:25:20 Renovatio sudo: Error attempting to add passphrase key to user session keyring; rc = [1]
Jan 2 22:25:20 Renovatio sudo: There is already a key in the user session keyring for the given passphrase.

Thanks in advance
David

David Crosio (uncle-d) wrote :

Finally, I understood what the problem was. Ecryptfs hung and it didn't encrypt my files, which were always readable even with external access (boot from CD). There was a zombie process (ecryptfs-thread) owned by root that caused the message above. I haven't been able to kill this process, so I uninstalled ecryptfs. Problem solved. Now I'm using TrueCrypt.

Sorry for the bother

David

darthanubis (darthanubis) wrote :

I've been getting this error after an upgrade 10 hrs ago.
2.6.28-11-generic #38-Ubuntu SMP Fri Mar 27 10:01:17 UTC 2009 x86_64 GNU/Linux

darthanubis (darthanubis) wrote :

Apr 1 02:45:21 x su[7278]: pam_mount(pam_mount.c:100): unknown pam_mount option "use_first_pass"
Apr 1 02:45:21 x su[7278]: pam_sm_authenticate: Called
Apr 1 02:45:21 x su[7278]: pam_sm_authenticate: username = [root]
Apr 1 02:45:21 x su[7278]: Warning: Using default salt value (undefined in ~/.ecryptfsrc)
Apr 1 02:45:22 x su[7283]: Error attempting to open [/root/.ecryptfs/wrapped-passphrase] for reading
Apr 1 02:45:22 x su[7283]: Error attempting to unwrap passphrase from file [/root/.ecryptfs/wrapped-passphrase]; rc = [-5]
Apr 1 02:45:22 x su[7283]: Error adding passphrase key token to user session keyring; rc = [-5]
Apr 1 02:45:22 x su[7278]: Successful su for root by xxx
Apr 1 02:45:22 x su[7278]: + pts/0 anubis:root
Apr 1 02:45:22 x su[7278]: pam_unix(su:session): session opened for user root by xxx(uid=1000)

Martin Pitt (pitti) wrote :

Dustin, does that ring a bell?

affects: sudo (Ubuntu) → ecryptfs-utils (Ubuntu)
Dustin Kirkland (kirkland) wrote :

David-

You said that the sudo process is "slow" ...

Might I ask what kind of hardware you're running this on? Does it happen to be a netbook, atom or arm machine?

:-Dustin

Dustin Kirkland (kirkland) wrote :

Okay, I'm forwarding this upstream and assigning to myself.

I think that there are two parts to this bug...

 1) Key adding on underpowered CPUs (ARMs and Atoms in netbooks) is simply a slow process due to the 64K rounds of key strengthening. I think we should make that configurable for Karmic, but there's nothing we can really do for this on Jaunty.

 2) We should clean up the error messages thrown to the log files.
  a) if the user doesn't have an ecryptfs setup, let's short circuit pam_ecryptfs and bail out without spamming the logs with error messages
  b) if the key is already in the keyring, great, no need to gripe about it.

:-Dustin

Changed in ecryptfs:
assignee: nobody → Dustin Kirkland (kirkland)
importance: Undecided → Medium
status: New → Triaged
Changed in ecryptfs-utils (Ubuntu):
assignee: nobody → Dustin Kirkland (kirkland)
importance: Undecided → Medium
status: New → Triaged
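
A log-triage sketch for the two cases in point 2 of the comment above, added here as an example (it is not code from ecryptfs-utils or from anyone in this thread): it groups the pam_ecryptfs lines quoted in this report by authentication attempt and separates "key already in keyring" noise from a missing wrapped-passphrase file. The label and verdict names are this example's own, and treating the rc = [-5] excerpt as case 2a is an assumption.

```python
import re

# Lines copied from the two syslog excerpts quoted in this report.
SAMPLE = """\
Jan 2 22:25:18 Renovatio sudo: pam_sm_authenticate: Called
Jan 2 22:25:18 Renovatio sudo: pam_sm_authenticate: username = [zio]
Jan 2 22:25:18 Renovatio sudo: Error attempting to parse .ecryptfsrc file; rc = [-5]
Jan 2 22:25:20 Renovatio sudo: Passphrase key already in keyring
Jan 2 22:25:20 Renovatio sudo: Error attempting to add passphrase key to user session keyring; rc = [1]
Apr 1 02:45:21 x su[7278]: pam_sm_authenticate: Called
Apr 1 02:45:21 x su[7278]: pam_sm_authenticate: username = [root]
Apr 1 02:45:22 x su[7283]: Error attempting to open [/root/.ecryptfs/wrapped-passphrase] for reading
Apr 1 02:45:22 x su[7283]: Error adding passphrase key token to user session keyring; rc = [-5]
"""

# "Mon D HH:MM:SS host prog[pid]: message"; pid ignored (parent 7278, child 7283).
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+) ([\w.-]+)(?:\[\d+\])?: (.*)$")
# Message pattern -> label (label names are this example's own).
RULES = [
    (re.compile(r"already (?:a key )?in (?:the user session )?keyring|keyring; rc = \[1\]"), "key_already_loaded"),
    (re.compile(r"wrapped-passphrase\] for reading|unwrap passphrase from file"), "no_wrapped_passphrase"),
    (re.compile(r"keyring; rc = \[-\d+\]"), "key_add_failed"),
    (re.compile(r"\.ecryptfsrc"), "default_salt"),
]

def verdict(labels):
    # A missing wrapped-passphrase is only noise for users without eCryptfs.
    if labels & {"no_wrapped_passphrase", "key_add_failed"}:
        return "check_setup"
    return "benign_noise" if labels else "clean"

def triage(text):
    """One event per pam_sm_authenticate call, keyed by (host, program)."""
    events, current = [], {}
    for m in filter(None, map(LINE.match, text.splitlines())):
        host, prog, msg = m.groups()
        if msg == "pam_sm_authenticate: Called":
            current[host, prog] = {"prog": prog, "user": None, "labels": set()}
            events.append(current[host, prog])
        elif (host, prog) in current:
            ev = current[host, prog]
            user = re.search(r"username = \[(.*?)\]", msg)
            ev["user"] = user.group(1) if user else ev["user"]
            ev["labels"] |= {label for rx, label in RULES if rx.search(msg)}
    for ev in events:
        ev["verdict"] = verdict(ev["labels"])
    return events

if __name__ == "__main__":
    print([(e["user"], e["verdict"], sorted(e["labels"])) for e in triage(SAMPLE)])
```

A "check_setup" verdict is expected for an account that never ran the eCryptfs setup and worth investigating for one that did.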
Dustin Kirkland (kirkland) wrote :

Committed revision 389.

Changed in ecryptfs:
status: Triaged → Fix Committed
Dustin Kirkland (kirkland) wrote :

Will be in ecryptfs-utils-75

Changed in ecryptfs:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ecryptfs-utils - 75-0ubuntu1

---------------
ecryptfs-utils (75-0ubuntu1) karmic; urgency=low

  [ Dustin Kirkland ]
  * debian/rules: drop hackery that moves stuff /usr/share/ecryptfs-utils
  * src/utils/mount.ecryptfs_private.c: update inline documentation
  * debian/changelog, src/libecryptfs/cmd_ln_parser.c,
    src/libecryptfs/key_management.c, src/pam_ecryptfs/pam_ecryptfs.c,
    src/utils/ecryptfs_add_passphrase.c,
    src/utils/ecryptfs_insert_wrapped_passphrase_into_keyring.c,
    src/utils/ecryptfs_rewrap_passphrase.c,
    src/utils/ecryptfs_unwrap_passphrase.c,
    src/utils/ecryptfs_wrap_passphrase.c: silence some useless logging,
    LP: #313330
  * include/ecryptfs.h, libecryptfs/key_management.c,
    utils/ecryptfs_insert_wrapped_passphrase_into_keyring.c,
    utils/ecryptfs_unwrap_passphrase.c: if the file to unwrap is
    unspecified, try to use the default ~/.ecryptfs/wrapped-passphrase
    before bailing out, LP: #359997
  * src/utils/ecryptfs-setup-private: unix_chkpwd is not always present
    (eg, gentoo), LP: #332341

  [ Tyler Hicks ]
  * doc/manpage/ecryptfs.7: ecryptfs_encrypted_view option description
    was wrong LP: #328761

  [ Michal Hlavinka ]
  * decision_graph.c: fix uninitialized return code
  * mount.ecryptfs.c: don't pass verbosity option to kernel

  [ anrxc & Dustin Kirkland ]
  * doc/Makefile.am, src/desktop/Makefile.am: fix automake installation from
    /usr/share to /usr/share/ecryptfs-utils

  [ Daniel Baumann & Dustin Kirkland ]
  * debian/rules, debian/control: sync differences between Debian & Ubuntu's
    packaging

  [ Arfrever Frehtes Taifersar Arahesis ]
  * src/key_mod/ecryptfs_key_mod_gpg.c,
    src/key_mod/ecryptfs_key_mod_pkcs11_helper.c: fix implicit declarations

  [ Frédéric Guihéry ]
  * key_mod/ecryptfs_key_mod_tspi.c, utils/ecryptfs_generate_tpm_key.c:
    the SRK password should be set to 20 bytes of NULL (wellknown
    password), in order for different tools to request key protection
    with the Storage Root Key

 -- Dustin Kirkland <email address hidden> Sat, 02 May 2009 11:44:56 -0500

Changed in ecryptfs-utils (Ubuntu):
status: Triaged → Fix Released
Derek White (d-man97) wrote :

So, did 75 not get pushed to jaunty? I am still getting these messages with pam and polkit-grant-helper-pam.

Martinux (martinux) wrote :

I'm getting these messages too.

David Clayton (dcstar) wrote :

9.04 users can download the following packages from the Karmic repository - http://packages.ubuntu.com/jaunty/ecryptfs-utils - and install them:

libgpg-error0
libecryptfs0
ecryptfs-utils

This worked fine on my 64-bit install.

Kenny Ossa (ynnek) wrote :

This solution works fine. Tested in 9.04 32-bit (i386).
