Ubuntu
libpam-mount package

Merge ~paelzer/ubuntu/+source/libpam-mount:lp-1804408-LUKS2-support-cosmic into ubuntu/+source/libpam-mount:ubuntu/cosmic-devel

  1. Git
  2. lp:~paelzer/ubuntu/+source/libpam-mount
  3. lp-1804408-LUKS2-support-cosmic
  4. Merge into ubuntu/cosmic-devel
Proposed by Christian Ehrhardt 
Status: Merged
Approved by: Andreas Hasenack
Approved revision: 066ee38328c05cc65754c10632297ebba5d4feee
Merge reported by: Christian Ehrhardt 
Merged at revision: 056f42054d076a11eded92b5e358af388ae6ad2f
Proposed branch: ~paelzer/ubuntu/+source/libpam-mount:lp-1804408-LUKS2-support-cosmic
Merge into: ubuntu/+source/libpam-mount:ubuntu/cosmic-devel
Diff against target: 157 lines (+123/-0)
5 files modified
debian/changelog (+9/-0)
debian/patches/0015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch (+49/-0)
debian/patches/series (+1/-0)
debian/tests/control (+3/-0)
debian/tests/local-luks (+61/-0)
Reviewer Review Type Date Requested Status
Andreas Hasenack Approve
Canonical Server Pending
git-ubuntu developers Pending
Review via email: mp+362810@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

PPA available at: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3635

I added autopkgtests as I realized what I wrote for the bug would almost already make a good test.
For Disco I'd not upload the tests as Delta, but instead open them as MP/Bug to Debian to be included there. Only if there is no activity I'd consider adding a Delta.

But lets get a review here first :-)

The PPA worked on my box as outlined in the SRU template.

Tests will run soon (the PPA just rebuilds) and will be available in Bileto then.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

I added an dep8 test for some extra confidence
Result example:
Cosmic with fix: http://paste.ubuntu.com/p/nfwBTqBdP9/
Cosmic without: http://paste.ubuntu.com/p/2rzYZJ3RYJ/
Bionic with fix: http://paste.ubuntu.com/p/WwFDY99dNh/

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

For Disco I submitted the test to Debian https://salsa.debian.org/debian/libpam-mount/merge_requests/1

Revision history for this message
Andreas Hasenack (ahasenack) :
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

There is no Debian bug (and there won't be as it is fixed in latest).
I'll remove the line.

~paelzer/ubuntu/+source/libpam-mount:lp-1804408-LUKS2-support-cosmic updated
be1116b... by Christian Ehrhardt 

there is no Debian bug for lp 1804408, remove Bug-Debian

Signed-off-by: Christian Ehrhardt <email address hidden>

Revision history for this message
Andreas Hasenack (ahasenack) :
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

+1, just some suggestions inside.

I was also going to suggest that the script be made idempotent, that helps a lot when iterating over it with enhancements or changes without having to clean up manually before each new run, but that makes it a bit more complicated than needed at this time (check user before adding, or remove user at the end, add traps, etc).

review: Approve
~paelzer/ubuntu/+source/libpam-mount:lp-1804408-LUKS2-support-cosmic updated
fed41c5... by Christian Ehrhardt 

d/t/local-luks: also check for an active mount

Signed-off-by: Christian Ehrhardt <email address hidden>

056f420... by Christian Ehrhardt 

changelog: mark dep8 bug as fixed by the new autopkgtest

Signed-off-by: Christian Ehrhardt <email address hidden>

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/debian/changelog b/debian/changelog
index 2797541..3d4a0c5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
1libpam-mount (2.16-5ubuntu0.1) cosmic; urgency=medium
2
3 * d/p/0015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch:
4 allow more than just LUKS1 by detecting the type (LP: #1804408)
5 * d/tests/control, d/tests/local-luks: add autopkgtest for luks1/luks2
6 automount on user login. (LP: #1679327)
7
8 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 06 Feb 2019 09:56:49 +0100
9
1libpam-mount (2.16-5) unstable; urgency=medium10libpam-mount (2.16-5) unstable; urgency=medium
211
3 * Upload to unstable.12 * Upload to unstable.
diff --git a/debian/patches/0015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch b/debian/patches/0015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch
4new file mode 10064413new file mode 100644
index 0000000..de3095c
--- /dev/null
+++ b/debian/patches/0015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch
@@ -0,0 +1,49 @@
1From: Jochen Sprickerhof <git@jochen.sprickerhof.de>
2Date: Sun, 30 Sep 2018 18:48:33 +0200
3Subject: Use crypt_get_type to get type and support CRYPT_LUKS2 as well
4
5Origin: debian, https://git.launchpad.net/ubuntu/+source/libpam-mount/plain/debian/patches/0015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch
6
7Bug-Ubuntu: https://bugs.launchpad.net/bugs/1804408
8Last-Update: 2019-02-06
9
10---
11 src/crypto-dmc.c | 4 ++--
12 src/ehd.c | 2 +-
13 2 files changed, 3 insertions(+), 3 deletions(-)
14
15diff --git a/src/crypto-dmc.c b/src/crypto-dmc.c
16index d0ab6ca..4754c2d 100644
17--- a/src/crypto-dmc.c
18+++ b/src/crypto-dmc.c
19@@ -48,7 +48,7 @@ EXPORT_SYMBOL int ehd_is_luks(const char *path, bool blkdev)
20
21 ret = crypt_init(&cd, device);
22 if (ret == 0) {
23- ret = crypt_load(cd, CRYPT_LUKS1, NULL);
24+ ret = crypt_load(cd, crypt_get_type(cd), NULL);
25 if (ret == -EINVAL)
26 ret = false;
27 else if (ret == 0)
28@@ -106,7 +106,7 @@ static bool dmc_run(const struct ehd_mount_request *req,
29 #endif
30 }
31
32- ret = crypt_load(cd, CRYPT_LUKS1, NULL);
33+ ret = crypt_load(cd, crypt_get_type(cd), NULL);
34 if (ret == 0) {
35 ret = crypt_activate_by_passphrase(cd, mt->crypto_name,
36 CRYPT_ANY_SLOT, req->key_data, req->key_size, flags);
37diff --git a/src/ehd.c b/src/ehd.c
38index 07c8099..b550613 100644
39--- a/src/ehd.c
40+++ b/src/ehd.c
41@@ -309,7 +309,7 @@ static int ehd_init_volume_luks(struct ehd_mount_request *rq,
42 lower_dev, strerror(-ret));
43 goto out;
44 }
45- ret = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, NULL,
46+ ret = crypt_format(cd, crypt_get_type(cd), cipher, cipher_mode, NULL, NULL,
47 (cont->keybits + CHAR_BIT - 1) / CHAR_BIT, &format_params);
48 if (ret < 0) {
49 fprintf(stderr, "crypt_format: %s\n", strerror(-ret));
diff --git a/debian/patches/series b/debian/patches/series
index 22fcc9d..8c1dfdc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,4 @@
12013-fix-doc-target12013-fix-doc-target
13014-allow-luserconf-outside-home13014-allow-luserconf-outside-home
140014-Don-t-compare-source-when-checking-if-it-s-already-m.patch140014-Don-t-compare-source-when-checking-if-it-s-already-m.patch
150015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch
diff --git a/debian/tests/control b/debian/tests/control
15new file mode 10064416new file mode 100644
index 0000000..7a02d06
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,3 @@
1Tests: local-luks
2Depends: @, cryptsetup, openssl, openssh-client, openssh-server
3Restrictions: allow-stderr, needs-root, isolation-machine
diff --git a/debian/tests/local-luks b/debian/tests/local-luks
0new file mode 1006444new file mode 100644
index 0000000..9471fd8
--- /dev/null
+++ b/debian/tests/local-luks
@@ -0,0 +1,61 @@
1#!/bin/bash
2set -uxe
3mkdir /etc/pam_mount_keys/
4echo -n alice > /etc/pam_mount_keys/alice.key
5echo "libpam-mount is working" > testfile
6
7createluks()
8{
9 local id=${1}
10 local type=${2}
11 local tdir=$(mktemp --directory)
12
13 fallocate -l 100M "/tmp/disk-l${id}.img"
14 cryptsetup luksFormat --batch-mode --verbose --force-password --key-file=/etc/pam_mount_keys/alice.key --type "${type}" "/tmp/disk-l${id}.img"
15 cryptsetup open --type "${type}" --batch-mode --verbose --key-file=/etc/pam_mount_keys/alice.key "/tmp/disk-l${id}.img" "img-luks${id}"
16 mkfs.ext4 -L "IMG-LUKS${id}" "/dev/mapper/img-luks${id}"
17 mount "/dev/mapper/img-luks${id}" "${tdir}"
18 cp testfile "${tdir}"
19 umount "/dev/mapper/img-luks${id}"
20 cryptsetup close "img-luks${id}"
21}
22
23checkluks()
24{
25 local id=${1}
26 local bckp=$(mktemp)
27
28 # backup and modify configuration
29 cp /etc/security/pam_mount.conf.xml "${bckp}"
30 sed -i -e 's/debug enable="0"/debug enable="1"/' /etc/security/pam_mount.conf.xml
31 sed -i -e "/<!-- Volume definitions -->/a<volume user='alice' path='/tmp/disk-l${id}.img' mountpoint='~/img-luks${id}' fstype='crypt' fskeycipher='none' fskeyhash='md5' fskeypath='/etc/pam_mount_keys/alice.key' />" /etc/security/pam_mount.conf.xml
32
33 # smoke tests the mount and if not working print debug from journal
34 ssh -o "StrictHostKeyChecking=no" -i test.key alice@localhost "ls -laF ~/img-luks${id}/testfile" || journalctl -xe -u ssh --no-pager
35
36 # make sure we are using an actual mount
37 ssh -o "StrictHostKeyChecking=no" -i test.key alice@localhost "mount" | grep img-luks${id}
38
39 # compare data on encrypted disk
40 ssh -o "StrictHostKeyChecking=no" -i test.key alice@localhost "cat ~/img-luks${id}/testfile" > "luks${id}"
41 cmp testfile "luks${id}"
42
43 # restore configuration
44 cp "${bckp}" /etc/security/pam_mount.conf.xml
45}
46
47# create user alice with PW alice
48sudo useradd -G users -m --password "$(openssl passwd -1 alice)" -s /bin/bash alice
49ssh-keygen -t rsa -N "" -f test.key
50mkdir -p ~alice/.ssh
51chown alice:alice ~alice/.ssh
52cp test.key.pub ~alice/.ssh/authorized_keys
53mkdir -p /home/alice/img-luks1 /home/alice/img-luks2
54chown alice:alice ~alice/.ssh/authorized_keys /home/alice/img-luks1 /home/alice/img-luks2
55
56# create LUKS devices with known content
57createluks 1 luks
58createluks 2 luks2
59
60checkluks 1
61checkluks 2

Subscribers

People subscribed via source and target branches