Ubuntu
libpam-mount package

Merge ~paelzer/ubuntu/+source/libpam-mount:lp-1804408-LUKS2-support-bionic into ubuntu/+source/libpam-mount:ubuntu/bionic-devel

  1. Git
  2. lp:~paelzer/ubuntu/+source/libpam-mount
  3. lp-1804408-LUKS2-support-bionic
  4. Merge into ubuntu/bionic-devel
Proposed by Christian Ehrhardt 
Status: Merged
Approved by: Andreas Hasenack
Approved revision: 5c0a7edb8fe83691c7921d56f26b4a5eab8ae5bc
Merge reported by: Christian Ehrhardt 
Merged at revision: a88b66d8151dad0663e96c203e76d564ef031e35
Proposed branch: ~paelzer/ubuntu/+source/libpam-mount:lp-1804408-LUKS2-support-bionic
Merge into: ubuntu/+source/libpam-mount:ubuntu/bionic-devel
Diff against target: 157 lines (+123/-0)
5 files modified
debian/changelog (+9/-0)
debian/patches/0015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch (+49/-0)
debian/patches/series (+1/-0)
debian/tests/control (+3/-0)
debian/tests/local-luks (+61/-0)
Reviewer Review Type Date Requested Status
Andreas Hasenack Approve
Canonical Server Pending
git-ubuntu developers Pending
Review via email: mp+362811@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

PPA available at: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3635

I added autopkgtests as I realized what I wrote for the bug would almost already make a good test.
For Disco I'd not upload the tests as Delta, but instead open them as MP/Bug to Debian to be included there. Only if there is no activity I'd consider adding a Delta.

But lets get a review here first :-)

The PPA worked on my box as outlined in the SRU template.

Tests will run soon (the PPA just rebuilds) and will be available in Bileto then.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

I added an dep8 test for some extra confidence
Result example:
Cosmic with fix: http://paste.ubuntu.com/p/nfwBTqBdP9/
Cosmic without: http://paste.ubuntu.com/p/2rzYZJ3RYJ/
Bionic with fix: http://paste.ubuntu.com/p/WwFDY99dNh/

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

For Disco I submitted the test to Debian https://salsa.debian.org/debian/libpam-mount/merge_requests/1

~paelzer/ubuntu/+source/libpam-mount:lp-1804408-LUKS2-support-bionic updated
5c0a7ed... by Christian Ehrhardt 

there is no Debian bug for lp 1804408, remove Bug-Debian

Signed-off-by: Christian Ehrhardt <email address hidden>

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

+1, same suggestions as with the cosmic mp.

review: Approve
~paelzer/ubuntu/+source/libpam-mount:lp-1804408-LUKS2-support-bionic updated
6722b92... by Christian Ehrhardt 

d/t/local-luks: also check for an active mount

Signed-off-by: Christian Ehrhardt <email address hidden>

a88b66d... by Christian Ehrhardt 

changelog: mark dep8 bug as fixed by the new autopkgtest

Signed-off-by: Christian Ehrhardt <email address hidden>

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/debian/changelog b/debian/changelog
index 27b42da..704ab48 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
1libpam-mount (2.16-3ubuntu0.1) bionic; urgency=medium
2
3 * d/p/0015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch:
4 allow more than just LUKS1 by detecting the type (LP: #1804408)
5 * d/tests/control, d/tests/local-luks: add autopkgtest for luks1/luks2
6 automount on user login. (LP: #1679327)
7
8 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Wed, 06 Feb 2019 10:02:48 +0100
9
1libpam-mount (2.16-3build2) bionic; urgency=high10libpam-mount (2.16-3build2) bionic; urgency=high
211
3 * No change rebuild against openssl1.1.12 * No change rebuild against openssl1.1.
diff --git a/debian/patches/0015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch b/debian/patches/0015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch
4new file mode 10064413new file mode 100644
index 0000000..de3095c
--- /dev/null
+++ b/debian/patches/0015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch
@@ -0,0 +1,49 @@
1From: Jochen Sprickerhof <git@jochen.sprickerhof.de>
2Date: Sun, 30 Sep 2018 18:48:33 +0200
3Subject: Use crypt_get_type to get type and support CRYPT_LUKS2 as well
4
5Origin: debian, https://git.launchpad.net/ubuntu/+source/libpam-mount/plain/debian/patches/0015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch
6
7Bug-Ubuntu: https://bugs.launchpad.net/bugs/1804408
8Last-Update: 2019-02-06
9
10---
11 src/crypto-dmc.c | 4 ++--
12 src/ehd.c | 2 +-
13 2 files changed, 3 insertions(+), 3 deletions(-)
14
15diff --git a/src/crypto-dmc.c b/src/crypto-dmc.c
16index d0ab6ca..4754c2d 100644
17--- a/src/crypto-dmc.c
18+++ b/src/crypto-dmc.c
19@@ -48,7 +48,7 @@ EXPORT_SYMBOL int ehd_is_luks(const char *path, bool blkdev)
20
21 ret = crypt_init(&cd, device);
22 if (ret == 0) {
23- ret = crypt_load(cd, CRYPT_LUKS1, NULL);
24+ ret = crypt_load(cd, crypt_get_type(cd), NULL);
25 if (ret == -EINVAL)
26 ret = false;
27 else if (ret == 0)
28@@ -106,7 +106,7 @@ static bool dmc_run(const struct ehd_mount_request *req,
29 #endif
30 }
31
32- ret = crypt_load(cd, CRYPT_LUKS1, NULL);
33+ ret = crypt_load(cd, crypt_get_type(cd), NULL);
34 if (ret == 0) {
35 ret = crypt_activate_by_passphrase(cd, mt->crypto_name,
36 CRYPT_ANY_SLOT, req->key_data, req->key_size, flags);
37diff --git a/src/ehd.c b/src/ehd.c
38index 07c8099..b550613 100644
39--- a/src/ehd.c
40+++ b/src/ehd.c
41@@ -309,7 +309,7 @@ static int ehd_init_volume_luks(struct ehd_mount_request *rq,
42 lower_dev, strerror(-ret));
43 goto out;
44 }
45- ret = crypt_format(cd, CRYPT_LUKS1, cipher, cipher_mode, NULL, NULL,
46+ ret = crypt_format(cd, crypt_get_type(cd), cipher, cipher_mode, NULL, NULL,
47 (cont->keybits + CHAR_BIT - 1) / CHAR_BIT, &format_params);
48 if (ret < 0) {
49 fprintf(stderr, "crypt_format: %s\n", strerror(-ret));
diff --git a/debian/patches/series b/debian/patches/series
index 165cd52..28cfaca 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@
110011-Fix-fd0ssh-name-according-to-version-in-hxtools.patch110011-Fix-fd0ssh-name-according-to-version-in-hxtools.patch
12013-fix-doc-target12013-fix-doc-target
13014-allow-luserconf-outside-home13014-allow-luserconf-outside-home
140015-Use-crypt_get_type-to-get-type-and-support-CRYPT_LUK.patch
diff --git a/debian/tests/control b/debian/tests/control
14new file mode 10064415new file mode 100644
index 0000000..7a02d06
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,3 @@
1Tests: local-luks
2Depends: @, cryptsetup, openssl, openssh-client, openssh-server
3Restrictions: allow-stderr, needs-root, isolation-machine
diff --git a/debian/tests/local-luks b/debian/tests/local-luks
0new file mode 1006444new file mode 100644
index 0000000..9471fd8
--- /dev/null
+++ b/debian/tests/local-luks
@@ -0,0 +1,61 @@
1#!/bin/bash
2set -uxe
3mkdir /etc/pam_mount_keys/
4echo -n alice > /etc/pam_mount_keys/alice.key
5echo "libpam-mount is working" > testfile
6
7createluks()
8{
9 local id=${1}
10 local type=${2}
11 local tdir=$(mktemp --directory)
12
13 fallocate -l 100M "/tmp/disk-l${id}.img"
14 cryptsetup luksFormat --batch-mode --verbose --force-password --key-file=/etc/pam_mount_keys/alice.key --type "${type}" "/tmp/disk-l${id}.img"
15 cryptsetup open --type "${type}" --batch-mode --verbose --key-file=/etc/pam_mount_keys/alice.key "/tmp/disk-l${id}.img" "img-luks${id}"
16 mkfs.ext4 -L "IMG-LUKS${id}" "/dev/mapper/img-luks${id}"
17 mount "/dev/mapper/img-luks${id}" "${tdir}"
18 cp testfile "${tdir}"
19 umount "/dev/mapper/img-luks${id}"
20 cryptsetup close "img-luks${id}"
21}
22
23checkluks()
24{
25 local id=${1}
26 local bckp=$(mktemp)
27
28 # backup and modify configuration
29 cp /etc/security/pam_mount.conf.xml "${bckp}"
30 sed -i -e 's/debug enable="0"/debug enable="1"/' /etc/security/pam_mount.conf.xml
31 sed -i -e "/<!-- Volume definitions -->/a<volume user='alice' path='/tmp/disk-l${id}.img' mountpoint='~/img-luks${id}' fstype='crypt' fskeycipher='none' fskeyhash='md5' fskeypath='/etc/pam_mount_keys/alice.key' />" /etc/security/pam_mount.conf.xml
32
33 # smoke tests the mount and if not working print debug from journal
34 ssh -o "StrictHostKeyChecking=no" -i test.key alice@localhost "ls -laF ~/img-luks${id}/testfile" || journalctl -xe -u ssh --no-pager
35
36 # make sure we are using an actual mount
37 ssh -o "StrictHostKeyChecking=no" -i test.key alice@localhost "mount" | grep img-luks${id}
38
39 # compare data on encrypted disk
40 ssh -o "StrictHostKeyChecking=no" -i test.key alice@localhost "cat ~/img-luks${id}/testfile" > "luks${id}"
41 cmp testfile "luks${id}"
42
43 # restore configuration
44 cp "${bckp}" /etc/security/pam_mount.conf.xml
45}
46
47# create user alice with PW alice
48sudo useradd -G users -m --password "$(openssl passwd -1 alice)" -s /bin/bash alice
49ssh-keygen -t rsa -N "" -f test.key
50mkdir -p ~alice/.ssh
51chown alice:alice ~alice/.ssh
52cp test.key.pub ~alice/.ssh/authorized_keys
53mkdir -p /home/alice/img-luks1 /home/alice/img-luks2
54chown alice:alice ~alice/.ssh/authorized_keys /home/alice/img-luks1 /home/alice/img-luks2
55
56# create LUKS devices with known content
57createluks 1 luks
58createluks 2 luks2
59
60checkluks 1
61checkluks 2

Subscribers

People subscribed via source and target branches