[Kernel-packages] [Bug 1377924] Re: ecryptfs fails to mount (Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING)
The reason for the failure seems to be in default configuration of PAM for SSH. If I understand correctly, PAM is configured to enforce session keys revocation upon termination of parent SSHD process: --- /etc/pam.d/sshd --- ... # Create a new session keyring. sessionoptional pam_keyinit.so force revoke ... --- Some environments connect using ssh and then detach from it, which probably causes session key termination. As a workaround I propose commenting out force revoke in /etc/pam.d/sshd. Note: There might be security related repercussions! ** Package changed: apparmor (Ubuntu) = pam (Ubuntu) ** Package changed: linux (Ubuntu) = x2goclient (Ubuntu) ** Changed in: x2goclient (Ubuntu) Status: Opinion = Confirmed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1377924 Title: ecryptfs fails to mount (Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING) Status in openssh package in Ubuntu: Confirmed Status in pam package in Ubuntu: Confirmed Status in x2goclient package in Ubuntu: Confirmed Bug description: This is a reincarnation of Bug #1234412. Looks like issue is not related to specific kernel versions. Currently I am observing two Trusty (14.04) machines, with very close configuration, running same kernel: 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64. One is able to mount without the problem but the other is refusing: $ mount -t ecryptfs sec sec Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING; there is something wrong with your kernel keyring. Did you build key retention support into your kernel? To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1377924/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1377924] Re: ecryptfs fails to mount (Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING)
I've learned that the issue is not related to kernel version but caused
by environment under which mount is executed.
On my systems (14.04), it fails when executed inside x2go session but
manages to operate when connected via physical VT or SSH.
May be it's related to apparmor, but how x2go and ssh are different in that
perspective? They both spawned as by sshd.
Also additional environments like vnc and rdp might be affected.
Below is strace of failing attempt.
===
ecryptfs-add-passphrase --fnek works but mount fails:
===
sudo strace mount -o
no_sig_cache,ecryptfs_passthrough=no,ecryptfs_enable_filename_crypto=yes,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,passwd=dummy,ecryptfs_sig=,ecryptfs_fnek_sig=yyy
-t ecryptfs /media/storage/backup/home/.ecryptfs/user/.Private
/media/storage/backup/home/user
...
stat(/sbin/mount.ecryptfs, {st_mode=S_IFREG|0755, st_size=25880, ...}) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD,
child_tidptr=0x7fb366a0bb50) = 11423
wait4(-1, Unable to link the KEY_SPEC_USER_KEYRING into the
KEY_SPEC_SESSION_KEYRING; there is something wrong with your kernel keyring.
Did you build key retention support into your kernel?
[{WIFEXITED(s) WEXITSTATUS(s) == 251}], 0, NULL) = 11423
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=11423, si_status=251,
si_utime=0, si_stime=1} ---
exit_group(251) = ?
+++ exited with 251 +++
===
** Changed in: linux (Ubuntu)
Status: Incomplete = Opinion
** Also affects: apparmor
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1377924
Title:
ecryptfs fails to mount (Unable to link the KEY_SPEC_USER_KEYRING into
the KEY_SPEC_SESSION_KEYRING)
Status in “apparmor” package in Ubuntu:
New
Status in “linux” package in Ubuntu:
Opinion
Status in “openssh” package in Ubuntu:
New
Bug description:
This is a reincarnation of Bug #1234412.
Looks like issue is not related to specific kernel versions.
Currently I am observing two Trusty (14.04) machines, with very close
configuration, running same kernel:
3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64.
One is able to mount without the problem but the other is refusing:
$ mount -t ecryptfs sec sec
Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING;
there is something wrong with your kernel keyring. Did you build key retention
support into your kernel?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1377924/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1377924] Re: ecryptfs fails to mount (Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING)
I am also getting this error, and like Eugene says, it seems to be dependent on the environment in which the mount command is executed. I attempted to mount from inside a tmux session, and the mount failed. I detached from the tmux session, issued the very same mount command in a plain ssh terminal, and the mount succeeded. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1377924 Title: ecryptfs fails to mount (Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING) Status in “apparmor” package in Ubuntu: Confirmed Status in “linux” package in Ubuntu: Opinion Status in “openssh” package in Ubuntu: Confirmed Bug description: This is a reincarnation of Bug #1234412. Looks like issue is not related to specific kernel versions. Currently I am observing two Trusty (14.04) machines, with very close configuration, running same kernel: 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64. One is able to mount without the problem but the other is refusing: $ mount -t ecryptfs sec sec Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING; there is something wrong with your kernel keyring. Did you build key retention support into your kernel? To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1377924/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1377924] Re: ecryptfs fails to mount (Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING)
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: openssh (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1377924 Title: ecryptfs fails to mount (Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING) Status in “apparmor” package in Ubuntu: Confirmed Status in “linux” package in Ubuntu: Opinion Status in “openssh” package in Ubuntu: Confirmed Bug description: This is a reincarnation of Bug #1234412. Looks like issue is not related to specific kernel versions. Currently I am observing two Trusty (14.04) machines, with very close configuration, running same kernel: 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64. One is able to mount without the problem but the other is refusing: $ mount -t ecryptfs sec sec Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING; there is something wrong with your kernel keyring. Did you build key retention support into your kernel? To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1377924/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1377924] Re: ecryptfs fails to mount (Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING)
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: apparmor (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1377924 Title: ecryptfs fails to mount (Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING) Status in “apparmor” package in Ubuntu: Confirmed Status in “linux” package in Ubuntu: Opinion Status in “openssh” package in Ubuntu: Confirmed Bug description: This is a reincarnation of Bug #1234412. Looks like issue is not related to specific kernel versions. Currently I am observing two Trusty (14.04) machines, with very close configuration, running same kernel: 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64. One is able to mount without the problem but the other is refusing: $ mount -t ecryptfs sec sec Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING; there is something wrong with your kernel keyring. Did you build key retention support into your kernel? To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1377924/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1377924] Re: ecryptfs fails to mount (Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING)
Does this issue go away if you boot an earlier kernel version? ** Changed in: linux (Ubuntu) Importance: Undecided = High -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1377924 Title: ecryptfs fails to mount (Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING) Status in “linux” package in Ubuntu: Incomplete Bug description: This is a reincarnation of Bug #1234412. Looks like issue is not related to specific kernel versions. Currently I am observing two Trusty (14.04) machines, with very close configuration, running same kernel: 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64. One is able to mount without the problem but the other is refusing: $ mount -t ecryptfs sec sec Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING; there is something wrong with your kernel keyring. Did you build key retention support into your kernel? To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1377924/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1377924] Re: ecryptfs fails to mount (Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING)
Would it be possible for you to test the latest upstream kernel? Refer to https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the latest v3.17 kernel[0]. If this bug is fixed in the mainline kernel, please add the following tag 'kernel-fixed-upstream'. If the mainline kernel does not fix this bug, please add the tag: 'kernel-bug-exists-upstream'. If you are unable to test the mainline kernel, for example it will not boot, please add the tag: 'kernel-unable-to-test-upstream'. Once testing of the upstream kernel is complete, please mark this bug as Confirmed. Thanks in advance. [0] http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.17-utopic/ ** Tags added: kernel-da-key -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1377924 Title: ecryptfs fails to mount (Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING) Status in “linux” package in Ubuntu: Incomplete Bug description: This is a reincarnation of Bug #1234412. Looks like issue is not related to specific kernel versions. Currently I am observing two Trusty (14.04) machines, with very close configuration, running same kernel: 3.13.0-36-generic #63-Ubuntu SMP Wed Sep 3 21:30:07 UTC 2014 x86_64. One is able to mount without the problem but the other is refusing: $ mount -t ecryptfs sec sec Unable to link the KEY_SPEC_USER_KEYRING into the KEY_SPEC_SESSION_KEYRING; there is something wrong with your kernel keyring. Did you build key retention support into your kernel? To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1377924/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
