-
Notifications
You must be signed in to change notification settings - Fork 99
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[bug] pam_fscrypt hangs on login via xrdp #350
Comments
I messed around with a Go debugger (delve) to try to figure out where the issue was happening. I have little experience with Go, so I probably got one thing or another wrong, but I was able to generate this backtrace from the hung login process:
|
so something weird is happening when fscrypt is doing the password hashing with argon2. It seems like when all the memory gets allocated for the hashing, the runtime freezes. I have no idea why this would happen, but it seems to be happening in |
Maybe we need to build the PAM module in some sort of "single threaded" mode? But that might not work as we need threads to do the password hashing. |
This is the same deadlock in the Go runtime that I saw while investigating why The real bug here is that these programs ( Unfortunately, I don't see a way for |
Is there a way that pam_fscrypt can detect the situation, and peace out with a explanation if it's present? That would at least address the bad behavior, and put the onus back on the login application. As for xrdp, it apparently changed over to calling
So it's not even clear to me if (and how) this issue could be articulated to them as a bug in their handling of PAM. |
Maybe. Can you try #352 and see if it works to detect the issue with However, we can't detect the situation until Go code is already running, so it might be the case that you'll still just get a deadlock.
Well, neutrinolabs/xrdp#806 doesn't have any explanation, so it's not clear to me that it was the right thing to do. As far as I can tell, libpam has never supported the situation where a single PAM transaction is split among multiple processes. |
@josephlr, that systemd-service proposal looks pretty good. I especially appreciate this point:
@ebiggers, I'm happy to test patches. I've little experience with Go builds, but I can easily rebuild patched .deb packages from source, so there is little chance of getting that wrong. A possible solution to this (albeit not as comprehensive as the systemd-service route) might be to have pam_fscrypt fork/exec
were it not for |
Is there a plan to implement that solution? |
I have the exact same problem when trying to decrypt the filesystem vai slim. It works until "running passphrase hash for protextor 98324abff89034e" |
Anyone following this thread may be interested in this comment |
This issue may or may not relate to #323. I am investigating the use of xrdp + fscrypt.
I am observing that the pam_fscrypt module hangs after the user has authenticated, leaving the xrdp login process dead in the water. This is on Ubuntu, using a daily build of 22.04/jammy. The fscrypt packages are version 0.3.3-1, so they appear current.
I enabled the
debug
keyword on the module in/etc/pam.d/common-session
, and this is what/var/log/syslog
looks like:There, it stops. The process (xrdp-sesman) is not using CPU; it's not doing anything. Eventually, the login process times out with an error.
As this requires somewhat of a non-trivial setup to reproduce, I have put together an initialization script that will do all the work. Get a daily build of Ubuntu Live 22.04/jammy (I used a Xubuntu .iso for my testing), boot up the GUI environment, run this script as root, and then invoke xfreerdp as directed to trigger the bug.
(I can't say if the login will work once this bug is fixed; there may be other issues on the xrdp side. pam_fscrypt should at least be returning within a reasonable amount of time, however.)
The text was updated successfully, but these errors were encountered: