pam: implement a zfs_key pam module

[felixdoerre]

Implements a pam module for automatically loading zfs encryption keys for home datasets. Currently the pam module does:

• load a zfs key and mounts the dataset when a session opens
• unmounts the dataset and unloads the key when the session closes
• when the user is logged on and changes the password, the modules
  changes the encryption key.
  See also implement pam_zfs_key #9886

How Has This Been Tested?

I've tested this locally after compiling with:

CFLAGS += -Wall -pedantic
# Mark libspl and libzfs as system header to disable compiliner warnings inside these headers.
CFLAGS += -isystem /usr/include/libspl -isystem /usr/include/libzfs
# automatically discover other include libraries
CFLAGS += $(shell pkg-config --cflags libzfs)
LDFLAGS += -lcrypto $(shell pkg-config --libs libzfs) -Wl,--as-needed

pam_zfs_key.so: pam_zfs_key.c
        $(CC) $(CPPFLAGS) $(CFLAGS) -fPIC -shared $^ $(LDFLAGS) -o $@

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the ZFS on Linux code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• I have run the ZFS Test Suite with this change applied.
• All commit messages are properly formatted and contain Signed-off-by.

[felixdoerre]

@behlendorf do you already have some feedback for this? Do you have some hints on how to include this into the overall building process?
Locally (for testing on debian unstable), I have installed the module like this:

$ ls /lib/x86_64-linux-gnu/security/pam_zfs_key.so 
/lib/x86_64-linux-gnu/security/pam_zfs_key.so
$ cat /usr/share/pam-configs/zfs_key
Name: Unlock zfs datasets for user
Default: yes
Priority: 128
Auth-Type: Additional
Auth:
	optional	pam_zfs_key.so
Session-Interactive-Only: yes
Session-Type: Additional
Session:
	optional	pam_zfs_key.so
Password-Type: Additional
Password:
	optional	pam_zfs_key.so

and then installed it with pam-auth-update into the system-wide pam configuration. Where would we include such config files?

[codecov]

Codecov Report

Merging #9903 into master will decrease coverage by 13%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #9903      +/-   ##
==========================================
- Coverage      79%      66%     -13%     
==========================================
  Files         386      304      -82     
  Lines      122448   105121   -17327     
==========================================
- Hits        97036    69899   -27137     
- Misses      25412    35222    +9810

Flag	Coverage Δ
#kernel	?
#user	66% <ø> (ø)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ca7ea23...85b5f20. Read the comment docs.

[InsanePrawn]

Thanks for tackling this!

Just FYI, I came across this repository recently: https://github.com/BenKerry/zfscrypt

[felixdoerre]

I have updated the PAM module to:

• do ref-counting when a user opens multiple sessions
• do nothing for users with uid < 1000
• there is a minimal build-configuration in the automake build system, that at least builds the module. Additional work is needed to install this module correctly.
  On Debian this is required for installation:
• install the shared library to /lib/<arch-specifier>/security/pam_zfs_key.so
• install pam-config-zfs_key to /usr/share/pam-configs/zfs_key, so that this module can be automatically enabled by pam-auth-update.
  @behlendorf can you help me with the build system to install this module correctly?
  (additionally I've ensured that the code is correctly formatted)

[felixdoerre]

It seems most of the build-servers miss pam development headers. On debian they are in libpam0g-dev. How can I ensure they are installed? Or do we want the pam module to be excluded from CI?

[behlendorf]

On debian they are in libpam0g-dev. How can I ensure they are installed?

I've opened PR openzfs/zfs-buildbot#181 against the zfs-buildbot repository which adds the missing dependency. Can you just confirm that we don't need anything else besides the libpam0g-dev / pam-devel packages?

We definitely want to make sure this gets build by the CI. It would be good if we could also perform some basic testing with it. But I'm not sure how easy it would be to automate this kind of testing.

[jengelh]

Distributions might possibly put these in separate subpackages.

[felixdoerre]

so you would suggest to move them to a libpam_zfs_key and pam_zfs_key package in a new files -n-section

[felixdoerre]

Thanks @jengelh for your review! I (hopefully) resolved the missing error checks and replied with some quick follow-up questions.

[felixdoerre]

The reason for which I needed/added these new processes/forks was that they were required for mounting to work. Otherwise I would receive an error:

mount: only root can use the --no-canonicalize option

as a note: (regarding child processes) libzfs already invokes a child process on linux to do the real mount anyways:

zfs/lib/libzfs/os/linux/libzfs_mount_os.c

Line 302 in 4bc7219

do_mount(const char *src, const char *mntpt, char *opts, int flags)

so we should rewrite the zfsutil code to use libmount1 instead of spawning a real mount process?

[felixdoerre]

so you would suggest to move them to a libpam_zfs_key and pam_zfs_key package in a new files -n-section

[plumbeo]

Hi @felixdoerre, could you make unmounting the dataset and unloading the key at the end of the session optional (like pam_fscrypt does, for example)? It’s not the common case and it certainly shouldn’t be the default but It could be useful in some situations.

[valpackett]

Would it be possible to use the ZFS passphrase as the only password? i.e. password required pam_zfs_key.so and no password hash in /etc at all, and we're authenticated when the zfs dataset is successfully unlocked?

[felixdoerre]

@myfreeweb Although this is currently not implemented, I believe this this could be possible. One would call lzc_load_key with noop = B_TRUE to validate the password. However, I am not really sure how this would be communicated back to pam, and if a hybrid solution is possible (password for system users with uid < 1000 or without a home dataset in /etc/shadow and other passwords disabled in /etc/shadow and managed as zfs dataset keys) and which one would take precedence when both passwords are set.

[valpackett]

with noop = B_TRUE to validate the password

Is it currently not unlocking at password stage? If it is, I don't see why it would have to be a separate no-op check, wouldn't it be possible to directly answer "yes" when the unlock has succeeded?

if a hybrid solution is possible

Isn't that just how PAM works in general? I would expect all modules to be queried in config order, until one of them says yes.

[felixdoerre]

password checking still needs to work when the dataset is unlocked. I believe you need noop = B_TRUE to check the password when the key is already loaded.

[behlendorf]

See previous comment.

[behlendorf]

See previous comment.

[behlendorf]

It would be great if you could also rebase this on the latest version of master.

[ghost]

We can improve the FreeBSD logging later.