new desktop: first steps

Now that I have some idea of where I want to go with my new desktop, it's time to take a closer look at all the components and see if I can get them to work.

On my home computer, I have VMware Server installed, which I will use to install a test computer and try out the various components.

Then, when I'm happy with how all components work together, I'll install it on my laptop.

At work I have VMware Workstation, which allows me to take snapshots at regular intervals. I don't seem to have that functionality in VMware Server and I think that's bad :( But I'll try to live with it.

While I'm downloading the Ubuntu Desktop 6.10 ISO, I've been thinking about which component to start with. I will need VPN, Asterisk, subversion and an encrypted filesystem.

I decided to start with the encrypted filesystem, since it's the only component I need that doesn't require me to set up some server to test with.

On my old Debian installation on my laptop, I use cryptsetup to encrypt an entire filesystem. This guy followed the same path and complains about not being able to resize the encrypted filesystem. You create it with a fixed size and you're stuck with it. Fair enough. But that's not the reason I would go with EncFS. When I log into Ubuntu, I want my encrypted filesystem/directory ready for use. I don't want a separate script to enable it or anything. Mounting filesystems at login is done with the PAM framework, and it so happens that EncFS has a PAM plugin.

Alright, Ubuntu finally installed and I created a snapshot. The first thing to do, in order to install encfs and libpam-encfs, is to enable universe and multiverse in /etc/apt/sources.list. Then run apt-get update and apt-get install encfs libpam-encfs.

Apparently, the fuse kernel module is put into /etc/modules automatically. But it doesn't hurt to modprobe it to make sure.

Now comes the fun part, trying out this encfs thing.
The main tool seems to be "encfs". Before being able to use an encfs, you need to create one. Encfs uses 2 directories: one where it stores the encrypted data, another where it mounts the unencrypted view. Both directories need to be passed as absolute paths.

In my case, I created /home/deepstar/test/encrypted and /home/deepstar/test/mounted and ran "encfs /home/deepstar/test/encrypted /home/deepstar/test/mounted".
When it asked to enter an option, I went for the paranoia one ;)
After entering a password (the same as my login password, this is important to get PAM working later on), encfs complained about "permission denied" and the kernel module not being loaded.

Apparently, I had to run this as root with sudo. When I tried again (adding sudo in front), it worked and didn't ask to create anything this time. This means the whole creation process was successful as non-root, but I was unable to mount it until I used sudo.

Anyway. The permissions on this new directory are not ok since I can't go in the directory as a regular user. Root can add files in it and they are encrypted. So far so good :)

The problem with the permissions seems to be because my regular user was not part of the fuse group. I added it with "adduser deepstar fuse" and then restarted X (logging out and logging in again).

Encfs still complains, but this time because the permissions on /dev/fuse are wrong. (Who wrote this stuff anyways?!)
"chown root.fuse /dev/fuse" will fix that, but probably only temporarily, because Ubuntu uses udev, which regenerates /dev every time you reboot.

An interesting property of Encfs seems to be that only the owner of the filesystem can actually use it. Any other user (including root!) can't look into the unencrypted filesystem and can't even query metadata like file modes or sizes.

Now that the encfs exists, I can look at the PAM settings. According to the documentation in /usr/share/doc/libpam_encfs, I need to edit /etc/pam.d/common-auth. I added this line in front of pam_unix.so:

auth sufficient pam_encfs.so


and appended "use_first_pass" to the pam_unix.so line.

Source: http://choffee.co.uk/ramble/2006/06/02/paranoia-at-home/

The original documentation also advises to unmount the filesystem on logout, but mentions that this will happen automagically after 1 minute if using the default configuration in /etc/security/pam_encfs.conf

According to the link above, I should edit /etc/security/pam_encfs.conf and change allow_other to allow_root.
Then /home/.enc should be created, mounted to /var/tmp/deepstar, unmounted.
At the next login everything should work fine, but it doesn't. I can't even login now :)

[update lots of hours later]

Alright, it's got me pretty pissed now.
Here are the files that you need to check in order to get things working:


/dev/fuse ... make sure permissions and owner are correct
fuse kernel module ... should be loaded
source mountpoint ... make sure all files are owned by the user who owns the encrypted share
destination mountpoint ... make sure it is empty and owned by the user who owns the encrypted share
/etc/pam.d/common-auth ... should contain "auth sufficient pam_encfs.so" and "use_first_pass" after pam_unix.so
/etc/pam.d/common-session ... should have "session required pam_encfs.so" as first line
/etc/fuse.conf ... should have "user_allow_other" in it, without the quotes
/etc/security/pam_encfs.conf ... should include full username, source and destination paths and have allow_root instead of allow_other
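To go through that checklist without eyeballing every file, here is a small POSIX sh script (an added example, not part of the original post or of the encfs/pam_encfs projects). Each check_* function takes the file or directory to inspect as an argument so it can be run against test copies; the "user source destination ..." layout of pam_encfs.conf, and the paths and username in run_checks(), are taken from this post and are assumptions to adjust for your own system.

```shell
# common-auth: pam_encfs.so must come before pam_unix.so, and pam_unix.so must
# carry use_first_pass so it reuses the password pam_encfs already consumed.
check_common_auth() {
    enc=$(grep -En '^auth[[:space:]]+sufficient[[:space:]]+pam_encfs\.so' "$1" | head -n1 | cut -d: -f1)
    unx=$(grep -En '^auth[[:space:]].*pam_unix\.so' "$1" | head -n1 | cut -d: -f1)
    [ -n "$enc" ] && [ -n "$unx" ] && [ "$enc" -lt "$unx" ] || return 1
    grep -Eq '^auth[[:space:]].*pam_unix\.so.*use_first_pass' "$1"
}
# common-session: first non-comment line must be "session required pam_encfs.so".
check_common_session() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | head -n1 |
        grep -Eq '^session[[:space:]]+required[[:space:]]+pam_encfs\.so'
}
# fuse.conf: user_allow_other present and not commented out.
check_fuse_conf() { grep -Eq '^[[:space:]]*user_allow_other' "$1"; }
# pam_encfs.conf: a line for the user with absolute source and destination
# ("user source destination ..." layout assumed from the post), allow_root
# present and no uncommented allow_other left anywhere in the file.
check_pam_encfs_conf() {
    line=$(grep -E "^$2[[:space:]]" "$1" | head -n1)
    [ -n "$line" ] || return 1
    case "$(echo "$line" | awk '{print $2}')" in /*) ;; *) return 1 ;; esac
    case "$(echo "$line" | awk '{print $3}')" in /*) ;; *) return 1 ;; esac
    grep -Ev '^[[:space:]]*#' "$1" | grep -q allow_other && return 1
    grep -Ev '^[[:space:]]*#' "$1" | grep -q allow_root
}
# destination mountpoint: must exist, be empty and be owned by the user (name or uid).
check_mountpoint() {
    [ -d "$1" ] && [ -z "$(ls -A "$1")" ] && [ -n "$(find "$1" -prune -user "$2")" ]
}
# /dev/fuse owned root:fuse and the fuse module loaded (Linux-only checks).
check_dev_fuse() {
    [ "$(ls -l /dev/fuse 2>/dev/null | awk '{print $3 ":" $4}')" = "root:fuse" ] &&
        grep -q '^fuse ' /proc/modules 2>/dev/null
}
report() { if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }
# Apply everything to the paths and user this post uses; adjust for your system.
run_checks() {
    report check_dev_fuse
    report check_common_auth /etc/pam.d/common-auth
    report check_common_session /etc/pam.d/common-session
    report check_fuse_conf /etc/fuse.conf
    report check_pam_encfs_conf /etc/security/pam_encfs.conf deepstar
    report check_mountpoint /home/deepstar deepstar
}
```

Source the file and call run_checks as the user who owns the share; a FAIL line names the exact item from the list above that still needs fixing.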


In case of problems, you can login to localhost with ssh and try to mount the share manually with "encfs /home/deepstarenc /home/deepstar -- -o allow_root"
It should print out what is wrong...


OK, now things work when I log in with SSH, but not when I use gdm (graphical login screen). The problem seems to be

** (gnome-session:4289): WARNING **: Unable to lock ICE authority file: /home/deepstar/.ICEauthority


I fixed it with a tip from this site:

The trick is the right one, but the file where it is applied is not. In fact you need to edit the file

/etc/gdm/Xsession

somewhere in a convenient place (I did it right after PROGNAME=Xsession) you add:

Quote:
ICEAUTHORITY="tmp/ICEauthority-${user}"
export ICEAUTHORITY


But that tip seems to contain a typo (no / before tmp/ICEauthority).
I added these lines right after "PROGNAME=Xsession" in /etc/gdm/Xsession:

ICEAUTHORITY="/tmp/ICEauthority-${user}"
export ICEAUTHORITY


And now it works!