ZFS Encrypted ZFS HOME keys not loaded on ssh

Hi,
Fresh installation of 14.1-RELEASE, picked encrypted ZFS home directory (user created during installation). After logging in via ssh to the newly installed machine, my user home directory is still encrypted. After
Code:
zfs load-key zroot/home/xxx
the key shown as available but /home/xxx still owned by root:wheel. What am I missing?
 
What am I missing?
The zroot/home/xxx data set must be mounted.

Example, loading the key and mounting the data set together (as root or with root privileges as user): zfs mount -l zroot/home/xxx

It seems automatically created ZFS encrypted user home data sets are in an experimental state for now.

>14.1 adduser(8) provides an option to create them, but the user cannot mount the <pool>/home/<user> data set without elevated privileges (su(1), security/sudo, security/doas, security/super).

The user is provided with the ZFS delegated "mount" permission, but when zfs-mount(8) is executed, permission is denied.

/usr/sbin/adduser
Code:
# set_zfs_perms
#   Give new user ownership of newly created zfs dataset.
#
set_zfs_perms() {
        if ! ${ZFSCMD} allow "${username}" create,destroy,mount,snapshot "${zhome}"; then
                err "There was an error setting permissions on ZFS dataset (${zhome})."
                return 1
        fi
}

Code:
 # zfs allow zroot/home/xxx
---- Permissions on zroot/home/xxx ----------------------------------
Local+Descendent permissions:
    user xxx create,destroy,mount,snapshot
I haven't figured out why zfs-mount(8) returns insufficient privileges (zfs mount -l zroot/home/<user>).
The user is in the "operator" group and vfs.usermount=1.

Furthermore, to load and unload the passphrase key, the "load-key" permission is not set. See zfs-allow(8) for details.
The "load-key" permission can be set manually, but it doesn't do any good while the "mount" permission is denied, even though it's set.

Next obstacle: decrypt and mount the <pool>/home/<user> data set with the user name at login.

To configure it, a PAM module must be set up manually, see https://forums.freebsd.org/threads/...irectory-decrypted-at-login.86819/post-585115, and it has some drawbacks, see under "Not working".

As I said, the whole concept looks experimental.
 
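As an added illustration (not code from the thread or from FreeBSD's adduser), here is a small POSIX sh helper that does the check the post above describes: it tells a loaded key apart from a mounted dataset, tries the two steps of "zfs mount -l" separately so the failing one is named, and on the root side delegates the permission set adduser(8) grants plus the load-key permission the post notes is missing. The pool name zroot and the <pool>/home/<user> layout follow the thread; the function names are mine. Whether the delegated mount actually succeeds for an unprivileged user on FreeBSD is exactly what the post reports as failing, so unlock_home reports that failure rather than assuming it works.

```shell
#!/bin/sh
# Added example: inspect and unlock an encrypted ZFS home dataset.
# Not part of the thread or of /usr/sbin/adduser. Assumes the layout
# the thread uses, <pool>/home/<user>, with the pool name "zroot".
set -e

POOL="${POOL:-zroot}"

# Map a user name to its home dataset, e.g. jane -> zroot/home/jane.
home_dataset() {
    printf '%s/home/%s\n' "$POOL" "$1"
}

# Read one property value (-H: no header, -o value: value column only).
zprop() {
    zfs get -H -o value "$2" "$1"
}

# One-line state summary: "<encryption> <keystatus> <mounted>".
# "aes-256-gcm available no" is the OP's situation: key loaded, dataset
# still not mounted, so /home/<user> is the empty mount point owned by
# root:wheel.
home_state() {
    ds=$(home_dataset "$1")
    printf '%s %s %s\n' \
        "$(zprop "$ds" encryption)" \
        "$(zprop "$ds" keystatus)" \
        "$(zprop "$ds" mounted)"
}

# Load the key if needed, then mount if needed. Returns 0 only when the
# dataset is mounted at the end. Same effect as "zfs mount -l", but each
# step is reported on its own, which is what you want when the delegated
# "mount" permission is denied despite being set.
unlock_home() {
    ds=$(home_dataset "$1")
    case "$(zprop "$ds" keystatus)" in
        none)
            echo "$ds: not encrypted, nothing to unlock" >&2 ;;
        unavailable)
            zfs load-key "$ds" || {
                echo "$ds: load-key failed (no delegated load-key permission?)" >&2
                return 1
            } ;;
        available)
            : ;;  # key already loaded, e.g. after a manual "zfs load-key"
    esac
    if [ "$(zprop "$ds" mounted)" != yes ]; then
        zfs mount "$ds" || {
            echo "$ds: mount failed (the thread reports permission denied here)" >&2
            return 1
        }
    fi
    [ "$(zprop "$ds" mounted)" = yes ]
}

# Root side: the permission set adduser(8) delegates, plus load-key,
# which the post notes is not delegated. See zfs-allow(8).
delegate_home_perms() {
    zfs allow "$1" create,destroy,mount,snapshot,load-key "$(home_dataset "$1")"
}
```

Run home_state first; if it shows "available no", the key is loaded and only the mount is missing, which is the OP's case. unlock_home then names the step that was refused, so "load-key failed" versus "mount failed" tells you which delegated permission is in play.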
So, in other words, one may be better off if he sticks to GELI for the time being?
Not necessarily. It's a question of user-friendliness and use-case.

If you follow the instructions in the link regarding the pam_zfs_key module, the inconvenience with a native ZFS encrypted /home is having to enter the user login password twice to decrypt the data set and log in, and having to unload the key and unmount the data set manually after logging out.

On the other hand, with a geli(8) encrypted Root-on-ZFS a passphrase is entered once, and it is encrypted again when powered down or rebooted.

From the security point of view, both have their advantages and disadvantages, but both are production ready.

geli(8) encrypted Root-on-ZFS remains encrypted until decrypted; after that the whole file system is accessible, assuming one has the necessary user permissions.

ZFS native encrypted datasets can be decrypted and encrypted again on a running system. A user (including root) without knowledge of the user's password can't access a dataset owned by that user.

When I said adduser(8) ZFS encryption is experimental, it was based on the following issues:
  • the pam_zfs_key module isn't configured by default, user intervention is necessary
  • there is no documentation (as far as I can tell) about the pam module. I've discovered it searching online, found in https://reviews.freebsd.org
  • on log out, the user's dataset key is not unloaded and the dataset is not unmounted automatically, manual intervention is necessary
  • the password on log in must be entered twice, and four times when changing the password
  • rmuser(8) (or pw(8) userdel -r) doesn't destroy the user's home dataset (<pool>/home/<user>), it must be destroyed manually
 
Is there any idiomatic way how to automatize this e.g. on ssh login?
There is pam_zfs_key.
On FreeBSD, with pam_zfs_key.so configured, an ssh(1) login doesn't load the key and mount the user's home data set.

I tried adding the module to /etc/pam.d/sshd to no avail.

I've been investigating ZFS native encrypted user home directories since 13.0, when FreeBSD switched from Sun's ZFS to OpenZFS (the former doesn't provide native encryption), not out of necessity but out of curiosity (I use geli(8) Root-on-ZFS).

One of the results I found searching then was an article (from 2011), "Oracle Solaris Blog - User home directory encryption with ZFS". The pam_zfs_key.so module mentioned in the article was written by the author for Oracle Solaris (OpenZFS pam_zfs_key.c is not a derivative of it).

In that article, for ssh(1) login, additional configuration is done in /etc/pam.conf.

So, I tried some settings in pam.conf(5), but was not successful.
 
For me GELI would be just fine and probably even easier, unfortunately, this particular machine sometimes needs to be restarted remotely and that doesn't play nice with GELI.
 
My reading of those posts is that they haven’t tried to configure it for ssh, not that they tried and failed. (He talks about “haven’t figured out how, but it’s a lower priority.”)
After poking at this, it does appear to be broken for working with SSH. I can get it working with login (console login) with mount/unmount of the encrypted dataset, but with SSH it complains with "couldn't get password from PAM stack." I think this has to do with SSH's privilege separation at various steps of the authentication.
 
Is there any idiomatic way how to automatize this e.g. on ssh login?
Since a direct "ssh user@host" login won't decrypt the user's home data set, I can think of a workaround:
  • create an admin user on the host machine
  • give adminuser@host root privileges for the zfs-mount(8) -l option and the zfs-unmount(8) -u option with security/sudo, NOPASSWD (why sudo is preferable, see end of post).
  • execute "ssh adminuser@host command" to decrypt the user's data set
  • ssh user@host
  • after terminating the "ssh user@host" session, encrypt the data set again with "ssh adminuser@host command"
To shorten the commands, login shell aliases can be created, for example
Code:
alias janedec="ssh adminuser@host sudo zfs mount -l zroot/home/jane"

The only flaw with security/sudo, security/doas and security/super is that when the ZFS passphrase is entered, it is echoed on the terminal. "helloworld" is the passphrase:

[screenshot: ssh.png]

If that is a problem, have a look at sysutils/sshsudo to avoid the echoed passphrase.

[screenshot: sshsudo.png]

If security/sudo NOPASSWD is a problem, removing it will echo the ZFS passphrase with sysutils/sshsudo as well.
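As an added example that is not from the thread: rather than giving adminuser a general NOPASSWD sudo for zfs, pin the admin SSH key to a forced command that accepts only "unlock <user>" or "lock <user>", validates the user name, and runs exactly the two zfs invocations the workaround above needs. The authorized_keys and sudoers lines in the comments, the script name, the client aliases and the pool name zroot are assumptions on my part. The "lock" step still goes through the admin account, since the thread notes the user cannot unload their own key from inside the account.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command gate for the
# admin account of the ssh workaround. Assumed deployment:
#
#   ~adminuser/.ssh/authorized_keys (one line):
#     command="/usr/local/bin/zfs-home-gate",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... jane@laptop
#
#   sudoers drop-in for security/sudo (edit with visudo):
#     adminuser ALL=(root) NOPASSWD: /sbin/zfs mount -l zroot/home/*, /sbin/zfs unmount -u zroot/home/*
#
# sudoers(5) warns that a wildcard in command arguments also matches
# whitespace, so the validation below, not the sudoers line, is what
# keeps the request down to a single dataset and no extra options.
set -e
set -f   # no globbing while splitting the client-supplied command

POOL="${POOL:-zroot}"

# Accept only plain local user names: lowercase, digits, "_" and "-",
# and not starting with "-" (zfs would parse that as an option).
valid_user() {
    case "$1" in
        '' | -* | *[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Turn "<action> <user>" into the exact zfs command line, or fail.
# "destroy jane", "unlock jane -o ...", "unlock ../x" are all rejected.
build_cmd() {
    [ $# -eq 2 ] || return 1
    valid_user "$2" || return 1
    ds="$POOL/home/$2"
    case "$1" in
        unlock) printf 'zfs mount -l %s\n' "$ds" ;;   # load key, then mount
        lock)   printf 'zfs unmount -u %s\n' "$ds" ;; # unmount, then unload key
        *)      return 1 ;;
    esac
}

# Entry point for the forced command: sshd hands us what the client asked
# for in SSH_ORIGINAL_COMMAND; we split it on whitespace ourselves.
run_request() {
    cmd=$(build_cmd $1) || { echo "rejected: $1" >&2; return 1; }
    sudo $cmd
}

if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    run_request "$SSH_ORIGINAL_COMMAND"
fi
```

On the client the aliases become "ssh -t adminuser@host unlock jane" and "ssh -t adminuser@host lock jane". The -t matters for the echo problem shown in the screenshots: zfs load-key only turns echo off when its prompt is attached to a terminal, and "ssh host command" without -t runs the command with no tty, which is why the passphrase appeared in clear on the screen.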
 
Just coming here from 14.2 and I just blindly said "yes" to the "would you like to encrypt your homedir?" option and realized this isn't quite plug-n-play yet.

Anyone here have this working in a reasonable way? I'm at a loss at why something so unfinished would be exposed during the install without at least a warning that there's a bunch of additional setup to make it work.
 
Anyone here have this working in a reasonable way? I'm at a loss at why something so unfinished would be exposed during the install without at least a warning that there's a bunch of additional setup to make it work.
For the time being encrypted ZFS user home is not ideal to handle (in short: it sucks).

First: For automatic decryption of a user's home directory at login, manual PAM configuration is required [1].

Second: After the user logs out from the decrypted home, the home directory stays decrypted. The user can't encrypt the home directory by themselves, as to do that they must be logged in to the user's account, which makes it impossible to encrypt. A third party user must zfs-unload-key(8) for the user, or the system must be shut down.

[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282957#c6

There is a differential review to document the configuration in adduser(8), but it seems this hasn't landed in the source code: https://reviews.freebsd.org/D47996
 
Personally, I wouldn't want to use PAM. My encryption passphrase is stronger than my login password, and I don't want to type it every time the screensaver engages.

The point of disk and dataset encryption is to protect your data at rest, not to augment file permissions; the benefit of unloading keys seems minor.
 