ecryptfs does not work for domain users (AD, likewise/powerbroker)

Bug #1406940 reported by Dominik Gierlach
This bug affects 2 people
Affects: ecryptfs-utils (Ubuntu)
Status: Triaged
Importance: Low
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Ecryptfs encryption does not work for domain users in an Active Directory domain integrated with Likewise Open / PowerBroker, for the following reasons:

- Domain user names contain backslashes (DOMAIN\user.name). Ecryptfs checks for valid usernames, which mustn't contain backslashes.
- There is no PAM hook which automatically activates encryption of the home directory of new domain users.

Steps to reproduce:
- Set up an AD controller, e.g. via samba4
- Set up ecryptfs-utils on an Ubuntu machine
- Add the Ubuntu machine to the domain with Likewise Open / PowerBroker
- Log in with a domain user

Result:
- Home directory is unencrypted

Additional steps:
- Manually encrypt home directory of domain user

Additional result:
- On login decryption fails with message: "Username has unsupported characters"

Expected result:
Home directories of domain users can easily be encrypted and decrypted with ecryptfs

Tags: patch
Dominik Gierlach (dominik-gierlach) wrote :

Patched version of ecryptfs-utils is available here:

bzr branch lp:~dominik-gierlach/+junk/ecryptfs-enterprise
ppa:dominik-gierlach/enterprise

Changes:
- Allow backslashes in usernames
- Add pam hook and scripts (see http://askubuntu.com/questions/111803/enable-ecryptfs-for-all-new-users-even-those-authenticating-through-kerberos-an)

Dominik Gierlach (dominik-gierlach) wrote :

Possible patch for ecryptfs-utils package

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "45_44.diff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Dominik Gierlach (dominik-gierlach) wrote :

For the record: The ppa was updated to vivid.

Iain Lane (laney) wrote :

Dustin, can you review please?

Dustin Kirkland (kirkland) wrote :

Hmm, looking at this patch and I'm quite nervous. Backslashes and dollar signs in user names -- that sounds fraught with peril.

@tyhicks, @slangesek, @pitti: could you guys review the pam portions of this patch for security and safety?

Changed in ecryptfs-utils (Ubuntu):
importance: Undecided → Wishlist
importance: Wishlist → Low
status: New → Triaged
Steve Langasek (vorlon) wrote :

nack for the pam changes.

 - Dynamic home directory creation is not specific to ecryptfs and should not be part of an ecryptfs-specific pam config; there is an existing mkhomedir profile to use for this.
 - The /etc/security/ecryptfs script is not very reusable; it encodes your local policy preference to enable ecryptfs for all users logging in. It's also insecure, at a minimum because you are passing passwords to a program as commandline arguments, which are visible to all other users on the system.
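
The command-line exposure raised in the review comment above, shown as an added example that is not part of the bug thread or of the proposed patch: it starts a helper twice, once with the passphrase in argv and once over a stdin pipe, and checks what `/proc/<pid>/cmdline` exposes in each case. The helper is a hypothetical stand-in (not an ecryptfs-utils command), the passphrase is constructed, and Linux with `/proc` mounted is assumed.

```python
import subprocess
import sys

# Hypothetical stand-in for a helper that needs a passphrase (not an ecryptfs tool).
# It blocks on stdin until EOF so the parent can inspect it while it is running.
HELPER = "import sys; sys.stdin.read()"


def visible_argv(pid):
    """Return the argument vector that /proc publishes for this PID.

    /proc/<pid>/cmdline is world-readable by default, so this is what any
    other local user (or a `ps` listing) sees.
    """
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return [a.decode("utf-8", "replace") for a in fh.read().split(b"\0") if a]


def run_helper(passphrase, via_stdin):
    """Start the helper, hand it the passphrase, return what /proc exposes."""
    argv = [sys.executable, "-c", HELPER]
    if not via_stdin:
        argv.append(passphrase)  # weak: the secret becomes part of argv
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE)
    try:
        if via_stdin:
            # hardened: the secret travels over a pipe only the child can read
            proc.stdin.write(passphrase.encode() + b"\n")
            proc.stdin.flush()
        return visible_argv(proc.pid)
    finally:
        proc.stdin.close()  # EOF lets the helper exit
        proc.wait(timeout=10)


def leaks(passphrase, via_stdin):
    """True if the passphrase shows up in the helper's public command line."""
    return passphrase in run_helper(passphrase, via_stdin)


if __name__ == "__main__":
    secret = "constructed-passphrase-123"  # constructed sample value
    print("passed in argv, visible in /proc: ", leaks(secret, via_stdin=False))
    print("passed on stdin, visible in /proc:", leaks(secret, via_stdin=True))
```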

Sebastien Bacher (seb128) wrote :

(unsubscribing sponsors for now, the changes need more work before being up for review again)
