Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

zfs load-key: don't enforce minimum passphrase length #12765

Closed
wants to merge 4 commits into from

Conversation

AttilaFueloep
Copy link
Contributor

Motivation and Context

The pam_zfs_key pam(8) module does not enforce a minimum length while changing the passphrase of the users encrypted home dataset. This can lead to a situation where the key for that dataset can't be loaded with zfs-load-key(8) since it enforces a minimum length. Please see #12651 and #12656 for further details.

Please note that zfs-load-key(8) still enforces the maximum passphrase length. I think this is reasonable since it avoids a DOS condition and more recent linux pam(8) enforces a maximum password length of 512 as well [1].

Closes #12651
Closes #12656

Description

Since, as opposed to zfs-change-key(8), there is no compelling reason for zfs-load-key(8) to enforce a minimum passphrase length, remove that check. A test to verify that loading short keys succeeds was added to the pam_zfs_key tests. While there, fix a small cleanup bug.

How Has This Been Tested?

Ran the added test to verify that loading short keys fails on master and succeeds with 97ec67e applied.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Performance enhancement (non-breaking change which improves efficiency)
  • Code cleanup (non-breaking change which makes code smaller or more readable)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Library ABI change (libzfs, libzfs_core, libnvpair, libuutil and libzfsbootenv)
  • Documentation (a change to man pages or other documentation)

Checklist:

AttilaFueloep and others added 4 commits November 14, 2021 17:36
Remove the generated pam service config file
`/etc/pam.d/pam_zfs_key_test` on test cleanup, since the tests
shouldn't alter system state.

While here, move the pam service config file name into a variable.

Signed-off-by: Attila Fülöp <[email protected]>
The pam_zfs_key pam module does not enforce a minimum password
length while changing the user password and thus the users home
dataset passphrase. To not end up with a dateset `zfs load-key`
can't load the key for, `zfs load-key` should not enforce a minimum
passphrase length. This adds a test for that.

Signed-off-by: Attila Fülöp <[email protected]>
The restriction that an encryption key must be at least
MIN_PASSPHRASE_LEN characters long make sense when changing the
encryption key, but not when loading: as this restriction is not
enforced in the libraries, it is possible to bypass zfs change-key's
restrictions and end up with a key that becomes impossible to load with
zfs load-key, for example through pam_zfs_key.

Signed-off-by: Harald van Dijk <[email protected]>
Signed-off-by: Attila Fülöp <[email protected]>
@AttilaFueloep
Copy link
Contributor Author

Picked up from #12656.

@AttilaFueloep
Copy link
Contributor Author

@felixdoerre Would you mind having a look?

@AttilaFueloep
Copy link
Contributor Author

The kernel.org build failure is a known issue and the CentOS 8 test failure seems unrelated.

@behlendorf behlendorf added the Status: Accepted Ready to integrate (reviewed, tested) label Nov 30, 2021
behlendorf pushed a commit that referenced this pull request Nov 30, 2021
The pam_zfs_key pam module does not enforce a minimum password
length while changing the user password and thus the users home
dataset passphrase. To not end up with a dateset `zfs load-key`
can't load the key for, `zfs load-key` should not enforce a minimum
passphrase length. This adds a test for that.

Reviewed-by: Felix Dörre <[email protected]>
Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: Attila Fülöp <[email protected]>
Closes #12765
Closes #12651
Closes #12656
behlendorf pushed a commit that referenced this pull request Nov 30, 2021
The restriction that an encryption key must be at least
MIN_PASSPHRASE_LEN characters long make sense when changing the
encryption key, but not when loading: as this restriction is not
enforced in the libraries, it is possible to bypass zfs change-key's
restrictions and end up with a key that becomes impossible to load with
zfs load-key, for example through pam_zfs_key.

Reviewed-by: Felix Dörre <[email protected]>
Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: Harald van Dijk <[email protected]>
Closes #12765
behlendorf pushed a commit that referenced this pull request Nov 30, 2021
Reviewed-by: Felix Dörre <[email protected]>
Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: Attila Fülöp <[email protected]>
Closes #12765
nicman23 pushed a commit to nicman23/zfs that referenced this pull request Aug 22, 2022
Remove the generated pam service config file
`/etc/pam.d/pam_zfs_key_test` on test cleanup, since the tests
shouldn't alter system state.

While here, move the pam service config file name into a variable.

Reviewed-by: Felix Dörre <[email protected]>
Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: Attila Fülöp <[email protected]>
Closes openzfs#12765
nicman23 pushed a commit to nicman23/zfs that referenced this pull request Aug 22, 2022
The pam_zfs_key pam module does not enforce a minimum password
length while changing the user password and thus the users home
dataset passphrase. To not end up with a dateset `zfs load-key`
can't load the key for, `zfs load-key` should not enforce a minimum
passphrase length. This adds a test for that.

Reviewed-by: Felix Dörre <[email protected]>
Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: Attila Fülöp <[email protected]>
Closes openzfs#12765
Closes openzfs#12651
Closes openzfs#12656
nicman23 pushed a commit to nicman23/zfs that referenced this pull request Aug 22, 2022
The restriction that an encryption key must be at least
MIN_PASSPHRASE_LEN characters long make sense when changing the
encryption key, but not when loading: as this restriction is not
enforced in the libraries, it is possible to bypass zfs change-key's
restrictions and end up with a key that becomes impossible to load with
zfs load-key, for example through pam_zfs_key.

Reviewed-by: Felix Dörre <[email protected]>
Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: Harald van Dijk <[email protected]>
Closes openzfs#12765
nicman23 pushed a commit to nicman23/zfs that referenced this pull request Aug 22, 2022
Reviewed-by: Felix Dörre <[email protected]>
Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: Attila Fülöp <[email protected]>
Closes openzfs#12765
nicman23 pushed a commit to nicman23/zfs that referenced this pull request Aug 22, 2022
Remove the generated pam service config file
`/etc/pam.d/pam_zfs_key_test` on test cleanup, since the tests
shouldn't alter system state.

While here, move the pam service config file name into a variable.

Reviewed-by: Felix Dörre <[email protected]>
Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: Attila Fülöp <[email protected]>
Closes openzfs#12765
nicman23 pushed a commit to nicman23/zfs that referenced this pull request Aug 22, 2022
The pam_zfs_key pam module does not enforce a minimum password
length while changing the user password and thus the users home
dataset passphrase. To not end up with a dateset `zfs load-key`
can't load the key for, `zfs load-key` should not enforce a minimum
passphrase length. This adds a test for that.

Reviewed-by: Felix Dörre <[email protected]>
Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: Attila Fülöp <[email protected]>
Closes openzfs#12765
Closes openzfs#12651
Closes openzfs#12656
nicman23 pushed a commit to nicman23/zfs that referenced this pull request Aug 22, 2022
The restriction that an encryption key must be at least
MIN_PASSPHRASE_LEN characters long make sense when changing the
encryption key, but not when loading: as this restriction is not
enforced in the libraries, it is possible to bypass zfs change-key's
restrictions and end up with a key that becomes impossible to load with
zfs load-key, for example through pam_zfs_key.

Reviewed-by: Felix Dörre <[email protected]>
Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: Harald van Dijk <[email protected]>
Closes openzfs#12765
nicman23 pushed a commit to nicman23/zfs that referenced this pull request Aug 22, 2022
Reviewed-by: Felix Dörre <[email protected]>
Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: Attila Fülöp <[email protected]>
Closes openzfs#12765
@ggzengel
Copy link
Contributor

I have an old pool with short keys and can't load them.
When will this patch be merged?
What can I do to enter a valid passphrase?

# zfs version
zfs-2.1.5-1~bpo11+1
zfs-kmod-2.1.5-1~bpo11+1
# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:        11
Codename:       bullseye

@felixdoerre
Copy link
Contributor

This patch was already merged, and specifically the changes you seek are contained in master in commit 85638aa. However this change was not backported to zfs-2.1 and therefore isn't contained in any zfs release yet. Interestingly the problem of having an old pool with short key didn't come up before (this pr is dedicated to short keys being set/entered with the pam module). You could use the pam module to work around that:
Create a user with the corresponding home and short key as password, install the pam_zfs_key module, login to that user, and the dataset should be unlocked. Sadly I am not aware of any other workarounds.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Status: Accepted Ready to integrate (reviewed, tested)
Projects
None yet
Development

Successfully merging this pull request may close these issues.

pam_zfs_key can set passwords that do not pass validation
5 participants