-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
zfs load-key: don't enforce minimum passphrase length #12765
Conversation
Remove the generated pam service config file `/etc/pam.d/pam_zfs_key_test` on test cleanup, since the tests shouldn't alter system state. While here, move the pam service config file name into a variable. Signed-off-by: Attila Fülöp <[email protected]>
The pam_zfs_key pam module does not enforce a minimum password length while changing the user password and thus the users home dataset passphrase. To not end up with a dateset `zfs load-key` can't load the key for, `zfs load-key` should not enforce a minimum passphrase length. This adds a test for that. Signed-off-by: Attila Fülöp <[email protected]>
The restriction that an encryption key must be at least MIN_PASSPHRASE_LEN characters long make sense when changing the encryption key, but not when loading: as this restriction is not enforced in the libraries, it is possible to bypass zfs change-key's restrictions and end up with a key that becomes impossible to load with zfs load-key, for example through pam_zfs_key. Signed-off-by: Harald van Dijk <[email protected]>
Signed-off-by: Attila Fülöp <[email protected]>
Picked up from #12656. |
@felixdoerre Would you mind having a look? |
The kernel.org build failure is a known issue and the CentOS 8 test failure seems unrelated. |
The pam_zfs_key pam module does not enforce a minimum password length while changing the user password and thus the users home dataset passphrase. To not end up with a dateset `zfs load-key` can't load the key for, `zfs load-key` should not enforce a minimum passphrase length. This adds a test for that. Reviewed-by: Felix Dörre <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Attila Fülöp <[email protected]> Closes #12765 Closes #12651 Closes #12656
The restriction that an encryption key must be at least MIN_PASSPHRASE_LEN characters long make sense when changing the encryption key, but not when loading: as this restriction is not enforced in the libraries, it is possible to bypass zfs change-key's restrictions and end up with a key that becomes impossible to load with zfs load-key, for example through pam_zfs_key. Reviewed-by: Felix Dörre <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Harald van Dijk <[email protected]> Closes #12765
Reviewed-by: Felix Dörre <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Attila Fülöp <[email protected]> Closes #12765
Remove the generated pam service config file `/etc/pam.d/pam_zfs_key_test` on test cleanup, since the tests shouldn't alter system state. While here, move the pam service config file name into a variable. Reviewed-by: Felix Dörre <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Attila Fülöp <[email protected]> Closes openzfs#12765
The pam_zfs_key pam module does not enforce a minimum password length while changing the user password and thus the users home dataset passphrase. To not end up with a dateset `zfs load-key` can't load the key for, `zfs load-key` should not enforce a minimum passphrase length. This adds a test for that. Reviewed-by: Felix Dörre <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Attila Fülöp <[email protected]> Closes openzfs#12765 Closes openzfs#12651 Closes openzfs#12656
The restriction that an encryption key must be at least MIN_PASSPHRASE_LEN characters long make sense when changing the encryption key, but not when loading: as this restriction is not enforced in the libraries, it is possible to bypass zfs change-key's restrictions and end up with a key that becomes impossible to load with zfs load-key, for example through pam_zfs_key. Reviewed-by: Felix Dörre <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Harald van Dijk <[email protected]> Closes openzfs#12765
Reviewed-by: Felix Dörre <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Attila Fülöp <[email protected]> Closes openzfs#12765
Remove the generated pam service config file `/etc/pam.d/pam_zfs_key_test` on test cleanup, since the tests shouldn't alter system state. While here, move the pam service config file name into a variable. Reviewed-by: Felix Dörre <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Attila Fülöp <[email protected]> Closes openzfs#12765
The pam_zfs_key pam module does not enforce a minimum password length while changing the user password and thus the users home dataset passphrase. To not end up with a dateset `zfs load-key` can't load the key for, `zfs load-key` should not enforce a minimum passphrase length. This adds a test for that. Reviewed-by: Felix Dörre <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Attila Fülöp <[email protected]> Closes openzfs#12765 Closes openzfs#12651 Closes openzfs#12656
The restriction that an encryption key must be at least MIN_PASSPHRASE_LEN characters long make sense when changing the encryption key, but not when loading: as this restriction is not enforced in the libraries, it is possible to bypass zfs change-key's restrictions and end up with a key that becomes impossible to load with zfs load-key, for example through pam_zfs_key. Reviewed-by: Felix Dörre <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Harald van Dijk <[email protected]> Closes openzfs#12765
Reviewed-by: Felix Dörre <[email protected]> Reviewed-by: Brian Behlendorf <[email protected]> Signed-off-by: Attila Fülöp <[email protected]> Closes openzfs#12765
I have an old pool with short keys and can't load them.
|
This patch was already merged, and specifically the changes you seek are contained in master in commit 85638aa. However this change was not backported to zfs-2.1 and therefore isn't contained in any zfs release yet. Interestingly the problem of having an old pool with short key didn't come up before (this pr is dedicated to short keys being set/entered with the pam module). You could use the pam module to work around that: |
Motivation and Context
The pam_zfs_key pam(8) module does not enforce a minimum length while changing the passphrase of the users encrypted home dataset. This can lead to a situation where the key for that dataset can't be loaded with zfs-load-key(8) since it enforces a minimum length. Please see #12651 and #12656 for further details.
Please note that zfs-load-key(8) still enforces the maximum passphrase length. I think this is reasonable since it avoids a DOS condition and more recent linux pam(8) enforces a maximum password length of 512 as well [1].
Closes #12651
Closes #12656
Description
Since, as opposed to zfs-change-key(8), there is no compelling reason for zfs-load-key(8) to enforce a minimum passphrase length, remove that check. A test to verify that loading short keys succeeds was added to the pam_zfs_key tests. While there, fix a small cleanup bug.
How Has This Been Tested?
Ran the added test to verify that loading short keys fails on master and succeeds with 97ec67e applied.
Types of changes
Checklist:
Signed-off-by
.