14

About a month ago I updated my 16.04 LTS server to 18.04.1 LTS. The upgrade went fine. However, since the upgrade, whenever a user logs in, there is a message displayed in dmesg or on the local console (but not to the user's SSH session) that reads:

[890802.820519] Could not find key with description: [HEXSTRING]
[890802.820537] process_request_key_err: No key
[890802.820538] Could not find valid key in user session keyring for sig specified in mount option: [HEXSTRING]
[890802.820557] One or more global auth toks could not properly register; rc = [-2]
[890802.820558] Error parsing options; rc = [-2]

After much Googling, I found this related question and managed to figure out that it's a backup of the user's home drive taken when the upgrade occurred.

I should note that users still have access to their home drives and they do not have a problem logging in; this is just an annoyance message that I am trying to clean up.

I attempted to add the passphrase to the keyring using the accepted answer in the linked question:

$ /usr/bin/ecryptfs-manager

eCryptfs key management menu
-------------------------------
    1. Add passphrase key to keyring
    2. Add public key to keyring
    3. Generate new public/private keypair
    4. Exit

Make selection: 1

    Mount-wide passphrase:
    Confirm passphrase:
    Using the default salt value

That key was already in the keyring.

So, the key is already in the keyring but I still get the error message when a user logs in.

How can I prevent this notification/error from occurring?

Andy
  • Does the key signature that can't be found match the key signature in use? Is it the same one in /home/.ecryptfs/user/.ecryptfs/Private.sig ? – Xen2050 Sep 27 '18 at 05:10
  • @Xen2050 Yes, they match. Private.sig has two keys and one of those matches the "Could not find key with description" one displayed. – Andy Sep 27 '18 at 12:45
  • I'm not sure... unless something's trying to mount a little too fast, then trying again and succeeding (since everything seems to work anyway)... so it sounds like a bug? Could just erase the offending lines from syslog... or what path/name does the "backup of the user's home drive" have? Maybe it's trying to mount the backup and failing (keys could've changed)? eCryptfs has a verbose mode, but it logs secret values to the system log – Xen2050 Sep 29 '18 at 04:22
  • I suspect that this ecryptfs incident could be problematic when you have two users and want to switch between those. It is only a speculation at this stage. Please feel free to have a look at https://askubuntu.com/q/1371906/446253 for more info on that other incident @DustinKirkland – XavierStuvw Oct 28 '21 at 15:56
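
The check discussed in the comments above (is the signature from the dmesg line listed in Private.sig, and is a key with that signature in the keyring), as an added example that is not part of the original thread. The function names are hypothetical, the sample input is constructed, and it assumes 16-hex-character eCryptfs signatures and the usual `keyctl list` output layout.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample data is constructed.

# Signatures the kernel reported as missing (dmesg text on stdin).
dmesg_missing_sigs() {
    sed -n 's/.*Could not find key with description: \[\([0-9a-fA-F]\{16\}\)\].*/\1/p' | sort -u
}

# Signatures of "user"-type keys in `keyctl list` output (on stdin).
keyring_sigs() {
    sed -n 's/.* user: \([0-9a-fA-F]\{16\}\)[[:space:]]*$/\1/p' | sort -u
}

# report DMESG_FILE SIG_FILE KEYLIST_FILE
# Prints "<sig> in_sigfile=<yes|no> in_keyring=<yes|no>" for each reported sig.
report() {
    dmesg_missing_sigs < "$1" | while read -r sig; do
        in_sig=no
        in_ring=no
        grep -qix "$sig" "$2" && in_sig=yes
        keyring_sigs < "$3" | grep -qix "$sig" && in_ring=yes
        echo "$sig in_sigfile=$in_sig in_keyring=$in_ring"
    done
}

# Constructed sample input. On a real host the three files would come from:
#   dmesg > dmesg.txt
#   /home/.ecryptfs/<user>/.ecryptfs/Private.sig
#   keyctl list @u > keys.txt   (run as the affected user; repeat with @s)
tmp=$(mktemp -d)
printf '%s\n' \
    '[890802.820519] Could not find key with description: [0123456789abcdef]' \
    '[890802.820537] process_request_key_err: No key' > "$tmp/dmesg.txt"
printf '%s\n' 0123456789abcdef fedcba9876543210 > "$tmp/Private.sig"
printf '%s\n' '1 key in keyring:' \
    ' 512345678: --alswrv  1000  1000 user: fedcba9876543210' > "$tmp/keys.txt"

report "$tmp/dmesg.txt" "$tmp/Private.sig" "$tmp/keys.txt"
```

Comparing the result for `@u` (user keyring) and `@s` (session keyring) shows which keyring actually holds the key at the time the message is logged.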

2 Answers

4

It looks like this bug, first reported in Ubuntu 17.10: ecryptfs-mount-private fails to initialize ecryptfs keys

The error there is like your own:

[ 1265.695388] Could not find key with description: [<correct key ID>]
[ 1265.695393] process_request_key_err: No key
[ 1265.695394] Could not find valid key in user session keyring for sig specified in mount option: [<correct key ID>]
[ 1265.695395] One or more global auth toks could not properly register; rc = [-2]
[ 1265.695396] Error parsing options; rc = [-2]

You should subscribe to the bug report and make sure you mark it affects you too.

Read the messages posted by other users. There are solutions that work for some and not others.

0

On Ubuntu 18.04 LTS, does this work for anyone?

exec /usr/bin/startfluxbox

And if you get a message asking you to try running the interactive ecryptfs-mount-private, try doing that.

It should yield something like:

Inserted auth tok with sig into the user session keyring
INFO: Your private directory has been mounted