From ce51ecb3123a47bacce83a33b5a1e4000ac22855 Mon Sep 17 00:00:00 2001
From: Chris Lindee
Date: Fri, 28 Jan 2022 01:50:29 -0600
Subject: [PATCH] PAM: Give multiple opportunities to unlock dataset
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If an encrypted ZFS dataset is not unlocked and mounted on the first login session - as might be the case when a passphrase is not used for authentication - try again on subsequent sessions, whenever the needed tokens are provided.

This change comes with performance considerations: checking whether the dataset is already mounted requires iterating through /proc/self/mounts, making the check Ο(n) for n mounts. The prior implementation checked a count value within a file, for far less runtime variability.

Signed-off-by: Chris Lindee
---
 contrib/pam_zfs_key/pam_zfs_key.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/contrib/pam_zfs_key/pam_zfs_key.c b/contrib/pam_zfs_key/pam_zfs_key.c
index 9702189f67..1f0487e04f 100644
--- a/contrib/pam_zfs_key/pam_zfs_key.c
+++ b/contrib/pam_zfs_key/pam_zfs_key.c
@@ -377,6 +377,10 @@ decrypt_mount(pam_handle_t *pamh, const char *ds_name,
 pam_syslog(pamh, LOG_ERR, "dataset %s not found", ds_name);
 return (-1);
 }
+ if (zfs_prop_get_int(ds, ZFS_PROP_MOUNTED)) {
+ zfs_close(ds);
+ return (0);
+ }
 pw_password_t *key = prepare_passphrase(pamh, ds, passphrase, NULL);
 if (key == NULL) {
 zfs_close(ds);
@@ -756,11 +760,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags,
 return (PAM_SUCCESS);
 }
 
- int counter = zfs_key_config_modify_session_counter(pamh, &config, 1);
- if (counter != 1) {
- zfs_key_config_free(&config);
- return (PAM_SUCCESS);
- }
+ (void) zfs_key_config_modify_session_counter(pamh, &config, 1);
 const pw_password_t *token = pw_get(pamh);
 if (token == NULL) {
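Review bot: The new ZFS_PROP_MOUNTED short-circuit in decrypt_mount() returns 0 before prepare_passphrase() runs, so once the dataset is mounted every later session gets a success result whatever token it carries; that is presumably intended, since the key was validated by the session that mounted it, but a reader can otherwise mistake the 0 for "passphrase accepted". The check also only covers the mounted state: a dataset whose key is loaded but which is not mounted still falls through to prepare_passphrase() and the key-load path below, which I cannot see from here and which would then have to tolerate an already-loaded key. I would put `/* Already unlocked and mounted by an earlier session; nothing to do. This does not validate the passphrase. */` above the new if. decrypt_mount's body continues past the end of the hunk.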
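Review bot: Casting the session-counter result to (void) in pam_sm_open_session() drops the only indication that the counter could not be updated; the removed code bailed out on any value other than 1, which also covered a failed update, whereas the new line proceeds regardless and the close-session decrement may later run against a counter that was never incremented. If zfs_key_config_modify_session_counter() reports failure through its return value (its definition is outside this hunk, so I am inferring), I would keep a guard such as `if (zfs_key_config_modify_session_counter(pamh, &config, 1) < 0) { zfs_key_config_free(&config); return (PAM_SESSION_ERR); }`, or return PAM_SUCCESS there if best-effort is the intended policy. It would also help to say why the first-session gate is gone, since the de-duplication now lives in the other hunk: `/* Count every session for close-session; decrypt_mount() is a no-op once the dataset is mounted. */`. pam_sm_open_session starts and ends outside this hunk.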