Package: libpam-mount
Version: 0.9.23-1
Followup-For: Bug #302024
It seems to me that pam_mount first tries to mount every volume given in "/etc/security/pam_mount.conf" two times. Perhaps because of the two entries in "/etc/pam.d/SERVICE" after "@include common-auth" and "@include common-session"? After the first login /var/run/pam_mount/ruediger is set to "2".

Detailed debug output of login and logout behaviour follows:

>-----------------------------------------------------------------------------
May 30 13:05:42 snoodles login[9415]: pam_mount: reading options_allow...
May 30 13:05:43 snoodles login[9415]: pam_mount: reading options_require...
May 30 13:05:43 snoodles login[9415]: pam_mount: back from global readconfig
May 30 13:05:43 snoodles login[9415]: pam_mount: per-user configurations not allowed by pam_mount.conf
May 30 13:05:43 snoodles login[9415]: pam_mount: real and effective user ID are 0 and 0.
May 30 13:05:43 snoodles login[9415]: pam_mount: checking sanity of volume record (/dev/vg1/ruediger)
May 30 13:05:43 snoodles login[9415]: pam_mount: about to perform mount operations
May 30 13:05:43 snoodles login[9415]: pam_mount: information for mount:
May 30 13:05:43 snoodles login[9415]: pam_mount: --------
May 30 13:05:43 snoodles login[9415]: pam_mount: (defined by globalconf)
May 30 13:05:43 snoodles login[9415]: pam_mount: user:          ruediger
May 30 13:05:43 snoodles login[9415]: pam_mount: server:
May 30 13:05:43 snoodles login[9415]: pam_mount: volume:        /dev/vg1/ruediger
May 30 13:05:43 snoodles login[9415]: pam_mount: mountpoint:    /home/ruediger
May 30 13:05:43 snoodles login[9415]: pam_mount: options:       cipher=aes,hash=sha512,keysize=256
May 30 13:05:43 snoodles login[9415]: pam_mount: fs_key_cipher: aes-256-ecb
May 30 13:05:43 snoodles login[9415]: pam_mount: fs_key_path:   /home/ruediger.key
May 30 13:05:43 snoodles login[9415]: pam_mount: use_fstab:     0
May 30 13:05:43 snoodles login[9415]: pam_mount: --------
May 30 13:05:43 snoodles login[9415]: pam_mount: checking to see if /dev/mapper/_dev_vg1_ruediger is already mounted at /home/ruediger
May 30 13:05:43 snoodles login[9415]: pam_mount: checking for encrypted filesystem key configuration
May 30 13:05:43 snoodles login[9415]: pam_mount: decrypting FS key using system auth. token and aes-256-ecb
May 30 13:05:43 snoodles login[9415]: pam_mount: about to start building mount command
May 30 13:05:43 snoodles login[9415]: pam_mount: command: /bin/mount [-t] [crypt] [-ocipher=aes,hash=sha512,keysize=256] [/dev/vg1/ruediger] [/home/ruediger]
May 30 13:05:43 snoodles login[9749]: pam_mount: setting uid to 0
May 30 13:05:43 snoodles login[9749]: pam_mount: real and effective user ID are 0 and 0.
May 30 13:05:43 snoodles login[9749]: pam_mount: real and effective group ID are 1000 and 1000.
May 30 13:05:43 snoodles login[9415]: pam_mount: mount errors (should be empty):
May 30 13:05:43 snoodles login[9415]: pam_mount: pam_mount: setting uid to 0
May 30 13:05:43 snoodles login[9415]: pam_mount: pam_mount: real and effective user ID are 0 and 0.
May 30 13:05:43 snoodles login[9415]: pam_mount: pam_mount: real and effective group ID are 1000 and 1000.
May 30 13:05:43 snoodles login[9415]: pam_mount: waiting for mount
May 30 13:05:43 snoodles login[9415]: pam_mount: clean system authtok (0)
May 30 13:05:43 snoodles login[9415]: pam_mount: command: /usr/sbin/pmvarrun [-u] [ruediger] [-d] [-o] [1]
May 30 13:05:43 snoodles login[9761]: pam_mount: setting uid to 0
May 30 13:05:43 snoodles login[9761]: pam_mount: real and effective user ID are 0 and 0.
May 30 13:05:43 snoodles login[9761]: pam_mount: real and effective group ID are 1000 and 1000.
May 30 13:05:43 snoodles login[9415]: pam_mount: pmvarrun says login count is 92
May 30 13:05:43 snoodles login[9415]: pam_mount: done opening session
May 30 13:05:43 snoodles login[9415]: (pam_unix) session opened for user ruediger by LOGIN(uid=0)
May 30 13:05:43 snoodles login[9415]: pam_mount: user is ruediger
May 30 13:05:43 snoodles login[9415]: pam_mount: reading options_allow...
May 30 13:05:43 snoodles login[9415]: pam_mount: reading options_require...
May 30 13:05:43 snoodles login[9415]: pam_mount: back from global readconfig
May 30 13:05:43 snoodles login[9415]: pam_mount: per-user configurations not allowed by pam_mount.conf
May 30 13:05:43 snoodles login[9415]: pam_mount: real and effective user ID are 0 and 0.
May 30 13:05:43 snoodles login[9415]: pam_mount: checking sanity of volume record (/dev/vg1/ruediger)
May 30 13:05:43 snoodles login[9415]: pam_mount: about to perform mount operations
May 30 13:05:43 snoodles login[9415]: pam_mount: information for mount:
May 30 13:05:43 snoodles login[9415]: pam_mount: --------
May 30 13:05:43 snoodles login[9415]: pam_mount: (defined by globalconf)
May 30 13:05:43 snoodles login[9415]: pam_mount: user:          ruediger
May 30 13:05:43 snoodles login[9415]: pam_mount: server:
May 30 13:05:43 snoodles login[9415]: pam_mount: volume:        /dev/vg1/ruediger
May 30 13:05:43 snoodles login[9415]: pam_mount: mountpoint:    /home/ruediger
May 30 13:05:43 snoodles login[9415]: pam_mount: options:       cipher=aes,hash=sha512,keysize=256
May 30 13:05:43 snoodles login[9415]: pam_mount: fs_key_cipher: aes-256-ecb
May 30 13:05:43 snoodles login[9415]: pam_mount: fs_key_path:   /home/ruediger.key
May 30 13:05:43 snoodles login[9415]: pam_mount: use_fstab:     0
May 30 13:05:43 snoodles login[9415]: pam_mount: --------
May 30 13:05:43 snoodles login[9415]: pam_mount: checking to see if /dev/mapper/_dev_vg1_ruediger is already mounted at /home/ruediger
May 30 13:05:43 snoodles login[9415]: pam_mount: /dev/vg1/ruediger already seems to be mounted at /home/ruediger, skipping
May 30 13:05:43 snoodles login[9415]: pam_mount: clean system authtok (0)
May 30 13:05:43 snoodles login[9415]: pam_mount: command: /usr/sbin/pmvarrun [-u] [ruediger] [-d] [-o] [1]
May 30 13:05:43 snoodles login[9762]: pam_mount: setting uid to 0
May 30 13:05:43 snoodles login[9762]: pam_mount: real and effective user ID are 0 and 0.
May 30 13:05:43 snoodles login[9762]: pam_mount: real and effective group ID are 1000 and 1000.
May 30 13:05:43 snoodles login[9415]: pam_mount: pmvarrun says login count is 93
May 30 13:05:43 snoodles login[9415]: pam_mount: done opening session
May 30 13:05:46 snoodles login[9415]: pam_mount: received order to close things
May 30 13:05:46 snoodles login[9415]: pam_mount: real and effective user ID are 0 and 0.
May 30 13:05:46 snoodles login[9415]: pam_mount: user is ruediger
May 30 13:05:46 snoodles login[9415]: pam_mount: command: /usr/sbin/pmvarrun [-u] [ruediger] [-d] [-o] [-1]
May 30 13:05:46 snoodles login[9771]: pam_mount: setting uid to 0
May 30 13:05:46 snoodles login[9771]: pam_mount: real and effective user ID are 0 and 0.
May 30 13:05:46 snoodles login[9771]: pam_mount: real and effective group ID are 1000 and 1000.
May 30 13:05:46 snoodles login[9415]: pam_mount: pmvarrun says login count is 92
May 30 13:05:46 snoodles login[9415]: pam_mount: ruediger seems to have other remaining open sessions
May 30 13:05:46 snoodles login[9415]: pam_mount: pam_mount execution complete
May 30 13:05:46 snoodles login[9415]: (pam_unix) session closed for user ruediger
May 30 13:05:46 snoodles login[9415]: pam_mount: received order to close things
May 30 13:05:46 snoodles login[9415]: pam_mount: real and effective user ID are 0 and 0.
May 30 13:05:46 snoodles login[9415]: pam_mount: user is ruediger
May 30 13:05:46 snoodles login[9415]: pam_mount: command: ðøù·ðøù·n/pmvarrun [0Õ^F^H\210øù·^P] [\210øù·\210øù·]\200^G%!] [\210øù·\210øù·\210øù·^Q] [EMAIL PROTECTED] [°Þ^F^HERATION)]
May 30 13:05:46 snoodles login[9772]: pam_mount: setting uid to 0
May 30 13:05:46 snoodles login[9772]: pam_mount: real and effective user ID are 0 and 0.
May 30 13:05:46 snoodles login[9772]: pam_mount: real and effective group ID are 1000 and 1000.
May 30 13:05:46 snoodles login[9415]: pam_mount: error executing /usr/sbin/pmvarrun
May 30 13:05:46 snoodles login[9415]: pam_mount: going to unmount
May 30 13:05:46 snoodles login[9415]: pam_mount: information for mount:
May 30 13:05:46 snoodles login[9415]: pam_mount: --------
May 30 13:05:46 snoodles login[9415]: pam_mount: (defined by globalconf)
May 30 13:05:46 snoodles login[9415]: pam_mount: user:          ruediger
May 30 13:05:46 snoodles login[9415]: pam_mount: server:
May 30 13:05:47 snoodles login[9415]: pam_mount: volume:        /dev/vg1/ruediger
May 30 13:05:47 snoodles login[9415]: pam_mount: mountpoint:    /home/ruediger
May 30 13:05:47 snoodles login[9415]: pam_mount: options:       cipher=aes,hash=sha512,keysize=256
May 30 13:05:47 snoodles login[9415]: pam_mount: fs_key_cipher: aes-256-ecb
May 30 13:05:47 snoodles login[9415]: pam_mount: fs_key_path:   /home/ruediger.key
May 30 13:05:47 snoodles login[9415]: pam_mount: use_fstab:     0
May 30 13:05:47 snoodles login[9415]: pam_mount: --------
May 30 13:05:47 snoodles login[9415]: pam_mount: command: \210øù·\210øù·\210øù·^Q [EMAIL PROTECTED]
May 30 13:05:47 snoodles login[9773]: pam_mount: setting uid to 0
May 30 13:05:47 snoodles login[9773]: pam_mount: real and effective user ID are 0 and 0.
May 30 13:05:47 snoodles login[9773]: pam_mount: real and effective group ID are 1000 and 1000.
May 30 13:05:47 snoodles login[9415]: pam_mount: Failed to execute child process "\210øù·\210øù·\210øù·^Q" (No such file or directory)
May 30 13:05:47 snoodles login[9415]: pam_mount: could not fill
May 30 13:05:47 snoodles login[9415]: pam_mount: command: /usr/bin/umount.crypt [/home/ruediger]
May 30 13:05:47 snoodles login[9774]: pam_mount: setting uid to 0
May 30 13:05:47 snoodles login[9774]: pam_mount: real and effective user ID are 0 and 0.
May 30 13:05:47 snoodles login[9774]: pam_mount: real and effective group ID are 1000 and 1000.
May 30 13:05:47 snoodles login[9415]: pam_mount: umount errors (should be empty):
May 30 13:05:47 snoodles login[9415]: pam_mount: pam_mount: setting uid to 0
May 30 13:05:47 snoodles login[9415]: pam_mount: pam_mount: real and effective user ID are 0 and 0.
May 30 13:05:47 snoodles login[9415]: pam_mount: pam_mount: real and effective group ID are 1000 and 1000.
May 30 13:05:47 snoodles login[9415]: pam_mount: waiting for umount
>-----------------------------------------------------------------------------

My /etc/security/pam_mount.conf:

>-----------------------------------------------------------------------------
# Turn on if you want to debug why some volume cannot be mounted etc.
# This can be overridden by user's local configuration
#
# Format: debug [ 1 | 0 ]
# Local user configuration can override this.
debug 1

mkmountpoint 1

# Loopback device to use to run fsck on loopback filesystems.
fsckloop /dev/loop7

# Users' local configuration file (if there is none, comment out this
# parameter). Will be read as ~/<file>
#
# Note: you must include either options_allow or options_deny to use
# this directive. I recommend also including options_require.
#
# Individual users may define additional volumes to mount if allowed
# by pam_mount.conf (usually ~/.pam_mount.conf). The volume keyword is
# the only valid keyword in these per-user configuration files. If the
# luserconf parameter is set in pam_mount.conf, allowing user-defined
# volume, then users may mount and unmount any volumes they specify.
# The mount operation is executed under the user account, not with
# root permissions.
# IMPORTANT: right now only smb and ncp mounts work in ~/.pam_mount.conf
# since they do not require root privileges! All other mount types
# have to be in the global configuration file.
# Please only file bugs about this if you can exactly show and prevent
# the security implications of user-specified mount commands.
#
# Format: luserconf <file>
# luserconf .pam_mount.conf

# These directives determine which options may be specified in a user config
# file (luserconf). You must include one of these directives if you have a
# luserconf directive. You may not include both directives.
#
# If you have an options_allow directive, then the options listed in that
# directive will be allowed, and all others rejected. If you have an
# options_deny directive, then the options listed will be denied, and all others
# permitted.
#
# You may use the wildcard '*' to match all options.
# options_allow nosuid,nodev,loop,encryption
# options_deny suid,dev
# options_allow *
# options_deny *
#
# I recommend not permitting the suid and dev options.

# The options listed in this directive are required for all volumes from a
# user config file. That is, any volume specified in a user config file that
# does not include these options will be ignored.
#
# Note: you must make sure that a required option is permitted (either by
# including it in options_allow, or by not including it in options_deny).
#
# I recommend requiring at least nosuid and nodev.
#
# This is ignored completely if the volume is configured to get its options
# and mount point from /etc/fstab.
# options_require nosuid,nodev

# Commands to mount/unmount volumes. They can take parameters, as shown.
#
# If you change the -p0 argument for lclmount, you'll need to modify the
# source in mount.c (it sends the password to the stdin file descriptor
# of the child process -- look for STDIN_FILENO).
lsof /usr/sbin/lsof %(MNTPT)
fsck /sbin/fsck -p %(FSCKTARGET)
losetup /sbin/losetup -p0 "%(before=\"-e\" CIPHER)" "%(before=\"-k\" KEYBITS)" %(FSCKLOOP) %(VOLUME)
unlosetup /sbin/losetup -d %(FSCKLOOP)
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
smbmount /usr/bin/smbmount //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
ncpmount /usr/bin/ncpmount %(SERVER)/%(USER) %(MNTPT) -o "pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)"
smbumount /usr/bin/smbumount %(MNTPT)
ncpumount /usr/bin/ncpumount %(MNTPT)
# Linux supports lazy unmounting (-l). May be dangerous for encrypted volumes.
# May also break loopback mounts because loopback devices are not freed.
# Need to unmount mount point not volume to support SMB mounts, etc.
umount /bin/umount %(MNTPT)
# On OpenBSD try "/usr/local/bin/mount_ehd" (included in pam_mount package).
lclmount /bin/mount -p0 %(VOLUME) %(MNTPT) "%(before=\"-o\" OPTIONS)"
cryptmount /bin/mount -t crypt "%(before=\"-o\" OPTIONS)" %(VOLUME) %(MNTPT)
nfsmount /bin/mount %(SERVER):%(VOLUME) %(MNTPT) "%(before=\"-o\" OPTIONS)"
# --bind may be a Linuxism. FIXME: find BSD equivalent.
mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)
#mntcheck /bin/mount # For BSD's (don't have /etc/mtab)
pmvarrun /usr/sbin/pmvarrun -u %(USER) -d -o %(OPERATION)

# Volumes that will be mounted when user triggers pam_mount module
# (usually at login).
#
# Format:
# volume <user> [smb|ncp|nfs|local] <server> <volume> <mount point> <mount options> <fs key cipher> <fs key path>
#
# Note that if the mount command has specified an option, eg %(KEYBITS)
# and you don't specify a value, a warning is printed in the log. The
# warning can usually be ignored, except when the option is mandatory.
#
# General examples:
#
# smb mounts require the "smbfs" Debian package
# smb mounts work also in user-specified config file ~/.pam_mount.conf
# volume user smb krueger public /home/user/krueger - - -
#
# ncp mounts require the "ncpfs" Debian package
# ncp mounts work also in user-specified config file ~/.pam_mount.conf
# volume user ncp krueger public /home/user/krueger user=user.context - -
#
# Linux encrypted home directory examples, using dm_crypt:
#
# crypt mounts require a kernel with CONFIG_BLK_DEV_DM and CONFIG_DM_CRYPT
# enabled as well as all the used ciphers (eg. CONFIG_CRYPTO_AES_586,
# CONFIG_CRYPTO_TWOFISH, etc.)
# crypt mounts require the "cryptsetup" Debian package.
# crypt mounts must be in the global config file /etc/security/pam_mount.conf
# volume user crypt - /dev/sda2 /home/user cipher=aes aes-256-ecb /home/user.key
#
# Linux encrypted home directory examples, using cryptoloop:
#
# cryptoloop mounts require a kernel with CONFIG_BLK_DEV_CRYPTOLOOP enabled
# cryptoloop mounts must be in the global config file
# /etc/security/pam_mount.conf
# volume user local - /dev/hda123 /home/user loop,encryption=aes - -
# volume user local - /home/user.img /home/user loop,user,exec,encryption=aes,keybits=256 - -
# volume user local - /home/user.img - - - -
# volume user local - /home/user.img - - aes-256-ecb /home/user4.key
#
# The last two examples need a line like the following in
# /etc/fstab:
#
# /home/user4.img /home/user4 xfs user,loop,encryption=aes,keybits=256,noauto 0 0
#
# OpenBSD encrypted home directory example (see also lclmount above):
# volume user local - /home/user.img /home/user svnd0 - -
#
# Volatile tmpfs mount with restricted size
# (thanks to Mike Hommey for this example)
#
# volume test local - /tmpfs/test /home/test "size=10M,uid=test,gid=users,mode=0700 -t tmpfs" - -
#
# Details:
# Local user configuration (~/.pam_mount.conf) can extend this.
#
# If there are no servers, mount options, fs key ciphers, etc. you must
# supply a "-"
#
# See http://www.tldp.org/HOWTO/Loopback-Encrypted-Filesystem-HOWTO.html
# to learn how to create an encrypted loopback filesystem.
#
# If the volume's password is different than the user's login password,
# the following technique may be used (see also README):
#
# 1. Create a file containing the volume's password (FS key). If you are
#    using pam_mount to mount a loopback encrypted volume, this password
#    may be generated by /dev/urandom.
#
#    Simple example:
#    echo <volume password> | openssl enc -aes-256-ecb > /home/user.key
#    Encrypt this file using the user's login password as the key.
#
#    Verbose loopback encrypted volume example:
#    a. dd if=/dev/urandom of=/home/user.img bs=1M count=<image size in MB>
#    b. dd if=/dev/urandom bs=1c count=<keysize / 8> | openssl enc \
#       -<fs key cipher> > /home/user.key
#       Encrypt this file using the user's login password as the key.
#    c. modprobe -q cryptoloop
#    d. openssl enc -d -<fs key cipher> -in /home/user.key | losetup -e aes \
#       -k <keysize> -p0 /dev/loop0 /home/user.img
#    e. mkfs -t ext2 /dev/loop0
#    f. losetup -d /dev/loop0
#
# 3. In pam_mount.conf:
#    a. Set the fs key cipher variable to the cipher used (ie: aes-256-ecb).
#    b. Set the fs key path variable to the key's path (ie: /home/user.key)
# 4. If a user changes his login password, regenerate the efsk that
#    was created in step 1b. A script named passwdehd is provided to do this.
#
# If fs_key_cipher is -, then the user's login password is also the volume's
# password.

# Template (or wildcard) volumes
#
# If user is "*", "&" will be replaced by name of the user logging on in the
# volume, mount point, mount options and fs key path fields. "~/*" will be
# replaced with "<user's homedir>/*."
#
# volume * smb krueger & /home/& uid=&,gid=&,dmask=0750 - -
# volume * smb krueger homes /home/&/remote - - -
# volume * local - /home/&.img - - aes-256-ecb /etc/ehd/&

# Windows 2000, which requires a domain specified, example (thanks John Knox):
# volume * smb viper & /home/& uid=&,gid=&,dmask=0750,workgroup=WINDOWS_DOMAIN - -

# An NCP example:
# volume user ncp SERVER /USERS/Department/user /home/user user=user.full.context,uid=user,gid=user,symlinks - -

# Windows 2000, which requires a domain specified, example (thanks John Knox):
# volume * smb viper & /home/& uid=&,gid=&,dmask=0750,workgroup=WINDOWS_DOMAIN - -

# HOMEs
volume ruediger crypt - /dev/vg1/ruediger /home/ruediger cipher=aes,hash=sha512,keysize=256 aes-256-ecb /home/ruediger.key
>-----------------------------------------------------------------------------

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (510, 'testing'), (210, 'unstable'), (110, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.10
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages libpam-mount depends on:
ii  libc6            2.3.2.ds1-22    GNU C Library: Shared libraries an
ii  libglib2.0-0     2.6.4-1         The GLib library of C routines
ii  libssl0.9.7      0.9.7e-3        SSL shared libraries
ii  mount            2.12p-4         Tools for mounting and manipulatin
ii  zlib1g           1:1.2.2-4       compression library - runtime

-- no debconf information
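The three things the debug output above shows (the mount pass running twice within one login, the pmvarrun login counter ending one above where it started, and the logout path executing a command string full of non-printable bytes) are easy to miss in a wall of syslog lines. The script below is an added example written for this page, not code from the bug report or from pam_mount; it assumes only the "pam_mount: ..." debug line format seen above, and the log it runs on is a constructed, abridged sample modelled on that output (PIDs and timestamps made up). Checking a real /var/log/auth.log with it would confirm whether a stack with pam_mount listed under both auth and session produces exactly this pattern.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the debug output quoted in the report above
# (abridged; PIDs and timestamps made up). The last "command:" line carries
# high and control bytes the way the report's corrupted pmvarrun call does.
SAMPLE_LOG = (
    "May 30 13:05:43 snoodles login[9415]: pam_mount: about to perform mount operations\n"
    "May 30 13:05:43 snoodles login[9415]: pam_mount: command: /bin/mount [-t] [crypt] [/dev/vg1/ruediger] [/home/ruediger]\n"
    "May 30 13:05:43 snoodles login[9415]: pam_mount: command: /usr/sbin/pmvarrun [-u] [ruediger] [-d] [-o] [1]\n"
    "May 30 13:05:43 snoodles login[9415]: pam_mount: pmvarrun says login count is 92\n"
    "May 30 13:05:43 snoodles login[9415]: pam_mount: about to perform mount operations\n"
    "May 30 13:05:43 snoodles login[9415]: pam_mount: /dev/vg1/ruediger already seems to be mounted at /home/ruediger, skipping\n"
    "May 30 13:05:43 snoodles login[9415]: pam_mount: command: /usr/sbin/pmvarrun [-u] [ruediger] [-d] [-o] [1]\n"
    "May 30 13:05:43 snoodles login[9415]: pam_mount: pmvarrun says login count is 93\n"
    "May 30 13:05:46 snoodles login[9415]: pam_mount: received order to close things\n"
    "May 30 13:05:46 snoodles login[9415]: pam_mount: command: /usr/sbin/pmvarrun [-u] [ruediger] [-d] [-o] [-1]\n"
    "May 30 13:05:46 snoodles login[9415]: pam_mount: pmvarrun says login count is 92\n"
    "May 30 13:05:46 snoodles login[9415]: pam_mount: received order to close things\n"
    "May 30 13:05:46 snoodles login[9415]: pam_mount: command: \xf0\xf8\xf9\xb7n/pmvarrun [0\xd5\x06\x08] [-d] [ERATION)]\n"
    "May 30 13:05:46 snoodles login[9415]: pam_mount: error executing /usr/sbin/pmvarrun\n"
)

# syslog prefix "<month> <day> <time> <host> <prog>[<pid>]: pam_mount: <msg>"
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ [^\[]+\[(?P<pid>\d+)\]: pam_mount: (?P<msg>.*)$"
)
# the "-o <n>" argument of a pmvarrun invocation: +1 on login, -1 on logout
PMVARRUN_OP_RE = re.compile(r"pmvarrun .*\[-o\] \[(-?\d+)\]")


def analyse(log_text):
    """Per login process (syslog PID): tally pam_mount's mount passes,
    pmvarrun counter operations and command lines with non-printable bytes."""
    per_pid = defaultdict(lambda: {
        "mount_passes": 0, "skipped_already_mounted": 0, "close_orders": 0,
        "counter_ops": [], "garbled_commands": [], "pending_op": None,
    })
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        st, msg = per_pid[m["pid"]], m["msg"]
        if msg == "about to perform mount operations":
            st["mount_passes"] += 1
        elif "already seems to be mounted" in msg:
            st["skipped_already_mounted"] += 1
        elif msg == "received order to close things":
            st["close_orders"] += 1
        elif msg.startswith("command: "):
            argv = msg[len("command: "):]
            # A sane argv is printable ASCII; control or high bytes mean the
            # command string was assembled from bad memory, as in the report.
            if not all(0x20 <= ord(c) < 0x7F for c in argv):
                st["garbled_commands"].append(argv)
            op = PMVARRUN_OP_RE.search(argv)
            st["pending_op"] = int(op.group(1)) if op else None
        elif msg.startswith("pmvarrun says login count is "):
            count = int(msg.rsplit(" ", 1)[1])
            st["counter_ops"].append((st["pending_op"], count))
            st["pending_op"] = None
    for st in per_pid.values():
        del st["pending_op"]
    return dict(per_pid)


def session_count_leak(counter_ops):
    """Net change of the pmvarrun login counter over one login/logout.
    The counter is only logged after each successful call, so the value
    before the first call is reconstructed from that call's operation."""
    if not counter_ops:
        return 0
    first_op, first_count = counter_ops[0]
    start = first_count - (first_op or 0)
    return counter_ops[-1][1] - start


def findings(log_text):
    out = []
    for pid, st in analyse(log_text).items():
        if st["mount_passes"] > 1:
            out.append(f"pid {pid}: mount pass ran {st['mount_passes']} times "
                       f"({st['skipped_already_mounted']} skipped as already mounted); "
                       "look for pam_mount listed twice in the PAM stack (auth and session)")
        leak = session_count_leak(st["counter_ops"])
        if st["close_orders"] and leak > 0:
            out.append(f"pid {pid}: login counter ends {leak} above its start, "
                       "so the volume is never unmounted on logout")
        for argv in st["garbled_commands"]:
            out.append(f"pid {pid}: command line contains non-printable bytes: {argv!r}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print(line)
```

Pointed at a real log (`python3 pam_mount_check.py < /var/log/auth.log` after swapping `SAMPLE_LOG` for stdin), the first finding is the one to act on: if the mount pass runs twice per login, the module is being invoked from two PAM stack entries and the counter increments twice but decrements once, which is exactly why the encrypted home stays mounted after logout.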