turtles Veteran
Joined: 31 Dec 2004 Posts: 1655
Posted: Thu Sep 27, 2012 9:55 pm Post subject: How is pam_mount supposed to work? |
Been reading up on a few things like man pam_mount, the pam_mount docs and the various stuff on the wikis.
Looking for some more information on pam_mount and LUKS.
Say for example a user has an encrypted /home with dm-crypt and LUKS.
pam_mount does not know the LUKS passphrase the drive was encrypted with.
Will pam_mount ask the user for the LUKS passphrase during the "mount filesystems" step at boot?
Then /home will be unlocked and mounted and the user will be authenticated as logged in? Without the user needing to use their login password?
Then what is the login manager to do? The user could just automagically startx?
Or does it work the other way: pam_mount does keep a key to the drive and the user password unlocks the drive?
Then where is the drive's passphrase stored, and how? I am not seeing this in the pam_mount docs.
What if the user logs in over ssh?
What is the minimum required /etc/pam.d/service for pam_mount to work?
The manpage states:
pam_mount wrote: | you must include two entries in the system's applicable /etc/pam.d/service config files |
Then has:
Code: |
auth required pam_securetty.so
auth required pam_pwdb.so shadow nullok
auth required pam_nologin.so
+++ auth optional pam_mount.so
account required pam_pwdb.so
password required pam_cracklib.so
password required pam_pwdb.so shadow nullok use_authtok
session required pam_pwdb.so
session optional pam_console.so
+++ session optional pam_mount.so
|
Which two, and where does one begin and another end? This doesn't look anything like mine.
I guess they are using the +++ signs like a diff? So this is what I need to add and nothing else?
Code: | session optional pam_mount.so | and Code: | auth optional pam_mount.so |
OK. Then pam_mount wrote: | When "sufficient" is used in the second column, you must make sure that pam_mount is added before this entry. |
Looking at
/etc/security/pam_mount.conf.xml
and its docs.
Last question: the /home dir should not be in /etc/fstab, or what will happen?
How does pam_mount deal with a case where the drive has already been mounted?
From my experimenting with it, it seems to go into an infinite loop pretty easily.
Also, it seems like the user passwords are weaker than the LUKS passphrase in general, so why would pam_mount store a LUKS passphrase somewhere?? If another user with root privileges can access the system (live USB) and compile a corrupted version of pam_mount, then the drive could be unlocked.
Just not wrapping my head around it.
Thanks in advance
EDIT: I just played around with it and I think one of the LUKS keys has to equal the password, so just make a really strong password.
And if you su to the user's account from root, the partition is not mounted.
The asking for a password during disk mounting is not provided by pam_mount but something to do with fstab. Having an entry in fstab will cause an infinite loop of some kind.
Still not sure about unmounting.
ulenrich Veteran
Joined: 10 Oct 2010 Posts: 1480
Posted: Fri Sep 28, 2012 1:12 pm Post subject: |
With just one user active on a workstation, "pam_mount" is a little bit of an overkill. Without it you just need /etc/crypttab:
cr6 /dev/sda6 none luks,timeout=444,tries=3
Then in /etc/fstab:
/dev/mapper/cr6 /home ext4 auto,defaults 0 2
And then autologin, for example for kdm in /usr/share/config/kdmrc:
AutoLoginEnable=true
AutoLoginUser=YOURNAME
But pam_mount can take advantage of all LUKS features, e.g. multiple passwords for an encrypted partition. Or just mount a separate encrypted /home/USERNAME partition for each user. Thus the administrator root cannot look into your private data (if not present at the same time).
turtles Veteran
Joined: 31 Dec 2004 Posts: 1655
Posted: Sun Oct 07, 2012 12:22 am Post subject: |
Well, I have been tinkering with settings in /etc/pam.d/.
Setting the 2 settings listed in the pam_mount man page:
Code: | session optional pam_mount.so
auth optional pam_mount.so |
in
Makes for lots of noise during su's but works with kdm.
Setting it in system-services works on non-X login but not with kdm.
Setting it in both creates no conflicts.
Now there are 2 other files, kde and kde-np,
owned indirectly by KDM:
Code: | * Searching for /etc/pam.d/kde ...
kde-base/kdebase-pam-7 (/etc/pam.d/kde)
lapcat pam.d # equery depends kde-base/kdebase-pam-7
* These packages depend on kde-base/kdebase-pam-7:
kde-base/kcheckpass-4.8.5 (pam ? >=kde-base/kdebase-pam-7)
|
Looking at kde's docs:
http://docs.kde.org/stable/en/kde-workspace/kdm/configuring-your-system-for-kdm.html
http://www.gentoo.org/proj/en/desktop/kde/kde4-guide.xml
Not finding any documentation.
Any idea what these two files are for? Which one is needed for pam_mount on login to kdm?
Edit: From what I can tell, adding those two lines to the kde file allows pam_mount to work with kdm.
So it's the system-services & kde files.
Now for the unmounting.....
feystorm Tux's lil' helper
Joined: 29 Jan 2004 Posts: 96
Posted: Sat Nov 24, 2012 3:10 am Post subject: |
Just replying to add some info on how to properly set this up.
Every time I go and build a new machine, I never remember all the nuances of setting up LUKS home dirs, so I end up looking it up. But then all the info I find is wrong and I end up doing it the hard way anyway.
For pam_mount there are a few things required to do this properly:
First, edit /etc/security/pam_mount.conf.xml
Add the following options to the <pam_mount> section:
Code: | <logout wait="200000" hup="1" term="1" kill="1" />
<ofl>/bin/fuser -s -M -m %(MNTPT) -k -%(SIGNAL)</ofl>
<volume user="YOURUSERNAMEHERE" fstype="crypt" path="/PATH/TO/DEVICE" mountpoint="~" />
|
The <volume> should be pretty normal. However, the other stuff is for unmounting the volume.
The <logout> bit tells it to unmount the volume when you log out. The hup, term, and kill are whether it should send those signals to processes that are using the volume. The wait is how many microseconds to wait between each signal (it goes hup->term->kill).
The <ofl> is the command to use to signal the processes. I use fuser, but you can use lsof if you wish.
Next, update /etc/pam.d/system-login.
This file is included by any authentication system which logs a user in. This includes kdm, gdm, console, ssh, etc. You don't want to use system-auth or system-services, as the volume should only be mounted when a user logs in. By putting it in system-auth, it will cause any authentication to try and mount (e.g. sudo or su). By putting it in system-services, cron (and others) will break.
There are a few changes you should make here.
1) Add "auth optional pam_mount.so" immediately below the "auth include system-auth" line.
This line causes pam_mount to use your login password to mount the volume. It uses the password obtained earlier in the PAM stack (usually from pam_unix.so, which is in system-auth).
2) Change "auth include system-auth" to "auth substack system-auth".
This is because the system-auth stack can have an "auth sufficient" directive, which will tell PAM to jump out of the rest of the auth stack. Since pam_mount.so is after "system-auth", an "auth sufficient" directive will skip it. By changing system-auth to a substack, the "auth sufficient" directive merely jumps out of the substack and continues on with pam_mount.so.
3) Add "session optional pam_mount.so" after the very last "session include" directive.
This line tells pam_mount.so to keep track of the number of login sessions for each user. When a session is closed, if there are 0 sessions left open for the user, it unmounts the volume. We place it at the very end so that the volume is unmounted as the very last action. This is so that if anything else in the PAM session stack needs access to the home directory, it's still there.
Note that this will kill any backgrounded processes you have running once all your sessions are closed. If you have a screen session running and it's holding the mount open, it'll get killed. You theoretically could work around this by putting the "session optional pam_mount.so" in system-auth instead of system-login, but I haven't tried this and don't know if pam_mount will behave in that scenario.
Just for reference, this is my system-login file:
Code: |
auth required pam_tally2.so onerr=succeed
auth required pam_shells.so
auth required pam_nologin.so
auth substack system-auth
auth optional pam_mount.so
auth optional pam_gnome_keyring.so
account required pam_access.so
account required pam_nologin.so
account include system-auth
account required pam_tally2.so onerr=succeed
password include system-auth
password optional pam_gnome_keyring.so
session optional pam_loginuid.so
session required pam_env.so
session optional pam_lastlog.so
session include system-auth
session optional pam_ck_connector.so nox11
session optional pam_gnome_keyring.so auto_start
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so
session optional pam_mount.so
|
And for completeness, though it shouldn't matter, my system-auth (which is modified as I use sssd):
Code: |
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account optional pam_permit.so
password required pam_cracklib.so difok=1 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session required pam_limits.so
session required pam_env.so
session optional pam_unix.so
session optional pam_sss.so
|
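The include-versus-substack point from the post above (step 2) is easy to get wrong and hard to see without a test login. As an added example, not part of the original thread and not pam_mount's or libpam's own code, here is a small Python model of how libpam walks an auth stack: `required`, `requisite`, `sufficient` and `optional` behave as in pam.d(5), a `sufficient` success inside an `include` returns from the whole parent stack, and the same success inside a `substack` returns only from the substack. The stack texts are constructed here to resemble the system-auth and system-login files shown above; the folding of a failed substack into the parent as a `required` failure is a simplification, and any module not listed in the outcome table is assumed to succeed.

```python
"""Model of libpam stack evaluation, enough to show why `auth include
system-auth` followed by `auth optional pam_mount.so` never reaches
pam_mount on a successful login, while `auth substack system-auth` does.

Rules modelled (pam.d(5)): required -> a failure marks the stack failed
but evaluation continues; requisite -> a failure returns immediately;
sufficient -> a success returns immediately unless a required module
already failed; optional -> result ignored. `include` splices the other
file's lines into this stack; `substack` evaluates them as one unit.
Assumption/simplification: a failed substack counts like a failed
`required` module in the parent stack.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Entry:
    control: str  # required | requisite | sufficient | optional | include | substack
    module: str   # module file name, or the stack name for include/substack


def parse_stack(text: str, kind: str) -> list[Entry]:
    """Return the entries of management group `kind` (auth, session, ...)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == kind and len(parts) >= 3:
            entries.append(Entry(parts[1].lower(), parts[2]))
    return entries


def _walk(name, files, kind, outcomes, executed):
    """Evaluate stack `name`; returns (success, returned_early)."""
    failed = False
    for e in parse_stack(files[name], kind):
        if e.control in ("include", "substack"):
            ok, early = _walk(e.module, files, kind, outcomes, executed)
            if e.control == "include" and early:
                return ok, True  # sufficient/requisite inside an include ends the parent too
            if not ok:
                failed = True    # failed substack treated like a failed `required` (assumption)
            continue
        executed.append(e.module)
        ok = outcomes.get(e.module, True)  # unlisted modules are assumed to succeed
        if e.control == "required" and not ok:
            failed = True
        elif e.control == "requisite" and not ok:
            return False, True
        elif e.control == "sufficient" and ok and not failed:
            return True, True
        # optional: result ignored
    return not failed, False


def evaluate(name, files, kind, outcomes):
    """Return (success, list of modules actually executed, in order)."""
    executed: list[str] = []
    ok, _ = _walk(name, files, kind, outcomes, executed)
    return ok, executed


def pam_mount_session_is_last(text: str) -> bool:
    """True if pam_mount.so is the final session entry, so the volume is
    unmounted only after every other session module has run (step 3)."""
    session = parse_stack(text, "session")
    return bool(session) and session[-1].module == "pam_mount.so"


# Constructed sample stacks modelled on the files quoted in the post above.
FILES = {
    "system-auth": """
auth required   pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_sss.so use_first_pass
auth required   pam_deny.so
""",
    "system-login-include": """
auth required pam_nologin.so
auth include  system-auth
auth optional pam_mount.so
""",
    "system-login-substack": """
auth required pam_nologin.so
auth substack system-auth
auth optional pam_mount.so
session optional pam_mount.so
""",
}

# Outcomes for a local user: pam_sss knows nothing about them, pam_deny always fails.
GOOD_PASSWORD = {"pam_unix.so": True, "pam_sss.so": False, "pam_deny.so": False}
BAD_PASSWORD = {"pam_unix.so": False, "pam_sss.so": False, "pam_deny.so": False}

if __name__ == "__main__":
    for stack in ("system-login-include", "system-login-substack"):
        for label, outcomes in (("good", GOOD_PASSWORD), ("bad", BAD_PASSWORD)):
            ok, ran = evaluate(stack, FILES, "auth", outcomes)
            print(f"{stack:22} {label} password -> auth={'ok' if ok else 'FAIL'}, "
                  f"pam_mount ran: {'pam_mount.so' in ran}")
```

Running it shows the trap: with `include`, pam_mount.so is only reached when the password was wrong (pam_deny.so has already failed the stack, so nothing ever mounts), whereas with `substack` it runs right after a successful pam_unix.so and gets the password it needs.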