Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED] pam_mount failing via ssh: Conversation error_
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Massimo B.
Veteran
Veteran


Joined: 09 Feb 2005
Posts: 1759
Location: PB, Germany

PostPosted: Mon Mar 02, 2015 12:45 pm    Post subject: [SOLVED] pam_mount failing via ssh: Conversation error_ Reply with quote

Recently I merged the latest pambase updates into my system-auth with pam_mount setting. Things began to fail like xdm and now ssh login:
Code:
Mon Feb 16 11:45:29 2015 >>> sys-auth/pambase-20150213
Now I have this merged result of the system-auth:
Code:
auth            required        pam_env.so
auth            optional        pam_mount.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so
account         required        pam_unix.so
account         optional        pam_permit.so
password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        optional        pam_permit.so
session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so
session         optional        pam_mount.so

Now I've seen ssh login does not work anymore:
Code:
Mar 02 13:35:31 [sshd] (pam_mount.c:522): mount of /dev/disk/by-uuid/91fc8930-02d1-449e-b645-648325004e6e failed_
Mar 02 13:35:31 [sshd] (pam_mount.c:173): conv->conv(...): Conversation error_
Mar 02 13:35:31 [sshd] (pam_mount.c:477): warning: could not obtain password interactively either_
Mar 02 13:35:31 [sshd] SSH: Server;Ltype: Kex;Remote: 192.168.42.106-35194;Enc: aes128-ctr;MAC: umac-64-etm@openssh.com;Comp: none
Mar 02 13:39:41 [1squashmount_flush] squashmount flush finished.
Mar 02 13:39:41 [fcron] Job run-parts /etc/cron.hourly terminated (exit status: 1)

Maybe these issues are related? What is wrong with that system-auth?
I even thought if I would need pam at all, but I guess using pam_mount I can't get around without pam?

As pam has changed in the years, is this old 2007 post still valid? linuxquestions.org...pam_mount-problems-in-ssh-on-gentoo-553741/..

Best regards,
Massimo
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770


Last edited by Massimo B. on Thu Oct 08, 2015 8:47 am; edited 1 time in total
Back to top
View user's profile Send private message
Massimo B.
Veteran
Veteran


Joined: 09 Feb 2005
Posts: 1759
Location: PB, Germany

PostPosted: Wed Oct 07, 2015 6:37 am    Post subject: Reply with quote

Again encountering this issue, I find my own posts in the net, unanswered...

My current setup, working for local logins but pam_mount failing for ssh logins:

/etc/pam.d/sshd:
auth       include      system-remote-login
account    include      system-remote-login
password   include      system-remote-login
session    include      system-remote-login

/etc/pam.d/system-remote-login:
auth            include         system-login
account         include         system-login
password        include         system-login
session         include         system-login

/etc/pam.d/system-login:

auth            required        pam_tally2.so onerr=succeed
auth            required        pam_shells.so
auth            required        pam_nologin.so
auth            include         system-auth
account         required        pam_access.so
account         required        pam_nologin.so
account         include         system-auth
account         required        pam_tally2.so onerr=succeed
password        include         system-auth
session         optional        pam_loginuid.so
session         required        pam_env.so
session         optional        pam_lastlog.so silent
session         include         system-auth
session         optional        pam_ck_connector.so nox11
session         optional        pam_motd.so motd=/etc/motd
session         optional        pam_mail.so

/etc/pam.d/system-auth:

auth            required        pam_env.so
auth            optional        pam_mount.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            optional        pam_permit.so
account         required        pam_unix.so
account         optional        pam_permit.so
password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        optional        pam_permit.so
session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so
session         optional        pam_mount.so

Code:
Oct 07 08:15:36 [sshd] Accepted publickey for massimo from 94.... port 37063 ssh2: RSA SHA256:QXc...
Oct 07 08:15:36 [sshd] pam_unix(sshd:session): session opened for user massimo by (uid=0)
Oct 07 08:15:36 [sshd] (pam_mount.c:173): conv->conv(...): Conversation error_
Oct 07 08:15:36 [sshd] (pam_mount.c:477): warning: could not obtain password interactively either_
Oct 07 08:15:38 [sshd] (mount.c:68): Messages from underlying mount program:_
Oct 07 08:15:38 [sshd] (mount.c:72): crypt_activate_by_passphrase: Operation not permitted_
Oct 07 08:15:38 [sshd] (pam_mount.c:522): mount of /dev/disk/by-uuid/cfd4... failed_

Any idea?
As for the linuxquestions links above, my includes are quite right, doing the same auths as the local login. And Kerberos I don't use afaik.
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Back to top
View user's profile Send private message
Massimo B.
Veteran
Veteran


Joined: 09 Feb 2005
Posts: 1759
Location: PB, Germany

PostPosted: Wed Oct 07, 2015 6:58 am    Post subject: Reply with quote

Correction, I was using login by key, but also deleting the key on the target and entering pam_mount password, the log looks like this:
Code:

Oct 07 09:09:12 [sshd] Accepted keyboard-interactive/pam for massimo from 94... port 37277 ssh2
Oct 07 09:09:12 [sshd] pam_unix(sshd:session): session opened for user massimo by (uid=0)
Oct 07 09:09:12 [sshd] (pam_mount.c:173): conv->conv(...): Conversation error_
Oct 07 09:09:12 [sshd] (pam_mount.c:477): warning: could not obtain password interactively either_
Oct 07 09:09:14 [sshd] (mount.c:68): Messages from underlying mount program:_
Oct 07 09:09:14 [sshd] (mount.c:72): crypt_activate_by_passphrase: Operation not permitted_
Oct 07 09:09:14 [sshd] (pam_mount.c:522): mount of /dev/disk/by-uuid/cfd... failed_
Oct 07 09:09:16 [kernel]  sdb: unknown partition table

Login remote as user via SSH: $HOME is not mounted
su - to root and su - back to my user makes the $HOME mounted as real local logins.
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Back to top
View user's profile Send private message
Massimo B.
Veteran
Veteran


Joined: 09 Feb 2005
Posts: 1759
Location: PB, Germany

PostPosted: Thu Oct 08, 2015 8:46 am    Post subject: Reply with quote

Working now with
/etc/ssh/sshd_config:
ChallengeResponseAuthentication no

What does this "challenge-response authentication" mean for sshd any why does it forward the password to pam_mount only with that disabled?

EDIT: Answered in ../pam-mount/../bugs.txt
_________________
HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum