kwisatz_haderais Tux's lil' helper
Joined: 28 Sep 2004 Posts: 143
Posted: Tue May 22, 2007 7:47 pm Post subject: |
The only order of "auth lines" in system-auth that worked for me (without login asking for the password twice) is the following:
Code: |
auth required pam_env.so
auth optional pam_mount.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so |
Mirza n00b
Joined: 22 Nov 2005 Posts: 5
Posted: Sun Jun 03, 2007 6:27 pm Post subject: |
kwisatz_haderais wrote: | The only order of "auth lines" in system-auth that worked for me (without login asking for the password twice) is the following:
Code: |
auth required pam_env.so
auth optional pam_mount.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so |
|
This is finally working for me. Thanks.
Are there any possible security considerations when changing
Code: | auth required pam_unix.so likeauth nullok use_first_pass |
to
Code: | auth sufficient pam_unix.so likeauth nullok use_first_pass |
I don't know what the difference is between "sufficient" and "required", because I am not able to log in at all when I am using "required" for pam_unix in the above configuration.
M. |
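Mirza's question about "sufficient" versus "required" for pam_unix.so, and the ordering kwisatz_haderais ended up with, both come down to how Linux-PAM walks the auth stack. The following is an added example of my own, not code from this thread or from pam_mount: a POSIX sh simulator of that walk, fed with the two variants discussed above plus a pam_unix-before-pam_mount ordering. The module behaviour it assumes (pam_mount.so only stashes the password it reads, pam_unix.so is the only module that verifies it, both honour use_first_pass/try_first_pass) is a simplification of the real modules.

```sh
#!/bin/sh
# Added example (not from this thread, not pam_mount code): a small simulator
# of how Linux-PAM walks an "auth" stack, to show what "sufficient" versus
# "required" and the module order actually change.
#
# Control flags as Linux-PAM applies them:
#   required   - a failure is remembered, but the remaining modules still run
#   requisite  - a failure ends the stack immediately with failure
#   sufficient - success ends the stack with success, unless an earlier
#                required module already failed; a failure is ignored
#   optional   - the result is ignored (as long as other modules exist)
#
# Module model (a simplification, assumed here): pam_env.so always succeeds,
# pam_deny.so always fails, pam_unix.so and pam_mount.so read a password and
# honour use_first_pass / try_first_pass; only pam_unix.so verifies it,
# pam_mount.so just stashes it for its session stage.
#
# pam_auth_stack <file> <good|bad>  ->  "<success|fail> <prompts> <stashed>"
#   prompts: how often the user was asked for a password
#   stashed: 1 if pam_mount.so got the password for the session stage
pam_auth_stack() {
    cfg=$1; pw=$2
    failed_required=0; authtok=""; prompts=0; stashed=0
    while read -r type control module args; do
        [ "$type" = auth ] || continue       # skip blanks, comments, other types
        r=success
        case "$module" in
            pam_deny.so) r=fail ;;
            pam_unix.so|pam_mount.so)
                case " $args " in
                    *" use_first_pass "*)        # reuse the stacked token, never prompt
                        [ -n "$authtok" ] || r=fail ;;
                    *" try_first_pass "*)        # prompt only if nothing is stacked yet
                        if [ -z "$authtok" ]; then prompts=$((prompts + 1)); authtok=$pw; fi ;;
                    *)                           # always prompt
                        prompts=$((prompts + 1)); authtok=$pw ;;
                esac
                if [ "$module" = pam_mount.so ] && [ "$r" = success ]; then stashed=1; fi
                if [ "$module" = pam_unix.so ] && [ "$authtok" != good ]; then r=fail; fi ;;
        esac
        case "$control" in
            required)   if [ "$r" = fail ]; then failed_required=1; fi ;;
            requisite)  if [ "$r" = fail ]; then echo "fail $prompts $stashed"; return 0; fi ;;
            sufficient) if [ "$r" = success ] && [ "$failed_required" = 0 ]; then
                            echo "success $prompts $stashed"; return 0
                        fi ;;
            optional)   ;;
            *)          echo "unknown control flag '$control'" >&2; return 2 ;;
        esac
    done < "$cfg"
    if [ "$failed_required" = 1 ]; then echo "fail $prompts $stashed"; else echo "success $prompts $stashed"; fi
}

# The stacks under discussion, auth lines only (the other management groups
# play no part in the auth phase).
stack_sufficient() {    # the ordering that works, pam_unix "sufficient"
    cat <<'EOF'
auth required   pam_env.so
auth optional   pam_mount.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required   pam_deny.so
EOF
}
stack_required() {      # same stack with pam_unix "required" (no login possible)
    stack_sufficient | sed 's/^auth sufficient pam_unix/auth required   pam_unix/'
}
stack_unix_first() {    # pam_unix before pam_mount, nothing passed on
    cat <<'EOF'
auth required   pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth optional   pam_mount.so
auth required   pam_deny.so
EOF
}

# Demo: run each stack with a correct and with a wrong password.
demo() {
    d=$(mktemp -d)
    for s in stack_sufficient stack_required stack_unix_first; do
        "$s" > "$d/$s"
        printf '%-16s good: %-13s bad: %s\n' "$s" \
            "$(pam_auth_stack "$d/$s" good)" "$(pam_auth_stack "$d/$s" bad)"
    done
    rm -rf "$d"
}
demo
```

The demo reports stack_sufficient as "success 1 1" with the right password and "fail 1 1" with a wrong one, stack_required as "fail 1 1" in both cases, and stack_unix_first as "success 1 0" and "fail 2 1". With pam_unix.so required, the required pam_deny.so at the bottom is always reached and its failure is remembered, so nobody can log in however the password check went; with sufficient, a correct password ends the stack before pam_deny.so while a wrong one still falls through to it, so the change does not weaken the check. Putting pam_unix.so first gives a single prompt but leaves pam_mount.so without a stashed password, which is why it has to ask again in the session stage.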
schachti Advocate
Joined: 28 Jul 2003 Posts: 3765 Location: Gifhorn, Germany
Posted: Mon Sep 03, 2007 4:12 pm Post subject: Re: Automatically mount dm-crypt encrypted home with pam_mou |
tuxophil wrote: | Code: | echo $KEY | openssl aes-256-ecb > /home/frodo.key |
|
How can I decrypt this key? I have an fsck error when pam_mount tries to open my encrypted home, so I have to do fsck by hand (and to do so, I have to use cryptsetup with the decrypted key).
EDIT: Solution:
Code: |
openssl aes-256-ecb -d -in /home/frodo.key | cryptsetup create frodo /dev/loop1
|
It's not part of the openssl man page, otherwise I would not have asked. _________________ Never argue with an idiot. He brings you down to his level, then beats you with experience.
How-To: Storing data encrypted on DVD. |
pillgrim n00b
Joined: 23 Sep 2007 Posts: 1
Posted: Sun Sep 23, 2007 1:48 pm Post subject: Re: Automatically mount dm-crypt encrypted home with pam_mou |
I've spent several hours trying to get this working on my box with pam_mount = 0.19, so here is a howto for those who still experience problems running pam_mount >= 0.19 with XML config files and LUKS:
1. generate a key as mentioned in this topic
Code: | KEY=$(tr -cd '[:graph:]' < /dev/urandom | head -c 79)   # quote the class so the shell cannot glob-expand it |
2. save the key. When prompted for a password, use your login password
Code: | echo "$KEY" | openssl aes-256-ecb > /home/ag.key   # quoted: the key may contain glob characters such as * or ? |
3. prepare file from /dev/zero (it is much faster than /dev/urandom)
Code: |
dd if=/dev/zero of=/home/ag.img bs=1M count=10240 |
4. attach file to a loopback device
Code: | losetup /dev/loop0 /home/ag.img |
5. format it for LUKS
Code: | openssl aes-256-ecb -d -in /home/ag.key | cryptsetup -v -c aes -s 256 luksFormat /dev/loop0 |
6. open it
Code: | openssl aes-256-ecb -d -in /home/ag.key | cryptsetup luksOpen /dev/loop0 ag |
7. make filesystem of your choice
Code: | mkreiserfs /dev/mapper/ag |
8. close it
Code: | cryptsetup luksClose ag |
9. remove loopback
Code: | losetup -d /dev/loop0 |
10. emerge pam_mount for it
11. setup /etc/pam.d/system-auth, mine looks like this
Code: |
auth required pam_env.so
# this is important
auth optional pam_mount.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok use_first_pass
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
# this is important too
session optional pam_mount.so
|
12. put the following lines into /etc/security/pam_mount.conf.xml
Code: |
<volume path="/home/ag.img"
mountpoint="/home/ag2"
fstype="crypt"
options="loop"
fskeypath="/home/ag.key"
fskeycipher="aes-256-ecb" />
|
Everything worked for me |
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1771 Location: PB, Germany
Posted: Sun Nov 18, 2007 8:20 pm Post subject: |
After following the PAM upgrade-0.99 guide I was able to get PAM working with the new pam_mount-0.29.
Now some question about 0.29:
- The ebuild brings /sbin/umount.crypt and there I'd like to add some modifications like "$FUSER" -km "$1". But that script is just never called. /etc/security/pam_mount.conf.xml doesn't give a hint to an unmount script for crypted devices.
- How can I get pam_mount working with sshd? With this PAM configuration login and su work with pam_mount while ssh login doesn't:
/etc/pam.d/system-auth: |
auth required pam_env.so
auth optional pam_mount.so
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so use_first_pass
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
session optional pam_mount.so |
/etc/pam.d/sshd: |
auth required pam_shells.so
auth required pam_nologin.so
auth include system-auth
account include system-auth
password include system-auth
session include system-auth |
ssh would be useful since I use unison to synchronize home directories. unison connects via ssh, and home is only mounted after user login (using pam_mount and LUKS). It would be nice if ssh login did that too.
_________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770
Last edited by Massimo B. on Fri Feb 15, 2008 6:42 pm; edited 1 time in total |
swingman Tux's lil' helper
Joined: 19 Mar 2003 Posts: 88 Location: Sweden
Posted: Sun Jan 06, 2008 8:30 am Post subject: |
After much hassle, I sort of got this to work. It mounts nicely, and unmounts, but doesn't clean up everything.
Before login:
Quote: |
bf@hallucinator ~ $ ls /dev/mapper/
control crypt-swap crypt-tmp
bf@hallucinator ~ $ sudo /sbin/losetup -a
bf@hallucinator ~ $
|
After login:
Quote: |
bf@hallucinator ~ $ ls /dev/mapper/
_dev_sda7 control crypt-swap crypt-tmp temporary-cryptsetup-28660
bf@hallucinator ~ $ sudo /sbin/losetup -a
/dev/loop/0: [000c]:2041 (/dev/sda7)
bf@hallucinator ~ $
|
After logout, I get:
Quote: |
bf@hallucinator ~ $ ls /dev/mapper/
control crypt-swap crypt-tmp temporary-cryptsetup-28660
bf@hallucinator ~ $ sudo /sbin/losetup -a
/dev/loop/0: [000c]:2041 (/dev/sda7)
bf@hallucinator ~ $
|
/dev/mapper-cryptsetup-$$ uses /dev/loop/0 for /dev/sda7, just like /dev/mapper/_dev_sda7 does.
Since temporary-cryptsetup-$$ leaks it is impossible to remove /dev/loop/0.
I guess temporary-cryptsetup-$$ should've gone already in the login step.
How to find out what's wrong, and how to fix it?
_
/Bjorn |
swingman Tux's lil' helper
Joined: 19 Mar 2003 Posts: 88 Location: Sweden
Posted: Sun Jan 06, 2008 9:03 am Post subject: |
More info from syslog with debug enabled in pam_mount.
Quote: |
Jan 6 09:53:14 hallucinator login[29502]: pam_tally(login:auth): unknown option: no_magic_root
Jan 6 09:53:14 hallucinator login[29502]: pam_mount(pam_mount.c:202) enter read_password
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(pam_mount.c:311) saving authtok for session code
Jan 6 09:53:16 hallucinator login[29502]: pam_tally(login:account): option deny=0 allowed in auth phase only
Jan 6 09:53:16 hallucinator login[29502]: pam_tally(login:account): unknown option: no_magic_root
Jan 6 09:53:16 hallucinator login[29502]: pam_tally(login:setcred): unknown option: no_magic_root
Jan 6 09:53:16 hallucinator login[29502]: pam_unix(login:session): session opened for user dd by LOGIN(uid=0)
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(pam_mount.c:460) Entered pam_mount sessionstage
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(pam_mount.c:481) back from global readconfig
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(pam_mount.c:483) per-user configurations not allowed by pam_mount.conf.xml
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(misc.c:56) Session open: (uid=0, euid=0, gid=1011, egid=1011)
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(rdconf2.c:209) checking sanity of volume record (/dev/sda7)
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(pam_mount.c:535) about to perform mount operations
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:409) information for mount:
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:410) ----------------------
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:411) (defined by globalconf)
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:412) user: dd
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:413) server:
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:414) volume: /dev/sda7
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:415) mountpoint: /local_home
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:416) options: loop,
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:417) fs_key_cipher:
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:418) fs_key_path:
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:419) use_fstab: 0
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:420) ----------------------
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:182) realpath of volume "/local_home" is "/local_home"
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:186) checking to see if /dev/mapper/_dev_sda7 is already mounted at /local_home
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:873) checking for encrypted filesystem key configuration
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(mount.c:899) about to start building mount command
Jan 6 09:53:16 hallucinator login[29502]: pam_mount(misc.c:285) command: mount [-t] [crypt] [-o loop,] [/dev/sda7] [/local_home]
Jan 6 09:53:16 hallucinator login[29982]: pam_mount(misc.c:56) set_myuid<pre>: (uid=0, euid=0, gid=1011, egid=1011)
Jan 6 09:53:16 hallucinator login[29982]: pam_mount(misc.c:56) set_myuid<post>: (uid=0, euid=0, gid=1011, egid=1011)
Jan 6 09:53:16 hallucinator device-mapper: ioctl: unable to remove open device temporary-cryptsetup-29996
Jan 6 09:53:17 hallucinator login[29502]: pam_mount(mount.c:104) mount errors:
Jan 6 09:53:17 hallucinator login[29502]: pam_mount(mount.c:107) Failed to setup dm-crypt key mapping.
Jan 6 09:53:17 hallucinator login[29502]: pam_mount(mount.c:107) Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/loop0 contains at least 261 sectors.
Jan 6 09:53:17 hallucinator login[29502]: pam_mount(mount.c:107) Failed to read from key storage
Jan 6 09:53:17 hallucinator device-mapper: ioctl: unable to remove open device temporary-cryptsetup-29996
Jan 6 09:53:17 hallucinator login[29502]: pam_mount(mount.c:107) Command successful.
Jan 6 09:53:17 hallucinator ReiserFS: dm-3: found reiserfs format "3.6" with standard journal
Jan 6 09:53:17 hallucinator ReiserFS: dm-3: using ordered data mode
Jan 6 09:53:17 hallucinator ReiserFS: dm-3: journal params: device dm-3, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
Jan 6 09:53:17 hallucinator ReiserFS: dm-3: checking transaction log (dm-3)
Jan 6 09:53:17 hallucinator ReiserFS: dm-3: Using r5 hash to sort names
Jan 6 09:53:17 hallucinator login[29502]: pam_mount(mount.c:933) waiting for mount
Jan 6 09:53:17 hallucinator login[29502]: pam_mount(pam_mount.c:134) clean system authtok (0)
Jan 6 09:53:17 hallucinator login[29502]: pam_mount(misc.c:285) command: pmvarrun [-u] [dd] [-o] [1]
Jan 6 09:53:17 hallucinator login[30021]: pam_mount(misc.c:56) set_myuid<pre>: (uid=0, euid=0, gid=1011, egid=1011)
Jan 6 09:53:17 hallucinator login[30021]: pam_mount(misc.c:56) set_myuid<post>: (uid=0, euid=0, gid=1011, egid=1011)
Jan 6 09:53:17 hallucinator login[29502]: pam_mount(pam_mount.c:425) pmvarrun says login count is 1
Jan 6 09:53:17 hallucinator login[29502]: pam_mount(pam_mount.c:548) done opening session (ret=0)
|
What gives?
_
/Bjorn |
swingman Tux's lil' helper
Joined: 19 Mar 2003 Posts: 88 Location: Sweden
Posted: Wed Jan 09, 2008 7:39 pm Post subject: |
Solved it. Had an old cryptsetup, with a documented race vis-a-vis HAL, and on top of that I really shouldn't have had option="loop" in pam_mount.conf.xml.
Now it's just the matter of PAM lowering priv from root too early when leaving from "su", which makes it impossible to unmount. Grr.
_
/Bjorn |
grimm26 Guru
Joined: 23 May 2004 Posts: 313 Location: Chicagoland, IL
Posted: Mon Feb 11, 2008 4:04 am Post subject: |
For some reason this does not work for me. I have followed the steps. I have sys-auth/pam_mount-0.32 and sys-fs/cryptsetup-1.0.5-r1 and the right stuff for dmcrypt in the kernel. I can do everything fine manually, but I cannot get pam_mount to mount a homedir for a test user that I set up.
from /etc/security/pam_mount.conf.xml
Code: |
<volume path="/home/protected"
mountpoint="/home/mktest"
fstype="crypt"
options="loop,cipher=aes"
fskeypath="/home/protected.key"
fskeycipher="aes-256-ecb" />
|
/home/protected is my encrypted loop file and I want it to mount into /home/mktest. I can login with mktest and I see this in messages:
Code: | b 10 21:34:15 qa4437-11 login[14432]: pam_mount(pam_mount.c:202) enter read_password
Feb 10 21:34:19 qa4437-11 login[14432]: pam_mount(pam_mount.c:311) saving authtok for session code
Feb 10 21:34:20 qa4437-11 login[14432]: pam_unix(login:session): session opened for user mktest by (uid=0)
| but the loop is not created or mounted. and then when I logout.
Code: |
Feb 10 21:38:06 qa4437-11 login[14432]: pam_unix(login:session): session closed for user mktest
Feb 10 21:38:06 qa4437-11 login[14432]: pam_mount(pam_mount.c:134) clean system authtok (0)
|
Any ideas? _________________ "Blessed is he who finds happiness in his own foolishness, for he will always be happy". |
schachti Advocate
Joined: 28 Jul 2003 Posts: 3765 Location: Gifhorn, Germany
Posted: Mon Feb 11, 2008 7:19 am Post subject: |
Try to set
Code: |
<debug enable="1" />
|
in your config file to get more detailed output. _________________ Never argue with an idiot. He brings you down to his level, then beats you with experience.
How-To: Storing data encrypted on DVD. |
grimm26 Guru
Joined: 23 May 2004 Posts: 313 Location: Chicagoland, IL
Posted: Mon Feb 11, 2008 2:49 pm Post subject: |
I did. That's how I got the messages that I did post. I didn't see anything else from pam_mount, though. _________________ "Blessed is he who finds happiness in his own foolishness, for he will always be happy". |
Massimo B. Veteran
Joined: 09 Feb 2005 Posts: 1771 Location: PB, Germany
Posted: Fri Feb 15, 2008 8:07 pm Post subject: pam_mount with ssh |
Massimo B. wrote: | - ...login and su work with pam_mount while ssh login doesn't...
|
According to Guschtel on the channel, this should fix it:
/etc/pam.d/system-auth: |
#%PAM-1.0
auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
# added
auth sufficient pam_mount.so use_first_pass
# end added
auth required pam_deny.so
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
password required pam_deny.so
session required pam_limits.so
session required pam_unix.so
# added
session optional pam_mount.so
# end added |
/etc/ssh/sshd_config: |
UsePAM yes
## Changed 2008-02-15
## IMPORTANT for PAM_MOUNT
PasswordAuthentication yes
ChallengeResponseAuthentication no
--
#UsePrivilegeSeparation yes
## Changed 2008-02-15
## IMPORTANT for PAM_MOUNT
UsePrivilegeSeparation no
#PermitUserEnvironment no |
_________________ HP ZBook Power 15.6" G8 i7-11800H|HP EliteDesk 800G1 i7-4790|HP Compaq Pro 6300 i7-3770 |
Guschtel n00b
Joined: 29 Dec 2005 Posts: 5
Posted: Fri Feb 15, 2008 8:26 pm Post subject: |
When only setting "PrivilegeSeparation no" one gets this error:
Code: | pam_mount(pam_mount.c:460) Entered pam_mount session stage
pam_mount(pam_mount.c:481) back from global readconfig
pam_mount(pam_mount.c:483) per-user configurations not allowed by pam_mount.conf.xml
pam_mount(pam_mount.c:512) error trying to retrieve authtok from auth code
pam_mount(pam_mount.c:202) enter read_password
pam_mount(pam_mount.c:170) conv->conv(...): Conversation error
pam_mount(pam_mount.c:515) error trying to read password
pam_mount(pam_mount.c:548) done opening session (ret=7) |
This is solved by the two other Config directives, see also pam_mount FAQ:
Code: | bzcat /usr/share/doc/pam_mount-0.32/faq.txt.bz2 | grep -2 PasswordAuthentication
Since you have OpenSSH 3.9p1, you can set
"ChallengeResponseAuthentication no" and
"PasswordAuthentication yes" in sshd_config and it ought to
work (with or without privsep). |
Setting "UsePrivilegeSeparation yes" disables pam_mount for me. |
PssD n00b
Joined: 19 Jan 2006 Posts: 13
Posted: Sun Mar 09, 2008 3:25 pm Post subject: passwdehd |
Hello,
maybe it's trivial, but changing my password took me quite some time.
Somehow my /usr/bin/passwdehd doesn't like /etc/security/pam_mount.conf.xml.
Changing pam_mount.conf in the script to pam_mount.conf.xml didn't help (is there a new version of passwdehd available?).
Quote: | "If a user changes his login password, regenerate the efsk that was created in step 1b." |
(pam_mount.conf.xml)
so:
Quote: |
openssl enc -d -aes-256-ecb -in /home/key.key -out /secure/key.txt
[old password]
mv /home/key.key /home/old.key
openssl enc -e -aes-256-ecb -in /secure/key.txt -out /home/key.key
[new passwd]
|
did it.
Thanks for this nice howto (will change my password more often from now on). |
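Pulling together pillgrim's steps 1 and 2, schachti's decrypt-by-hand and PssD's password-change recipe above, here is an added example of my own (not code from this thread or from pam_mount) of the whole key-file lifecycle as POSIX sh functions around openssl enc: generate, wrap under the login password, unwrap for a manual luksOpen or fsck, verify, and rewrap on a password change without ever writing the plaintext key to disk. The file names, the demo passwords and the 'pass:' password source are assumptions for illustration. The -md md5 flag is there because OpenSSL 1.1.0 changed the default key-derivation digest of enc from md5 to sha256; a key wrapped with a newer openssl's default therefore needs a matching fskeyhash in pam_mount.conf.xml (check pam_mount.conf(5) for your version) or the md5 pin used here.

```sh
#!/bin/sh
# Added example (not from this thread, not pam_mount code): the lifecycle of a
# pam_mount key file that is wrapped with the login password, as in pillgrim's
# steps 1-2, schachti's decrypt-by-hand and PssD's password change above.
# Assumptions: file names, passwords and the 'pass:' source are illustrative;
# 'pass:' exposes the password in the process list, so prefer -pass fd:N or a
# prompt on a real system.
#
# Usage: sh key-lifecycle.sh demo
#    or: . ./key-lifecycle.sh; unwrap_key "$pw" /home/ag.key | cryptsetup luksOpen /dev/loop0 ag
set -eu

KEYLEN=79
CIPHER=aes-256-ecb

# 1. A random printable key. Quote the class so the shell cannot glob-expand
#    it; [:graph:] has no whitespace, so the key survives $(...) and pipes.
gen_key() {
    tr -cd '[:graph:]' < /dev/urandom | head -c "$KEYLEN"
}

# 2. Wrap: encrypt the key (stdin) under the login password.
#    -md md5 pins the legacy EVP_BytesToKey digest: OpenSSL 1.1.0 changed the
#    default for enc from md5 to sha256, and pam_mount's fskeyhash attribute
#    has to agree with what was used here (md5 unless set otherwise; check
#    pam_mount.conf(5)). A mismatch shows up as a decrypt/pad error at login.
wrap_key() {       # wrap_key <password> <outfile>   (key on stdin)
    (umask 077; openssl enc -"$CIPHER" -md md5 -pass "pass:$1" -out "$2")
}

# Unwrap: what pam_mount does at login and what a manual luksOpen/fsck needs.
# The key goes to stdout; pipe it, do not write it to disk.
unwrap_key() {     # unwrap_key <password> <keyfile>
    openssl enc -d -"$CIPHER" -md md5 -pass "pass:$1" -in "$2"
}

# A wrong password normally makes openssl fail with "bad decrypt", but ECB with
# a random last block passes the padding check about once in 256 tries. Keys
# from gen_key (or from 'echo $KEY | openssl', which adds a newline) are all
# printable, so anything else is garbage from a wrong password.
looks_like_key() { # looks_like_key <plaintext>
    nl='
'
    k=${1%"$nl"}
    [ -n "$k" ] || return 1
    case "$k" in *[![:graph:]]*) return 1 ;; esac
    return 0
}

# Verify that a password unwraps a key file to a known key (0 = ok).
check_key() {      # check_key <password> <keyfile> <expected-key>
    got=$(unwrap_key "$1" "$2" 2>/dev/null || true)
    [ "$got" = "$3" ]
}

# 3. Password change: the volume key stays the same, only its wrapper changes.
#    Unwrap with the old password, rewrap with the new one, swap atomically.
#    The .old copy is still unlockable with the OLD password: remove it once
#    the new one is verified.
rewrap_key() {     # rewrap_key <old-password> <new-password> <keyfile>
    key=$(unwrap_key "$1" "$3" && printf x) || {
        echo "rewrap_key: cannot decrypt $3 with the old password" >&2; return 1; }
    key=${key%x}                  # the sentinel kept the key's exact bytes
    looks_like_key "$key" || {
        echo "rewrap_key: decrypted data is not a key, wrong password?" >&2; return 1; }
    tmp="$3.tmp.$$"
    printf '%s' "$key" | wrap_key "$2" "$tmp"
    cp -p "$3" "$3.old"
    mv "$tmp" "$3"
}

# Demo: create, wrap, verify and rotate a key in a temporary directory.
demo() {
    d=$(mktemp -d)
    key=$(gen_key)
    printf '%s' "$key" | wrap_key 'login-password' "$d/user.key"
    check_key 'login-password' "$d/user.key" "$key" && echo "wrap: ok"
    rewrap_key 'login-password' 'new-login-password' "$d/user.key"
    check_key 'new-login-password' "$d/user.key" "$key" && echo "rotate: ok"
    ! rewrap_key 'wrong-password' 'x' "$d/user.key" && echo "wrong old password: rejected"
    rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

rewrap_key refuses to touch the key file unless the old password yields something that looks like a key, so a typo in the old password cannot replace a working wrapper with garbage; the .old copy it leaves behind is the rollback path and should be deleted as soon as a login with the new password has mounted the volume.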
driden91 Apprentice
Joined: 26 Jul 2004 Posts: 232 Location: paris
Posted: Sat May 16, 2009 1:48 pm Post subject: |
Hello,
after an upgrade pam_mount doesn't work:
Code: | Password:
pam_mount(mount.c:67): Command failed: device-mapper: reload ioctl failed: Invalid argument
pam_mount(pam_mount.c:537): mount of /dev/sda7 failed |
with debug enabled:
Code: | pam_mount(pam_mount.c:458): pam_mount 1.24: entering session stage
reenter password for pam_mount:
pam_mount(misc.c:38): Session open: (uid=0, euid=0, gid=1008, egid=1008)
pam_mount(mount.c:172): Mount info: globalconf, user=driden91 <volume fstype="crypt" server="(null)" path="/dev/sda7" mountpoint="/home/driden91" cipher="aes-256-ecb" fskeypath="/home/driden91.key" fskeycipher="aes-256-ecb" fskeyhash="(null)" options="cipher=aes" /> fstab=0
command: [mount] [-t] [crypt] [-o cipher=aes] [/dev/sda7] [/home/driden91]
pam_mount(misc.c:38): set_myuid<pre>: (uid=0, euid=0, gid=1008, egid=1008)
pam_mount(misc.c:38): set_myuid<post>: (uid=0, euid=0, gid=1008, egid=1008)
Password:
pam_mount(mount.c:64): mount messages:
pam_mount(mount.c:67): Command failed: device-mapper: reload ioctl failed: Invalid argument
Filesystem Type 1K-blocks Used Available Use% Mounted on
rootfs rootfs 1036124 868324 167800 84% /
/dev/root reiserfs 1036124 868324 167800 84% /
proc proc 0 0 0 - /proc
rc-svcdir tmpfs 1024 68 956 7% /lib64/rc/init.d
sysfs sysfs 0 0 0 - /sys
udev tmpfs 10240 120 10120 2% /dev
devpts devpts 0 0 0 - /dev/pts
shm tmpfs 1029408 0 1029408 0% /dev/shm
/dev/sda5 reiserfs 8393656 8206584 187072 98% /usr
/dev/sda6 reiserfs 2104376 213788 1890588 11% /var
usbfs usbfs 0 0 0 - /proc/bus/usb
pam_mount(pam_mount.c:537): mount of /dev/sda7 failed
command: [pmvarrun] [-u] [driden91] [-o] [1]
pam_mount(misc.c:38): set_myuid<pre>: (uid=0, euid=0, gid=1008, egid=1008)
pam_mount(misc.c:38): set_myuid<post>: (uid=0, euid=0, gid=1008, egid=1008)
pmvarrun(pmvarrun.c:248): parsed count value 0
pam_mount(pam_mount.c:418): pmvarrun says login count is 1
pam_mount(pam_mount.c:548): done opening session (ret=0) |
What is the problem?
Regards _________________ The angel of darkness saw the light deep within human nature....
mattst88 Developer
Joined: 28 Oct 2004 Posts: 422
Posted: Mon Jan 18, 2010 4:02 am Post subject: |
I just got this error.
Code: | bad pad on end of encrypted file |
And I fortunately just figured it out. I was encrypting my keyfile with aes-256-cbc; encrypting it with aes-256-ecb allows it to work properly. I googled and saw this error in a couple places with no solution, so I thought I'd be nice to post the solution somewhere. _________________ My Wiki page |
Havin_it Veteran
Joined: 17 Jul 2005 Posts: 1247 Location: Edinburgh, UK
Posted: Mon Apr 26, 2010 3:54 pm Post subject: |
Apologies if someone has already mentioned this, but although it's no longer supported, a simple-ish hack can enable TrueCrypt to be used with this too. Here's my /etc/security/pam_mount.conf.xml, with "mememe" as the user:
Code: | <?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
See pam_mount.conf(5) for a description.
-->
<pam_mount>
<!-- debug should come before everything else,
since this file is still processed in a single pass
from top-to-bottom -->
<debug enable="0" />
<!-- Volume definitions -->
<cryptmount>tc-nl --text --protect-hidden=no --keyfiles="" %(VOLUME) %(MNTPT)</cryptmount>
<cryptumount>truecrypt --text -d</cryptumount>
<!-- pam_mount parameters: General tunables -->
<!--
<luserconf name=".pam_mount.conf.xml" />
-->
<!-- Note that commenting out mntoptions will give you the defaults.
You will need to explicitly initialize it with the empty string
to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />
<path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
<logout wait="0" hup="0" term="0" kill="0" />
<!-- pam_mount parameters: Volume-related -->
<mkmountpoint enable="0" remove="false" />
<volume user="mememe" fstype="crypt" path="/path/to/truecrypt-image" mountpoint="/home/%(USER)" />
</pam_mount> |
You can change the truecrypt options as desired in the <cryptmount> element. You also need to create the script here called "tc-nl" somewhere in your path - this is because of something truecrypt does with newlines that pam_mount doesn't like (this is not my work, and I lost the source :shrug: )
The tc-nl script is very simple:
Code: |
#!/bin/sh
# Helper for truecrypt via pam_mount: pass stdin through and add the
# newline after it, then hand all arguments over unchanged ("$@" keeps
# each argument intact where $* would re-split them).
(cat; echo) | truecrypt "$@" |
dm-crypt is better to use in many ways, but I have a dual-boot setup and while Windows tools do exist for dm-crypt/luks mounting, they are nowhere near as robust as TrueCrypt. Hope this helps someone. |