pam_mount(8)                System Manager's Manual               pam_mount(8)

NAME

       pam_mount - A PAM module that can mount volumes for a user session


OVERVIEW

       This module is aimed at environments with SMB (Samba or Windows NT) or
       NCP (Netware or Mars-NWE) servers that Unix users wish to access
       transparently, and it makes reaching a user's private volumes of these
       types easy. The module also supports mounting home directories kept on
       loopback encrypted filesystems. The module was originally written for
       use on the GNU/Linux operating system but has since been modified to
       work on several flavors of BSD.

       ·   Every user can access his own volumes

       ·   The user needs to type the password just once (at login)

       ·   The mounting process is transparent to the users

       ·   There is no need to keep the login passwords in any additional file

       ·   The volumes are unmounted upon logout. This saves system resources
           and avoids the need to list every possibly useful remote volume in
           /etc/fstab or in an automount/supermount config file. It is also
           necessary for securing encrypted filesystems: while such a volume
           stays mounted, its decrypted contents remain exposed after the
           user has left.

       pam_mount "understands" SMB, NCP, and any type of filesystem that can
       be mounted using the standard mount command. If someone has a
       particular need for a different filesystem, feel free to ask me to
       include it and send me patches.

       If you intend to use pam_mount to protect volumes on your computer
       using an encrypted filesystem, please know that there are many other
       issues you need to consider in order to protect your data. For
       example, you probably want to disable or encrypt your swap partition
       (cryptoswap can help you do this), since data and keys from a
       decrypted volume held in process memory can otherwise be swapped out
       in the clear. Do not assume a system is secure without carefully
       considering potential threats.


NASTY DETAILS

       The primary configuration file for the pam_mount module is
       pam_mount.conf. On most platforms this file is read from
       /etc/security/pam_mount.conf. On OpenBSD pam_mount reads its
       configuration file from /etc/pam_mount.conf. pam_mount.conf contains
       many comments documenting its use.

       In addition, you must add two entries (one auth and one session line)
       to the system's applicable /etc/pam.d/SERVICE config files, as the
       following example shows; the added lines are marked with +++:

                  auth     required  pam_securetty.so
                  auth     required  pam_pwdb.so shadow nullok
                  auth     required  pam_nologin.so
              +++ auth     optional  pam_mount.so use_first_pass
                  account  required  pam_pwdb.so
                  password required  pam_cracklib.so
                  password required  pam_pwdb.so shadow nullok use_authtok
                  session  required  pam_pwdb.so
                  session  optional  pam_console.so
              +++ session  optional  pam_mount.so

       The auth entry lets pam_mount capture the login password
       (use_first_pass makes it reuse the one pam_pwdb already collected, so
       the user is not prompted twice); the session entry performs the mount
       at login and the unmount at logout.

       If you use pam_ldap, pam_winbind, or any other authentication service
       that makes use of PAM's sufficient keyword, then model your
       configuration on the following:

              account sufficient  pam_ldap.so
              auth    required    pam_mount.so
              auth    sufficient  pam_ldap.so use_first_pass
              auth    required    pam_unix.so use_first_pass
              session optional    pam_mount.so

       This allows the following:

       1.  pam_mount will prompt for a password and export it to the PAM
           stack as the authentication token.

       2.  pam_ldap will use the password from the PAM stack to try to
           authenticate the user. If this succeeds, the user is
           authenticated and, because pam_ldap is sufficient, the remaining
           auth modules are skipped. If it fails, pam_unix will try to
           authenticate.

       3.  pam_unix will try to authenticate the user if pam_ldap fails. If
           pam_unix fails too, then the authentication will be refused.

       pam_mount has to come before the sufficient module: a sufficient
       module that succeeds ends the auth stack immediately, so a pam_mount
       entry placed after pam_ldap would never run for users pam_ldap
       accepts, and the session phase would then have no password to mount
       with.

       If your volume has a different password than your system account, then
       encrypt the password to the volume you wish mounted using your system
       password as the key and store it somewhere on your system's local
       filesystem. pam_mount supports transparently decrypting this filesystem
       key, as long as the cipher used is supported by openssl. Given:

       sk     system key, the key or password used to log into the system

       fsk    filesystem key, the key that allows you to use the filesystem
              you wish pam_mount to mount for you

       E and D
              an openssl supported symmetric encryption/decryption algorithm

       efsk   encrypted filesystem key, efsk = E_sk (fsk), stored somewhere on
              the local filesystem (e.g. /home/user.key)

       pam_mount will read efsk from the local filesystem, perform fsk = D_sk
       (efsk) and use fsk to mount the filesystem. If you change your system
       password, simply regenerate efsk using efsk = E_sk (fsk). If you want
       to mount this volume by hand, use something like openssl enc -d
       -aes-256-ecb -in /home/user.key | mount -p0 /home/user. More
       information about this technique is included in pam_mount.conf.

       Note that efsk is only as strong as the system password it is
       encrypted under: anyone who can read the file and guess sk recovers
       fsk, so keep the file readable by its owner only.
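
       The efsk scheme above, worked through as an added example. This is
       not pam_mount's own tooling and not code from the man page: it wraps
       a filesystem key under the system password with "openssl enc", checks
       that a wrong password does not recover it, and re-wraps it after a
       password change, which is what "regenerate efsk" amounts to. The
       cipher name is the man page's; the passwords, the key and the
       /tmp location are constructed for the demonstration, and the -pbkdf2
       option assumes OpenSSL 1.1.1 or newer.

```sh
#!/bin/sh
# Added example; not pam_mount's own tooling. Wraps a filesystem key (fsk)
# under the system password (sk) with "openssl enc", the efsk scheme the
# man page describes, and re-wraps it after a password change. The
# passwords and the key below are constructed for the demonstration; the
# cipher name is the man page's. -pbkdf2 assumes OpenSSL 1.1.1 or newer.
set -eu

CIPHER=-aes-256-ecb

# wrap_key EFSK_OUT PASSVAR : efsk = E_sk(fsk); fsk on stdin, sk in $PASSVAR.
# The password is passed through the environment, never on the command
# line, and the output file is created mode 0600 since it guards the key.
wrap_key() {
    (umask 077; openssl enc "$CIPHER" -salt -pbkdf2 -pass "env:$2" -out "$1")
}

# unwrap_key EFSK PASSVAR : fsk = D_sk(efsk); prints fsk (pipe it to mount -p0)
unwrap_key() {
    openssl enc -d "$CIPHER" -pbkdf2 -pass "env:$2" -in "$1"
}

# rekey EFSK OLDVAR NEWVAR : after a system password change, regenerate
# efsk = E_sk'(fsk) without writing the plaintext fsk to disk.
rekey() {
    rk_fsk=$(unwrap_key "$1" "$2") || return 1
    printf '%s' "$rk_fsk" | wrap_key "$1.new" "$3" || return 1
    mv "$1.new" "$1"
}

# demo_roundtrip : exercises wrap, unwrap, wrong password and rekey;
# returns 0 only when every expectation holds.
demo_roundtrip() {
    tmp=$(mktemp -d)
    efsk="$tmp/user.key"                 # the man page uses /home/user.key
    fsk=$(openssl rand -hex 32)          # constructed 256-bit volume key
    OLD_SK='correct horse battery'; export OLD_SK
    NEW_SK='staple battery horse'; export NEW_SK
    WRONG_SK='hunter2';             export WRONG_SK

    printf '%s' "$fsk" | wrap_key "$efsk" OLD_SK
    [ "$(unwrap_key "$efsk" OLD_SK)" = "$fsk" ] || return 1
    [ "$(ls -l "$efsk" | cut -c1-10)" = "-rw-------" ] || return 1
    # a wrong system password must not recover the volume key
    [ "$(unwrap_key "$efsk" WRONG_SK 2>/dev/null || true)" != "$fsk" ] || return 1

    rekey "$efsk" OLD_SK NEW_SK || return 1
    [ "$(unwrap_key "$efsk" NEW_SK)" = "$fsk" ] || return 1
    [ "$(unwrap_key "$efsk" OLD_SK 2>/dev/null || true)" != "$fsk" ] || return 1

    rm -rf "$tmp"
}

demo_roundtrip && echo "efsk round-trip, wrong-password and rekey checks passed"
```

       Two things about the design are worth keeping in mind when adapting
       this. ECB, as in the man page's own command, reveals when two
       plaintext blocks are equal; for a single random key that leak is
       negligible, but use -aes-256-cbc (a drop-in change in both functions)
       rather than reuse this mode for anything structured. And the whole
       construction rests on the login password: openssl derives the wrapping
       key from sk, so a weak sk lets anyone who can read efsk recover fsk
       offline, which is why the file is created 0600.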
108
       A script named mkehd is provided with pam_mount to help create
       encrypted home directories. If you have an entry for a user using
       encrypted home directories in pam_mount.conf, mkehd will create the
       necessary filesystem images and possibly encrypted filesystem keys.

       Individual users may define additional volumes to mount in a per-user
       configuration file (usually ~/.pam_mount.conf) if pam_mount.conf
       allows it. The volume keyword is the only valid keyword in these
       per-user configuration files. If the luserconf parameter is set in
       pam_mount.conf, enabling user-defined volumes, then users may mount
       and unmount any volume they own at any mount point they own. On some
       filesystem configurations this may be a security flaw, so user-defined
       volumes are not allowed by the example pam_mount.conf distributed with
       pam_mount.

       In general, you will leave the general parameters at the top of the
       file as provided by default. You only have to provide the user/volume
       list at the end of the file, following the examples.

       To ensure that your system and, possibly, the remote server are all
       properly configured, you should try to mount all or some of the
       volumes by hand, using the same commands and mount points provided in
       pam_mount.conf. This will save you a lot of grief, since it is more
       difficult to debug the mounting process via pam_mount.

       If you can mount the volumes by hand but it is not happening via
       pam_mount, you may want to enable the "debug" option in pam_mount.conf
       to see what is happening.

       Verify that the user owns the mount point and has sufficient
       permissions on it. pam_mount checks this and will refuse to mount the
       remote volume if the user does not own that directory.

       If pam_mount is having trouble unmounting volumes upon logging out,
       enable the debug variable and check the lsof variable in
       pam_mount.conf. This causes pam_mount to run lsof upon logging out and
       write its output, the processes still holding files open on the
       volume, to the system's logs; an unmount cannot succeed while such
       processes remain.
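
       The two troubleshooting checks above (that the user owns the mount
       point, and finding what still holds a volume open at logout) as an
       added example. This is not part of pam_mount: check_mountpoint
       repeats the ownership test pam_mount applies before mounting, and
       holders finds busy processes by reading /proc directly, which serves
       as a fallback on hosts where lsof (what pam_mount's lsof option runs)
       is not installed. It assumes a Linux /proc layout; the preflight
       wrapper and its argument order are this example's own.

```sh
#!/bin/sh
# Added example, not part of pam_mount: pre-flight checks for a volume.
# check_mountpoint mirrors pam_mount's ownership test (the user must own
# the mount point); holders lists processes that would keep the volume
# busy at logout, reading /proc directly so it works without lsof. A
# Linux /proc layout is assumed.
set -u

# check_mountpoint USER DIR : 0 if DIR is a directory owned by USER
check_mountpoint() {
    want=$(id -u "$1") || return 1
    [ -d "$2" ] || { echo "$2: not a directory" >&2; return 1; }
    have=$(ls -lnd "$2" | awk '{print $3}')     # numeric uid, portable
    [ "$have" = "$want" ] || { echo "$2: owned by uid $have, not $1" >&2; return 1; }
}

# holders DIR : print PIDs whose cwd, root or any open fd lies under DIR.
# Unreadable /proc entries (other users' processes) are skipped silently.
holders() {
    dir=$(cd "$1" && pwd -P) || return 1
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        for link in "$p/cwd" "$p/root" "$p"/fd/*; do
            target=$(readlink "$link" 2>/dev/null) || continue
            case "$target" in
                "$dir"|"$dir"/*) echo "$pid"; break ;;
            esac
        done
    done | sort -un
}

# preflight USER DIR : what to run before enabling a volume in
# pam_mount.conf, or when an unmount at logout keeps failing.
preflight() {
    check_mountpoint "$1" "$2" || return 1
    busy=$(holders "$2")
    if [ -n "$busy" ]; then
        echo "$2 is held open by pid(s): $busy" >&2
        return 2
    fi
}

# Usage (constructed): ./preflight.sh USER MOUNTPOINT
if [ $# -eq 2 ]; then
    preflight "$1" "$2" && echo "$2 is owned by $1 and not busy"
fi
```

       A non-empty holders list is exactly the condition under which the
       logout unmount fails; the usual culprits are a shell left in the
       directory or a daemon started from the session with its cwd there.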
145

AUTHORS

       W. Michael Petullo <mike@flyn.org>

       Jan Engelhardt <jengelh [at] gmx de> (current maintainer)



                                                                  pam_mount(8)