Hi all,

I am a bit confused about the usage of pam_mount.

Here is my /etc/pam.d/system-auth:

auth        required      pam_env.so
auth        required      pam_mount.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_mount.so

If pam_mount.so is listed in the session definition I will be asked for the password a second time during SSH login:

At this stage the share is already mounted.

I can just remove the:

session     optional      pam_mount.so

from system-auth, which seems to work fine. Even the share is unmounted successfully on logout.

So my question is: what is the session entry used for within pam_mount (as the usage is suggested in the man page and in the docs)?

Best Regards
Marcus

Marcus Moeller wrote:
> Hi all,
>
> I am a bit confused about the usage of pam_mount.
>
> Here is my /etc/pam.d/system-auth:
>
> auth        required      pam_env.so
> auth        required      pam_mount.so
>

add use_first_pass to this??

> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_krb5.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_krb5.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_mkhomedir.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_krb5.so
> session     optional      pam_mount.so
>
> If pam_mount.so is listed in the session definition I will be asked
> for the password a second time during SSH login:
>
> At this stage the share is already mounted.
>
> I can just remove the:
>
> session     optional      pam_mount.so
>
> from system-auth, which seems to work fine. Even the share is unmounted
> successfully on logout.
>
> So my question is: what is the session entry used for within pam_mount
> (as the usage is suggested in the man page and in the docs)?
>
> Best Regards
> Marcus

Hi.

>> I am a bit confused about the usage of pam_mount.
>>
>> Here is my /etc/pam.d/system-auth:
>>
>> auth        required      pam_env.so
>> auth        required      pam_mount.so
>>
>
> add use_first_pass to this??

In auth stage the pam_mount requests its passwd from stdin and passes it to the other modules.

>> If pam_mount.so is listed in the session definition I will be asked
>> for the password a second time during SSH login:

As noted, the second password request is called in session stage which does not accept pass options (and should not even ask for a password afaik).

>> So my question is: what is the session entry used for within pam_mount
>> (as the usage is suggested in the man page and in the docs)?

Best Regards
Marcus
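
An added example, not part of the thread: a small Python parser for the auth and session groups of the system-auth file posted above. It reports where pam_mount.so sits in each group's stack and whether the entry carries use_first_pass or try_first_pass, the option the reply asks about. The function names parse_pam and module_report are hypothetical, and the handling of bracketed controls such as [success=1 default=ignore] covers only the single-line form used in this file.

```python
import re

# The auth and session groups of the system-auth file from the first message.
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        required      pam_mount.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_mount.so
"""

# type, control (keyword or [value=action ...] list), module, optional arguments
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
REUSE_OPTS = {"use_first_pass", "try_first_pass"}

def parse_pam(text):
    """Return one dict per rule, skipping comments and blank lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        mtype, control, module, args = m.groups()
        rules.append({"type": mtype.lstrip("-"), "control": control, "module": module, "args": args.split()})
    return rules

def module_report(rules, module="pam_mount.so"):
    """For each entry of `module`: (type, position in that type's stack, reuse options set)."""
    position, report = {}, []
    for r in rules:
        position[r["type"]] = position.get(r["type"], 0) + 1
        if r["module"] == module:
            opts = sorted(REUSE_OPTS & set(r["args"]))
            report.append((r["type"], position[r["type"]], opts))
    return report

if __name__ == "__main__":
    print(module_report(parse_pam(SYSTEM_AUTH)))
```

For the posted file this shows pam_mount.so second in the auth stack and last in the session stack, in both places without a password-reuse option, while pam_unix.so and pam_krb5.so in the auth stack each carry one.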