LinuxQuestions.org
Old 05-14-2007, 09:14 AM   #1
whysyn
pam_mount problems in ssh on gentoo


I use encrypted home directories through dm-crypt / pam_mount. If I log in on a terminal or through KDM, all works well. I decided to start using remote access to this machine as well, so I added the following two lines to /etc/pam.d/sshd:
Code:
auth       optional     /lib/security/pam_mount.so use_first_pass
session    optional     /lib/security/pam_mount.so
When I ssh in now, the directory does not mount, and I see the following errors in syslog:
Code:
May 14 13:04:16 foohostname sshd[5374]: Accepted keyboard-interactive/pam for foouser from 123.45.67.89 port 1527 ssh2
May 14 13:04:16 foohostname sshd(pam_unix)[5380]: session opened for user foouser by (uid=0)
May 14 13:04:16 foohostname sshd[5380]: pam_mount(pam_mount.c:413) error trying to retrieve authtok from auth code
May 14 13:04:16 foohostname sshd[5380]: pam_mount(pam_mount.c:159) conv->conv(...): Conversation error
May 14 13:04:16 foohostname sshd[5380]: pam_mount(pam_mount.c:416) error trying to read password
Any hints?

Thanks!

Old 05-17-2007, 08:08 AM   #2
unSpawn
Is the placement of the lines in the PAM sshd stack right?
Doesn't it need first_pass on both lines?
Did you try adding a debug statement?
 
Old 05-17-2007, 11:47 AM   #3
whysyn
Original Poster
Here is my entire /etc/pam.d/sshd file, which, compared with the (working) examples in kdm and login, has the same lines added in the same order:
Code:
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     pam_shells.so
auth       required     pam_nologin.so
auth       optional     /lib/security/pam_mount.so use_first_pass
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    optional     /lib/security/pam_mount.so
Debug is enabled, only output I get is the five lines I pasted initially...

Thanks!
 
Old 05-20-2007, 05:02 AM   #4
unSpawn
The "can't get pass" thing could mean four things or a combination of those:
- placement of the pam_mount lines (and args) in the sshd PAM stack,
- OpenSSH's privsep (as in disabling PrivilegeSeparation: heed the warnings about that),
- OpenSSH not using PAM (enabling PAM in sshd_config),
- next to that you can't use SSH's pubkeyauth since the private key resides in encrypted ~/.ssh.
Suppose you'll have to test some combinations...
 
Old 12-06-2007, 11:25 AM   #5
kawhyte
I'm having a similar but different problem on RHEL 4.
I have pam_mount working by commenting out the following in /etc/ssh/sshd_config:

# Kerberos options
# KerberosAuthentication yes
# KerberosOrLocalPasswd yes
# KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
# GSSAPIAuthentication yes
# GSSAPICleanupCredentials yes
# GSSAPICleanupCredentials yes

If I add these lines back in my directory doesn't mount through pam_mount.
However, with them commented out, I get root ownership of my Kerberos ticket and can't read/update it with klist, which is needed as some file systems are only accessible via Kerberos tickets...

My GUI login and my console login work fine, have proper ownership of Kerberos tickets, and mount my directory.

Are you reading the /var/log/messages or /var/log/secure file?
I didn't see debug in your /etc/pam.d/sshd
However the pam_mount debug actually is set in: /etc/security/pam_mount.conf.xml
or similar location.

Best of luck.
When my server is back I'm going to see what I can find/do with pam_mount to correct my issue. I'd rather hack it than sshd ... :-)
 
Old 12-11-2007, 11:23 AM   #6
whysyn
Original Poster
I'm not using Kerberos at all as far as I know...

I managed to get this working properly on a Fedora 8 box. su -l, console, gdm, and ssh all properly mount/unmount my directories at this point. IIRC all of the pam_mount stuff moved to /etc/pam.d/system-auth and it is just included by everything else. One or two little changes in sshd_config and I was home free. I can post configs when I get home if you'd like.

I also managed to solve the problem of having to double-enter my password by switching the order of the pam_mount lines versus the other lines.

It was a total lucky hack, but everything seems happy. I'm not trying to become a pam expert, I have my hands full on other projects =)
 
Old 12-20-2007, 05:19 PM   #7
kawhyte
Files modified to make this work properly...

In /etc/pam.d/system-auth:

Quote:
session optional /lib/security/$ISA/pam_mount.so
session required /lib/security/$ISA/pam_limits.so
session sufficient /lib/security/$ISA/pam_unix.so
session sufficient /lib/security/$ISA/pam_krb5.so
In /etc/ssh/sshd_config:

Quote:
# Kerberos options
# KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
# GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
# GSSAPICleanupCredentials yes
In /etc/pam.d/sshd:

Quote:
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth optional pam_mount.so use_first_pass
auth required pam_nologin.so

account required pam_stack.so service=system-auth

password required pam_stack.so service=system-auth

session required pam_stack.so service=system-auth
session optional pam_mkhomedir.so silent
Similar mods to /etc/pam.d/gdm and /etc/pam.d/login as to /etc/pam.d/sshd.

Hope this might help someone.
I find PAM a little complex and mostly trial and error, but maybe with more experience will understand and be able to do it better.
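Putting the diagnostic list from post #4 and the configs in posts #3 and #7 into a script: the following is an added example, not code from the thread, from pam_mount, or from OpenSSH. It parses a pam.d stack and an sshd_config fragment and flags the conditions unSpawn lists: a pam_mount auth rule that precedes every password-collecting module (so there is no "first pass" to reuse), a missing use_first_pass, no pam_mount session rule, sshd not handing the password to PAM at all (UsePAM plus the password/keyboard-interactive methods), public-key logins that carry no password, and privilege separation switched off. PAM_SSHD_POSTED copies the stack from post #3; PAM_SSHD_BROKEN and SSHD_CONFIG_SAMPLE are constructed for the demonstration. The sshd defaults assumed are upstream OpenSSH's (UsePAM no, the authentication methods yes); KbdInteractiveAuthentication is checked alongside the older name ChallengeResponseAuthentication.

```python
"""Audit /etc/pam.d/sshd and sshd_config for the pam_mount pitfalls discussed in
this thread. Added example, not code from the thread, pam_mount or OpenSSH."""

# Copied from post #3 (the stack that produced the "Conversation error").
PAM_SSHD_POSTED = """\
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     pam_shells.so
auth       required     pam_nologin.so
auth       optional     /lib/security/pam_mount.so use_first_pass
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    optional     /lib/security/pam_mount.so
"""

# Constructed counter-example: pam_mount asks for the token before anything collected it.
PAM_SSHD_BROKEN = """\
#%PAM-1.0
auth       optional     pam_mount.so
auth       include      system-auth
session    include      system-auth
"""

# Constructed sshd_config fragment, not the poster's file.
SSHD_CONFIG_SAMPLE = """\
UsePAM no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
UsePrivilegeSeparation yes
"""


def parse_pam_stack(text):
    """Return [(type, control, module basename, [args])]; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        # "[success=1 default=ignore]" controls contain spaces; re-join them.
        if len(parts) > 1 and parts[1].startswith("["):
            end = next((i for i, p in enumerate(parts) if p.endswith("]")), None)
            if end is None:
                continue
            parts = [parts[0], " ".join(parts[1:end + 1])] + parts[end + 1:]
        if len(parts) < 3:  # blank, comment or malformed line
            continue
        ptype, control, module, *args = parts
        rules.append((ptype.lower(), control.lower(), module.rsplit("/", 1)[-1], args))
    return rules


def parse_sshd_config(text):
    """Keyword (lower-cased) -> value; like sshd, the first occurrence wins."""
    cfg = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split(None, 1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg


def password_reaches_pam(cfg):
    """sshd only hands a password to PAM when UsePAM is on and a password-bearing
    method is enabled. Assumed upstream defaults: UsePAM no, the methods yes."""
    if cfg.get("usepam", "no") != "yes":
        return False
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "yes"))
    return cfg.get("passwordauthentication", "yes") == "yes" or kbd == "yes"


def audit(pam_text, sshd_text):
    """Return [(level, message)]; an empty list means nothing obviously wrong."""
    rules, cfg, out = parse_pam_stack(pam_text), parse_sshd_config(sshd_text), []
    auth = [r for r in rules if r[0] == "auth"]
    pos = [i for i, r in enumerate(auth) if r[2] == "pam_mount.so"]
    if not pos:
        out.append(("warn", "PAM: no pam_mount auth rule, so the login password is never captured"))
    else:
        if all(r[2] == "pam_mount.so" for r in auth[:pos[0]]):
            out.append(("warn", "PAM: pam_mount auth rule precedes every password-collecting module"))
        if "use_first_pass" not in auth[pos[0]][3]:
            out.append(("warn", "PAM: pam_mount auth rule lacks use_first_pass"))
    if not any(r[0] == "session" and r[2] == "pam_mount.so" for r in rules):
        out.append(("warn", "PAM: no pam_mount session rule, so nothing mounts after authentication"))
    if not password_reaches_pam(cfg):
        out.append(("warn", "sshd_config: PAM never receives a password (UsePAM / password methods)"))
    if cfg.get("pubkeyauthentication", "yes") == "yes":
        out.append(("info", "sshd_config: public-key logins carry no password for pam_mount to reuse"))
    if cfg.get("useprivilegeseparation", "yes") == "no":
        out.append(("warn", "sshd_config: UsePrivilegeSeparation no weakens sshd; re-enable unless testing proves pam_mount needs it off"))
    return out


if __name__ == "__main__":
    for name, stack in (("posted", PAM_SSHD_POSTED), ("broken", PAM_SSHD_BROKEN)):
        print(f"== {name} stack ==")
        for level, msg in audit(stack, SSHD_CONFIG_SAMPLE):
            print(f"[{level}] {msg}")
```

To run it against a live host, pass open("/etc/pam.d/sshd").read() and open("/etc/ssh/sshd_config").read() to audit(). The parser does not follow include lines or pam_stack service= references, so when pam_mount lives in /etc/pam.d/system-auth, as in post #7, audit that file as well.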
 