
#1 2012-03-25 12:01:18

Schirase
Member
Registered: 2010-02-14
Posts: 6

[SOLVED] pam_mount will not mount truecrypt volume on login.

Hello.

I did a system upgrade yesterday and encountered some problems with mounting my Truecrypt volume with pam_mount. I use pam_mount to mount my encrypted /home partition at login. After the first reboot and logging in I was dropped to the / directory, with my /home partition clearly not mounted. I acknowledged the message from udev in pacman that in some circumstances adding 'loop' to the MODULES array in /etc/mkinitcpio.conf is required, and for a moment I thought it was it, but I tried this and it didn't help. Surprisingly, after another reboot I was placed in my home directory after login, but it appears to be empty - I can see only dotfiles of a few programs I used after the upgrade:

$ ls -A ~/
.bash_history .links .qingy .viminfo .wicd

but my /home partition is obviously still not mounted. My relevant config files:

/etc/security/pam_mount.conf.xml

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
	See pam_mount.conf(5) for a description.
-->

<pam_mount>

		<!-- debug should come before everything else,
		since this file is still processed in a single pass
		from top-to-bottom -->

<debug enable="0" />

		<!-- Volume definitions -->

		<!-- pam_mount parameters: General tunables -->

<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<!-- requires ofl from hxtools to be present -->
<logout wait="0" hup="0" term="0" kill="0" />


		<!-- pam_mount parameters: Volume-related -->

<cryptmount>truecrypt --text --protect-hidden=no --keyfiles="/etc/home.key" %(VOLUME) %(MNTPT)</cryptmount>
<cryptumount>truecrypt -d</cryptumount>
<volume user="schirase" fstype="crypt" path="/dev/sda7" mountpoint="/home" options="fsck,relatime" />
<mkmountpoint enable="1" remove="true" />

</pam_mount>

/etc/pam.d/login

#%PAM-1.0
auth		required	pam_securetty.so
auth		requisite	pam_nologin.so
auth		required	pam_unix.so nullok
auth		required	pam_tally.so onerr=succeed file=/var/log/faillog
auth		optional	pam_mount.so
# use this to lockout accounts for 10 minutes after 3 failed attempts
#auth		required	pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
account		required	pam_access.so
account		required	pam_time.so
account		required	pam_unix.so
#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password	optional	pam_mount.so
#password	required	pam_unix.so sha512 shadow use_authtok
session		required	pam_unix.so
session		optional	pam_mount.so
session		required	pam_env.so
session		required	pam_motd.so
session		required	pam_limits.so
session		optional	pam_mail.so dir=/var/spool/mail standard
session		optional	pam_lastlog.so
session		optional	pam_loginuid.so
-session	optional	pam_ck_connector.so nox11
-session	optional	pam_systemd.so

/etc/pam.d/qingy

#%PAM-1.0

auth       required	/lib/security/pam_securetty.so
auth       required	/lib/security/pam_unix.so
auth       required	/lib/security/pam_nologin.so
account    required	/lib/security/pam_unix.so
password   required	/lib/security/pam_unix.so
session    required	/lib/security/pam_unix.so
session    optional	/lib/security/pam_console.so

Any ideas how to make it work again?

[EDIT] OK, I've looked into it a little more and I realised that I should try logging in without qingy. I tried on an agetty console and it worked as before. It looks like the qingy upgrade changed my /etc/pam.d/qingy file into the default one. The one above is obviously unsuitable for use with pam_mount and I failed to see that at first. It should look similar to the example file for slim in the wiki article on pam_mount:

#%PAM-1.0

auth       required    /lib/security/pam_securetty.so
auth       required    /lib/security/pam_unix.so
auth       optional    /lib/security/pam_mount.so
auth       required    /lib/security/pam_nologin.so
account    required    /lib/security/pam_unix.so
password   required    /lib/security/pam_unix.so
password   optional    /lib/security/pam_mount.so
session    required    /lib/security/pam_unix.so
session    optional    /lib/security/pam_mount.so
session    optional    /lib/security/pam_console.so

Sorry for the trouble, maybe at least it will help someone.

Last edited by Schirase (2012-03-25 17:49:21)
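
A check that could be run after package upgrades to catch the reset described in this thread, given here as an added example that is not part of the original post. The function names and the temp-file samples (abridged from the two qingy files above) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): list the PAM management groups
# in a service file that have no active pam_mount.so line.
# Limitation: "include" and "substack" lines are not followed.

pam_mount_missing() {    # usage: pam_mount_missing FILE
    awk '
        /^[ \t]*#/ || NF < 3 { next }          # comments, blank or short lines
        {
            type = $1
            sub(/^-/, "", type)                # "-session" counts as session
            for (i = 3; i <= NF; i++)          # control may span fields: [a=b c=d]
                if ($i == "pam_mount.so" || $i ~ /\/pam_mount\.so$/) { seen[type] = 1; break }
        }
        END {
            n = split("auth password session", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) out = out (out == "" ? "" : " ") want[i]
            print out                          # empty line = nothing missing
        }
    ' "$1"
}

# Constructed samples: the two qingy variants from the post, abridged.
write_samples() {        # usage: write_samples DIR
    cat > "$1/qingy.default" <<'EOF'
auth       required    /lib/security/pam_securetty.so
auth       required    /lib/security/pam_unix.so
account    required    /lib/security/pam_unix.so
password   required    /lib/security/pam_unix.so
session    required    /lib/security/pam_unix.so
EOF
    cat > "$1/qingy.fixed" <<'EOF'
auth       required    /lib/security/pam_unix.so
auth       optional    /lib/security/pam_mount.so
password   required    /lib/security/pam_unix.so
password   optional    /lib/security/pam_mount.so
session    required    /lib/security/pam_unix.so
session    optional    /lib/security/pam_mount.so
EOF
}

dir=$(mktemp -d) && write_samples "$dir"
for f in "$dir"/qingy.*; do
    m=$(pam_mount_missing "$f")
    [ -n "$m" ] && echo "${f##*/}: pam_mount missing in: $m" || echo "${f##*/}: ok"
done
rm -rf "$dir"
```

On a real system, point `pam_mount_missing` at the service file of the login manager actually in use, for example `/etc/pam.d/qingy`.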
