#1 2020-09-01 16:48:46

dvnll
Member
Registered: 2015-06-02
Posts: 2

pam_mount and sshfs

Hello,

I have a problem concerning pam_mount and sshfs. I am not sure if
this is the right board, so I am sorry if you have to move this.

There is a client which authenticates against an LDAP server. This
works fine. In a next step I wanted to mount a remote directory as
a user's home directory via sshfs.

I created an ssh configuration file in /etc/ssh/ssd_config.

Host example-com
    Hostname example.com
    Port 22

As described in the wiki [0] I edited the file /etc/security/pam_mount.conf.xml

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
	See pam_mount.conf(5) for a description.
-->

<pam_mount>

<!-- [...] -->

<debug enable="2" />

<volume
		fstype="fuse"
		path="sshfs#example-com:/srv/homes/%(USER)"
		mountpoint="/home/%(USER)"
		options="reconnect,idmap=user,password_stdin,noatime,uid=%(USERUID),gid=%(USERGID)"
		ssh="0" noroot="1"
  />
<fusemount>mount.fuse3 %(VOLUME) %(MNTPT) -o %(OPTIONS)</fusemount>

<mkmountpoint enable="1" remove="true" />

<!-- [...] -->

</pam_mount>

When I log on the client the pam_mount module asks me for a password,
exactly as expected. I can authenticate successfully and pam_mount tries
to mount the home directory.


This is the terminal's output:

[pam_mount.c:568] pam_mount 2.16: entering session stage
(mount.c:251) Mount info: globalconf, user=exampleuser <volume fstype="fuse" server="(null)" path="sshfs#example-com:/srv/homes/exampleuser" mountpoint="/home/exampleuser" cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhas="(null)" options="reconnect,idmap=user,password_stdin,noatime,uid=10300,gid=10000" />
(mount.c:660) Password will be sent do helper as-is.
command: 'mount.fuse3' 'sshfsfs#example-com:/srv/homes/exampleuser' '-o' 'reconnect,idmap=user,password_stdin,noatime,uid=10300,gid=10000'
(spawn.c:136) setting uid to user exampleuser

After this it gets stuck, and after some time it fails and I have to try to
log in again.  In the meantime I had a look into /etc/mtab and found a
corresponding entry:

example-com:/srv/homes/exampleuser /home/exampleuser fuse.sshfs rw,nosuid,nodev,noatime,user_id=10300,group_id=10000 0 0

I copied this line into /etc/fstab (and modified the mount target etc.) and tried
to mount it. I got this error message:

fuse: unknown option(s): `-o user_id=10300,group_id=10000'

According to man mount.fuse3

       user_id=N
       group_id=N
              Specifies the numeric uid/gid of the mount owner.

              This option should not be specified by the filesystem owner. It is set by libfuse (or, if libfuse
              is not used, must be set by the filesystem itself).

this should not be set.

After removing these options in the fstab I can mount it without any problem.

I was wondering where these options were appended and how I have to deal with
them.  I had a look in the source code of pam_mount [1] and libfuse [2] but
got no good idea how to disable this behaviour.

Maybe I missed an option. I would be really glad if you could help me resolve
this issue.

Moving from sshfs to nfs/cifs or something else is not possible because of other
constraints.

If you need any more information please feel free to ask.

Thanks a lot for reading this and your help,
dvnll


[0] https://wiki.archlinux.org/index.php/Pam_mount
[1] http://pam-mount.sourceforge.net/
[2] https://github.com/libfuse/libfuse


#2 2020-09-02 07:17:41

chaseleif
Member
From: Texas
Registered: 2020-08-01
Posts: 18

Re: pam_mount and sshfs

This is linked to from one of their github pages: https://github.com/libfuse/sshfs/issues/92
It's a little old, but it looks like a related issue and there are two other follow-up links with more info too.


#3 2020-09-02 08:48:18

dvnll
Member
Registered: 2015-06-02
Posts: 2

Re: pam_mount and sshfs

Hello chaseleif,

Thanks for your answer, but I think this is not related. The issue
you mentioned is about having fuse2/fuse3 both on the same system.

On my client there is no fuse2 package installed. When installing sshfs
there is an explicit dependency on fuse3 and I called the mount.fuse3
as you can see in the xml file.

If there were an option or a workaround to get rid of the
options "user_id" and "group_id" I would be fine, but I don't even see
where they are appended. In the terminal's output it is all as I expected, but
in the mtab file there are these two extra parameters.
I assume this is happening inside pam_mount but I can't find this in the
source code. Am I looking at the right place?


#4 2020-09-03 05:31:17

chaseleif
Member
From: Texas
Registered: 2020-08-01
Posts: 18

Re: pam_mount and sshfs

I've not done what you're trying to do.
This page goes over making the xml file in pretty good detail: http://pam-mount.sourceforge.net/pam_mount.conf.5.html

This is one of the two examples in the sourceforge docs for the sshfs/ccgfs volume line:

<volume fstype="fuse" path="sshfs#%(USER)@fileserver:" mountpoint="~" /> 

Do you have a username with an '@' in the path?

There's also this about that ssh= option:

ssh="0" or ssh="1"
The ssh option enables an input hack wrapper (zerossh, see pmt-fd0ssh(1)) for this volume to hand the password to ssh over an ssh-specific mechanism. Enable this option for any mount involving the SSH binary, e.g. ccgfs or sshfs. Do not enable it for anything else or the login will most likely hang. 

Last edited by chaseleif (2020-09-03 05:41:20)

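Added example (not part of any post in this thread, and not pam_mount's own code): a small lint pass over pam_mount.conf.xml that checks the two documentation points quoted above, the ssh= guidance from pam_mount.conf(5) and the mount.fuse3 note that user_id=/group_id= are set by libfuse. The sample configuration, the function names and the treatment of a missing ssh attribute as "0" are assumptions; the thread does not establish that either finding is the cause of the hang.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the first volume is modelled on the one posted in #1.
SAMPLE_CONF = b"""<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<volume fstype="fuse" path="sshfs#example-com:/srv/homes/%(USER)"
        mountpoint="/home/%(USER)"
        options="reconnect,idmap=user,password_stdin,noatime,uid=%(USERUID),gid=%(USERGID)"
        ssh="0" noroot="1" />
<volume fstype="fuse" path="sshfs#%(USER)@fileserver:" mountpoint="~"
        options="user_id=10300,group_id=10000" ssh="1" />
<volume fstype="cifs" server="fs" path="share" mountpoint="/mnt/share" ssh="1" />
</pam_mount>
"""

# Only the "sshfs#..." path form shown in this thread is matched; ccgfs,
# also named in the quoted pam_mount.conf(5) text, is not covered here.
SSH_HELPERS = ("sshfs",)
# Mount-owner options that mount.fuse3 says are set by libfuse itself.
LIBFUSE_OWNED = ("user_id", "group_id")


def uses_ssh(volume):
    """True when a fuse volume's path names an SSH-based helper ("sshfs#...")."""
    helper = volume.get("path", "").split("#", 1)[0]
    return volume.get("fstype") == "fuse" and helper in SSH_HELPERS


def lint_volumes(xml_bytes):
    """Return (volume_index, message) findings for every <volume> element."""
    findings = []
    root = ET.fromstring(xml_bytes)  # the external DTD is not fetched
    for idx, vol in enumerate(root.iter("volume")):
        ssh_on = vol.get("ssh", "0") == "1"  # assumption: missing means "0"
        if uses_ssh(vol) and not ssh_on:
            findings.append((idx, 'SSH-based volume without ssh="1"'))
        if ssh_on and not uses_ssh(vol):
            findings.append((idx, 'ssh="1" on a volume that does not use SSH'))
        keys = [o.split("=", 1)[0].strip() for o in vol.get("options", "").split(",")]
        for key in LIBFUSE_OWNED:
            if key in keys:  # exact key match, so uid=/gid= are not flagged
                findings.append((idx, f"option {key}= is set by libfuse"))
    return findings


if __name__ == "__main__":
    for idx, msg in lint_volumes(SAMPLE_CONF):
        print(f"volume {idx}: {msg}")
```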
