
#1 2010-01-04 03:35:34

chancho
Member
From: Hong Kong
Registered: 2006-07-14
Posts: 114

pam_mount howto

I am trying to use pam_mount to mount an NFS shared dir on the server. However, I don't know what I should do. Should I install pam_mount on both sides (server and client)? Once installed, how do I activate pam_mount? Any help?


#2 2010-01-05 07:14:18

chancho
Member
From: Hong Kong
Registered: 2006-07-14
Posts: 114

Re: pam_mount howto

OK, so I tried installing pam_mount on the client side.
/etc/pam.d/gdm:
auth            required        pam_mount.so try_first_pass
auth            requisite       pam_nologin.so
auth            required        pam_env.so
auth            required        pam_unix.so
auth            optional        pam_gnome_keyring.so
account         required        pam_unix.so
session         required        pam_mount.so
session         required        pam_limits.so
session         required        pam_unix.so
session         optional        pam_gnome_keyring.so auto_start
password        required        pam_unix.so

I also enabled the per-user conf file ~/.pam_mount.conf.xml.

Now I can mount the shared dir from the NFS server, but I have to log in twice (once for pam_mount, once for gdm).
Another question is how to set up the NFS server so every user can mount their own dir; there may be 100 users.


#3 2010-01-07 04:35:09

delerious010
Member
From: Montreal
Registered: 2008-10-07
Posts: 72

Re: pam_mount howto

For the password issue, the FAQ states :

  Q.  Why am I prompted for a password twice after installing pam_mount?

  A.  Like most PAM modules, pam_mount prompts the user for a password.
      When used with another auth type module, such as pam_unix2, this
      may result in both modules prompting for a password. In order to
      get a more desirable behavior, instruct the second module to use
      the first password entered by using the use_first_pass option.

I've not used pam_mount before, but if it's anything like tying LDAP into PAM, which it should be, you probably want to use "use_first_pass" in your auth directives.

If that doesn't work, I'd probably have a look at the following configuration options which may cause this undesired situation : http://pam-mount.git.sourceforge.net/gi … ptions.txt

As for the NFS server ... you're probably going to want to read through the following to get an idea of how security works in NFS : http://nfs.sourceforge.net/nfs-howto/ar01s06.html

In short, any IP allowed to connect to the NFS mount can mount the export. Then, NFS expects the >client side< to declare the user's UID/GID. As far as NFS is concerned, if the >client< host says that user "bob" is UID 0/GID 0, then "bob" is. From a security point of view, and to make sure that users can all map "UID/GID" to "Uname/Gname" properly (last reason more for convenience than anything else), you're talking about centralized authentication (LDAP) or a nightmare.

Or, another option is simply to mount the (example) /home export to /mnt/home and then have pam_mount do a "bind" mount of a subdirectory of /mnt/home. Easier, not as pretty, has its own faults and still exposes you to security issues (unless your users are all chroot-ed, and even then).


#4 2010-01-07 05:58:52

chancho
Member
From: Hong Kong
Registered: 2006-07-14
Posts: 114

Re: pam_mount howto

Actually I made a typo in my config file, but I tried both "try_first_pass" and "use_first_pass" and got the same result. The error log showed: gdm-session-worker[1857]: pam_mount(pam_mount.c:100): unknown pam_mount option "use_first_pass"

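The FAQ rule quoted in post #3 (the second password-prompting module should reuse the first password), written as a check over a PAM service file. This is an added example, not code from the thread or from the pam_mount project; the module lists and the sample stack are assumptions constructed for illustration.

```python
# Added example: find PAM auth modules that would ask for the password again.
# Assumptions: which modules prompt, and which accept a reuse option.
PROMPTS = {"pam_mount.so", "pam_unix.so", "pam_unix2.so"}
ACCEPTS_REUSE = {"pam_unix.so", "pam_unix2.so"}  # thread log: pam_mount rejects it
REUSE = {"use_first_pass", "try_first_pass"}

# Constructed sample, modelled on the gdm file posted in the thread.
SAMPLE = """\
auth     required   pam_mount.so
auth     requisite  pam_nologin.so
auth     required   pam_env.so
auth     required   pam_unix.so
auth     optional   pam_gnome_keyring.so
session  required   pam_mount.so
"""


def parse(text):
    """Yield (lineno, type, module, options) for every rule line."""
    for n, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if len(f) < 3 or f[0].startswith("@"):
            continue
        i = 1
        if f[1].startswith("["):  # bracketed control field may contain spaces
            while i < len(f) and not f[i].endswith("]"):
                i += 1
        if i + 1 >= len(f):
            continue
        yield n, f[0].lstrip("-"), f[i + 1].rsplit("/", 1)[-1], set(f[i + 2:])


def double_prompts(text):
    """Return [(lineno, module)] for auth modules that will prompt a second time."""
    findings, prompted = [], False
    for n, kind, module, opts in parse(text):
        if kind != "auth" or module not in PROMPTS:
            continue
        if prompted and module in ACCEPTS_REUSE and not (opts & REUSE):
            findings.append((n, module))
        prompted = True
    return findings


if __name__ == "__main__":
    for n, module in double_prompts(SAMPLE):
        print(f"line {n}: {module} prompts again; add use_first_pass")
```
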
