[Pkg-shadow-devel] Re: problem with CLOSE_SESSION
Bénédicte et Éric ROUGIER
eric.rougier at tiscali.fr
Wed Jun 14 21:26:47 UTC 2006
It may work with gdm, then that's ok for me. I'll try it tomorrow.
Also, my debug info:
(Thanks a lot)
After a logon (with debug=1)
pam_mount: reading options_allow...
pam_mount: reading options_require...
pam_mount: back from global readconfig
pam_mount: per-user configurations not allowed by pam_mount.conf
pam_mount: real and effective user ID are 0 and 0.
pam_mount: checking sanity of volume record (Classes)
pam_mount: about to perform mount operations
pam_mount: information for mount:
pam_mount: ----------------------
pam_mount: (defined by globalconf)
pam_mount: user: rougiere
pam_mount: server: se3
pam_mount: volume: Classes
pam_mount: mountpoint: /home/rougiere/Classes
pam_mount: options: uid=rougiere,gid=rougiere,fmask=650,dmask=0750
pam_mount: fs_key_cipher:
pam_mount: fs_key_path:
pam_mount: use_fstab: 0
pam_mount: ----------------------
pam_mount: realpath of volume "/home/rougiere/Classes" is "/home/rougiere/Classes"
pam_mount: checking to see if //se3/Classes is already mounted at /home/rougiere/Classes
pam_mount: checking for encrypted filesystem key configuration
pam_mount: about to start building mount command
pam_mount: command: /usr/bin/smbmount [//se3/Classes] [/home/rougiere/Classes] [-o] [username=rougiere,uid=rougiere,gid=rougiere,fmask=650,dmask=07
pam_mount: mount errors (should be empty):
pam_mount: pam_mount: setting uid to 0
pam_mount: pam_mount: real user/group IDs are 0/1000, effective is 0/1000
pam_mount: waiting for mount
Sys. de fich. 1K-blocs Occupé Disponible Capacité Monté sur
/dev/sda1 75434976 8845700 62757376 13% /
varrun 253392 172 253220 1% /var/run
varlock 253392 4 253388 1% /var/lock
udev 253392 76 253316 1% /dev
devshm 253392 0 253392 0% /dev/shm
lrm 253392 18856 234536 8% /lib/modules/2.6.15-23-386/volatile
se3:/home 36854064 9801544 27052520 27% /home
//se3/Classes 36853760 3176448 33677312 9% /home/rougiere/Classes
pam_mount: checking sanity of volume record (Docs)
pam_mount: about to perform mount operations
pam_mount: information for mount:
pam_mount: ----------------------
pam_mount: (defined by globalconf)
pam_mount: user: rougiere
pam_mount: server: se3
pam_mount: volume: Docs
pam_mount: mountpoint: /home/rougiere/Partages
pam_mount: options: uid=rougiere,gid=rougiere,fmask=650,dmask=0750
pam_mount: fs_key_cipher:
pam_mount: fs_key_path:
pam_mount: use_fstab: 0
pam_mount: ----------------------
pam_mount: realpath of volume "/home/rougiere/Partages" is "/home/rougiere/Partages"
pam_mount: checking to see if //se3/Docs is already mounted at /home/rougiere/Partages
pam_mount: checking for encrypted filesystem key configuration
pam_mount: about to start building mount command
pam_mount: command: /usr/bin/smbmount [//se3/Docs] [/home/rougiere/Partages] [-o] [username=rougiere,uid=rougiere,gid=rougiere,fmask=650,dmask=0750
pam_mount: mount errors (should be empty):
pam_mount: pam_mount: setting uid to 0
pam_mount: pam_mount: real user/group IDs are 0/1000, effective is 0/1000
pam_mount: waiting for mount
Sys. de fich. 1K-blocs Occupé Disponible Capacité Monté sur
/dev/sda1 75434976 8845704 62757372 13% /
varrun 253392 172 253220 1% /var/run
varlock 253392 4 253388 1% /var/lock
udev 253392 76 253316 1% /dev
devshm 253392 0 253392 0% /dev/shm
lrm 253392 18856 234536 8% /lib/modules/2.6.15-23-386/volatile
se3:/home 36854064 9801544 27052520 27% /home
//se3/Classes 36853760 3176448 33677312 9% /home/rougiere/Classes
//se3/Docs 36853760 3176448 33677312 9% /home/rougiere/Partages
pam_mount: checking sanity of volume record (Progs)
pam_mount: about to perform mount operations
pam_mount: information for mount:
pam_mount: ----------------------
pam_mount: (defined by globalconf)
pam_mount: user: rougiere
pam_mount: server: se3
pam_mount: volume: Progs
pam_mount: mountpoint: /home/rougiere/Progs
pam_mount: options: uid=rougiere,gid=rougiere,fmask=650,dmask=0750
pam_mount: fs_key_cipher:
pam_mount: fs_key_path:
pam_mount: use_fstab: 0
pam_mount: ----------------------
pam_mount: realpath of volume "/home/rougiere/Progs" is "/home/rougiere/Progs"
pam_mount: checking to see if //se3/Progs is already mounted at /home/rougiere/Progs
pam_mount: checking for encrypted filesystem key configuration
pam_mount: about to start building mount command
pam_mount: command: /usr/bin/smbmount [//se3/Progs] [/home/rougiere/Progs] [-o] [username=rougiere,uid=rougiere,gid=rougiere,fmask=650,dmask=0750]
pam_mount: mount errors (should be empty):
pam_mount: pam_mount: setting uid to 0
pam_mount: pam_mount: real user/group IDs are 0/1000, effective is 0/1000
pam_mount: waiting for mount
Sys. de fich. 1K-blocs Occupé Disponible Capacité Monté sur
/dev/sda1 75434976 8845704 62757372 13% /
varrun 253392 172 253220 1% /var/run
varlock 253392 4 253388 1% /var/lock
udev 253392 76 253316 1% /dev
devshm 253392 0 253392 0% /dev/shm
lrm 253392 18856 234536 8% /lib/modules/2.6.15-23-386/volatile
se3:/home 36854064 9801544 27052520 27% /home
//se3/Classes 36853760 3176448 33677312 9% /home/rougiere/Classes
//se3/Docs 36853760 3176448 33677312 9% /home/rougiere/Partages
//se3/Progs 36853760 3176448 33677312 9% /home/rougiere/Progs
pam_mount: clean system authtok (0)
pam_mount: command: /usr/sbin/pmvarrun [-u] [rougiere] [-d] [-o] [1]
pam_mount: setting uid to 0
pam_mount: real user/group IDs are 0/1000, effective is 0/1000
pmvarrun: parsed count value 6
pam_mount: pmvarrun says login count is 7
pam_mount: done opening session
Last login: Wed Jun 14 23:11:43 2006 on pts/1
Linux edubuntu 2.6.15-23-386 #1 PREEMPT Tue May 23 13:49:40 UTC 2006 i686 GNU/Linux
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
After logout
pam_mount: received order to close things
pam_mount: real and effective user ID are 0 and 0.
pam_mount: command: /usr/sbin/pmvarrun [-u] [rougiere] [-d] [-o] [-1]
pam_mount: setting uid to 0
pam_mount: real user/group IDs are 0/1000, effective is 0/1000
pmvarrun: parsed count value 7
pam_mount: pmvarrun says login count is 6
pam_mount: rougiere seems to have other remaining open sessions
pam_mount: pam_mount execution complete
pam_mount: Clean global config (0)
pam_mount: clean system authtok (0)
/etc/pam.d/login
#
# The PAM configuration file for the Shadow `login' service
#
# NOTE: If you use a session module (such as kerberos or NIS+)
# that retains persistent credentials (like key caches, etc), you
# need to enable the `CLOSE_SESSIONS' option in /etc/login.defs
# in order for login to stay around until after logout to call
# pam_close_session() and cleanup.
#
# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth required pam_issue.so issue=/etc/issue
# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth requisite pam_securetty.so
# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so
# This module parses /etc/environment (the standard for setting
# environ vars) and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# (Replaces the `ENVIRON_FILE' setting from login.defs)
auth required pam_env.so readenv=1
# Standard Un*x authentication. The "nullok" line allows passwordless
# accounts.
@include common-auth
# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please uncomment and edit /etc/security/group.conf if you
# wish to use this.
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth optional pam_group.so
# Uncomment and edit /etc/security/time.conf if you need to set
# time restraints on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account required pam_access.so
# Standard Un*x account and session
@include common-account
@include common-session
# Sets up user limits, please uncomment and read /etc/security/limits.conf
# to enable this functionality.
# (Replaces the use of /etc/limits in old login)
#session required pam_limits.so
# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session optional pam_lastlog.so
# Prints the motd upon successful login
# (Replaces the `MOTD_FILE' option in login.defs)
session optional pam_motd.so
# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). You
# can also enable a MAIL environment variable from here, but it
# is better handled by /etc/login.defs, since userdel also uses
# it to make sure that removing a user, also removes their mail
# spool file.
session optional pam_mail.so standard noenv
@include common-password
@include common-pammount
#@include common-session
/etc/security/pam_mount
# Turn on if you want to debug why some volume cannot be mounted etc.
# This can be overridden by the user's local configuration
#
# Format: debug [ 1 | 0 ]
# Local user configuration can override this.
debug 0
# Create mountpoint if it does not exist yet. This is a good thing.
mkmountpoint 1
# Loopback device to use to run fsck on loopback filesystems.
fsckloop /dev/loop7
#------------------------------------------------------------------------------
# Users' local configuration file (if there is none, comment this
# parameter out). Will be read as ~/<file>
#
# Note: you must include either options_allow or options_deny to use
# this directive. I recommend also including options_require.
#
# Individual users may define additional volumes to mount if allowed
# by pam_mount.conf (usually ~/.pam_mount.conf). The volume keyword is
# the only valid keyword in these per-user configuration files. If the
# luserconf parameter is set in pam_mount.conf, allowing user-defined
# volumes, users may mount and unmount any volumes they specify.
# The mount operation is executed under the user account, not with
# root permissions.
#
# Format: luserconf <file>
#
#luserconf .pam_mount.conf
#------------------------------------------------------------------------------
# These directives determine which options may be specified in a user config
# file (luserconf). You must include one of these directives if you have a
# luserconf directive. You may not include both directives.
#
# If you have an options_allow directive, then the options listed in that
# directive will be allowed, and all others rejected. If you have an
# options_deny directive, then the options listed will be denied, and
# all others permitted.
#
# You may use the wildcard '*' to match all options.
# I recommend not permitting the suid and dev options.
#
options_allow nosuid,nodev,loop,encryption,fsck
#options_deny suid,dev
#options_allow *
#options_deny *
# The options listed in this directive are required for all volumes from a
# user config file. That is, any volume specified in a user config file that
# does not include these options will be ignored.
#
# Note: you must make sure that a required option is permitted (either by
# including it in options_allow, or by not including it in options_deny).
#
# I recommend requiring at least nosuid and nodev.
#
# This is ignored completely if the volume is configured to get its options
# and mount point from /etc/fstab.
#
options_require nosuid,nodev
#------------------------------------------------------------------------------
# Commands to mount/unmount volumes. They can take parameters, as shown.
#
# If you change the -p0 argument for lclmount, you'll need to modify the
# source in mount.c (it sends the password to the stdin file descriptor
# of the child process -- look for STDIN_FILENO).
#
lsof /usr/sbin/lsof %(MNTPT)
fsck /sbin/fsck -p %(FSCKTARGET)
losetup /sbin/losetup -p0 "%(before=\"-e\" CIPHER)" "%(before=\"-k\" KEYBITS)" %(FSCKLOOP) %(VOLUME)
unlosetup /sbin/losetup -d %(FSCKLOOP)
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
smbmount /usr/bin/smbmount //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
ncpmount /usr/bin/ncpmount %(SERVER)/%(USER) %(MNTPT) -o "pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)"
smbumount /usr/bin/smbumount %(MNTPT)
ncpumount /usr/bin/ncpumount %(MNTPT)
# Linux supports lazy unmounting (-l). May be dangerous for encrypted volumes.
# May also break loopback mounts because loopback devices are not freed.
# Need to unmount mount point not volume to support SMB mounts, etc.
umount /bin/umount %(MNTPT)
# On OpenBSD try "/usr/local/bin/mount_ehd" (included in pam_mount package).
lclmount /bin/mount -p0 -t %(FSTYPE) %(VOLUME) %(MNTPT) "%(before=\"-o\" OPTIONS)"
cryptmount /bin/mount -t crypt "%(before=\"-o\" OPTIONS)" %(VOLUME) %(MNTPT)
nfsmount /bin/mount %(SERVER):%(VOLUME) %(MNTPT) "%(before=\"-o\" OPTIONS)"
mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)
# For BSD: mntagain mount_null %(PREVMNTPT) %(MNTPT)
# For Solaris: mntagain mount -F lofs %(PREVMNTPT) %(MNTPT)
mntcheck /bin/mount # For BSD's (don't have /etc/mtab)
pmvarrun /usr/sbin/pmvarrun -u %(USER) -d -o %(OPERATION)
#------------------------------------------------------------------------------
# Volumes that will be mounted when user triggers the pam_mount module
# (usually at login).
#
# Format (one line):
# volume <user> <type> <server> <volume> <mount point>
# <mount options> <fs key cipher> <fs key path>
#
# <user> is a user for which a volume rule applies.
# "*" selects all users, "@xyz" selects all users which have xyz as their
# primary group.
#
# - If such a wildcard (* or @) is used, the '&' wildcard becomes available
# for <volume>, <mount point>, <mount options> and <fs key path>, and
# expands to the username that was used for login.
# - '~' expands to the user's home directory as present in the passwd
# database, but ONLY if it is the first char. (Like in bash; /import/~ does
# not equal /import/home/jengelh!)
# Examples see below.
#
# <type> can be any filesystem type. If /bin/mount or the kernel does not
# support it, you will get an error. You can use the special keyword "auto"
# which automatically lets the kernel choose a matching filesystem. Note
# that the kernel's auto feature only works with filesystems listed in
# /proc/filesystem, so you will have to load the necessary modules *first*
# for them to be recognized with "auto".
#
# The "cifs", "smbfs" and "ncpfs" types override the identically-named kernel
# filesystems and use the smbmount/ncpmount programs, as defined above,
# instead of `mount -t smbfs ...`.
#
# Note that if the mount command has specified an option, e.g. %(KEYBITS)
# and you don't specify a value, a warning is printed in the log. The
# warning can usually be ignored, except when the option is mandatory.
#
# SMB mounts require the `smbmount` and `smbumount` programs,
# NCP `ncpmount` and `ncpumount`. Both SMB and NCP work in ~/.pam_mount.conf.
#
# General examples:
# volume user smbfs krueger public /home/user/krueger - - -
# volume user ncpfs krueger public /home/user/krueger user=user.context - -
# volume * smbfs krueger & /home/& uid=&,dmask=0750 - -
# volume * smbfs krueger homes /home/&/remote - - -
# Useful for pam_chroot:
# volume * auto - /bin /home/&/bin - - -
# For FUSE mounts, example sshfs:
# volume * fuse - "sshfs#&@fileserver:" /home/& - - -
# Or...
# volume * fuse - "sshfs#&@fileserver:" ~ - - -
# Some more examples:
# volume * auto - /home/&.img - - aes-256-ecb /etc/ehd/&
# Windows 2000, which requires a domain specified, example (thanks John Knox):
# volume * smbfs viper & /home/& uid=&,gid=&,dmask=0750,workgroup=WINDOWS_DOMAIN - -
# An NCP example:
# volume user ncpfs SERVER /USERS/Department/user /home/user user=user.full.context,uid=user,gid=user,symlinks - -
# An example using spaces:
# volume * smbfs krueger 'Home\ Directories' /home/& - - -
#------------------------------------------------------------------------------
# Linux encrypted home directory examples, using dm_crypt:
#
# crypt mounts require a kernel with CONFIG_BLK_DEV_DM and CONFIG_DM_CRYPT
# enabled as well as all the used ciphers (e.g. CONFIG_CRYPTO_AES_586,
# CONFIG_CRYPTO_TWOFISH, etc.).
# crypt mounts must be in the global config file /etc/security/pam_mount.conf
# volume user crypt - /dev/sda2 /home/user cipher=aes,fsck aes-256-ecb /home/user.key
#
# Linux encrypted home directory examples, using dm_crypt:
# volume user crypt - /dev/sda2 /home/user cipher=aes aes-256-ecb /home/user.key
# cryptoloop mounts require a kernel with CONFIG_BLK_DEV_CRYPTOLOOP enabled.
# cryptoloop mounts must be in the global config /etc/security/pam_mount.conf
# Linux encrypted home directory examples, using cryptoloop:
#
# volume user auto - /dev/hda123 /home/user loop,encryption=aes - -
# volume user auto - /home/user.img /home/user loop,user,exec,encryption=aes,keybits=256 - -
# volume user auto - /home/user.img - - - -
# volume user auto - /home/user.img - - aes-256-ecb /home/user4.key
# The last two examples (^^) need a line like the following in
# /etc/fstab:
# /home/user4.img /home/user4 xfs user,loop,encryption=aes,keybits=256,noauto 0 0
# OpenBSD encrypted home directory example (see also lclmount above):
# volume user auto - /home/user.img /home/user svnd0 - -
# Volatile tmpfs mount with restricted size
# (thanks to Mike Hommey for this example)
# volume test tmpfs - /tmpfs/test /home/test "size=10M,uid=test,gid=users,mode=0700 -t tmpfs" - -
# Details:
# Local user configuration (~/.pam_mount.conf) can extend this.
#
# If there are no servers, mount options, fs key ciphers, etc. you must
# supply a lone dash, i.e. "-"
#
# See http://www.tldp.org/HOWTO/Loopback-Encrypted-Filesystem-HOWTO.html
# to learn how to create an encrypted loopback filesystem.
#
# If the volume's password is different than the user's login password,
# the following technique may be used (see also README):
#
# {...} are placeholders, insert the proper value there!
#
# 1. Create a file containing the volume's password (FS key). If you are
# using pam_mount to mount a loopback encrypted volume, this password
# may be generated from /dev/urandom.
#
# Simple example:
# echo {volume password} | openssl enc -aes-256-ecb >/home/user.key
# Encrypt this file using the user's login password as the key.
#
# Verbose loopback encrypted volume example:
# a. dd if=/dev/urandom of=/home/user.img bs=1M count={image size in MB}
# b. dd if=/dev/urandom bs=1c count={keysize/8} | \
# openssl enc -{fs key cipher} >/home/user.key
# Encrypt this file using the user's login password as the key.
# c. modprobe -q cryptoloop
# d. openssl enc -d -{fs key cipher} -in /home/user.key | \
# losetup -e aes -k {keysize} -p0 /dev/loop0 /home/user.img
# e. mkfs -t ext2 /dev/loop0
# f. losetup -d /dev/loop0
#
# 3. In pam_mount.conf:
# a. Set the fs key cipher variable to the cipher used (e.g. aes-256-ecb).
# b. Set the fs key path variable to the key's path (e.g. /home/user.key).
# 4. If a user changes his login password, regenerate the efsk that
# was created in step 1b. A script named passwdehd is provided to do this.
#
# If fs_key_cipher is -, then the user's login password is also the volume's
# password.
volume * smbfs se3 Classes ~/Classes uid=&,gid=&,fmask=650,dmask=0750 - -
volume * smbfs se3 Docs ~/Partages uid=&,gid=&,fmask=650,dmask=0750 - -
#volume root nfs se3 /var/se3/Docs ~/Partages uid=root,gid=root - -
volume * smbfs se3 Progs ~/Progs uid=&,gid=&,fmask=650,dmask=0750 - -
Nicolas François wrote:
>On Wed, Jun 14, 2006 at 10:15:16PM +0200, nicolas.francois at centraliens.net wrote:
>
>
>>On Wed, Jun 14, 2006 at 05:37:17PM +0200, eric.rougier at tiscali.fr wrote:
>>
>>
>>>Yes, when I logout after a logon with the command line login, the mount
>>>point which was mounted with pam-mount wasn't unmounted.
>>>
>>>
>>Then, I don't really see what's happening.
>>
>>Do you have any logs?
>>maybe you can also enable debug (setting "debug 1" in the pam_mount
>>configuration file should do that).
>>
>>Does it work with other programs?
>>
>>What does your PAM configuration for login look like?
>>What does your pam_mount configuration look like?
>>
>>
>
>Also, do you think it can be related to http://bugs.debian.org/370526
>
>Kind Regards,
>
>
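The debug output above shows the cause of the symptom being discussed: before the login the pmvarrun count for the user was already 6, the login raised it to 7, and the logout lowered it back to 6, so pam_mount reported "other remaining open sessions" and left the SMB volumes mounted. Six earlier open_session calls were never balanced by a close_session, which is exactly the situation the CLOSE_SESSIONS note at the top of /etc/pam.d/login warns about. The following Python model is an added illustration, not pam_mount's or pmvarrun's own code; it replaces the real per-user count file with a dict and reproduces the 6 -> 7 -> 6 sequence from the log.

```python
"""Model of pam_mount's per-user session counting (pmvarrun) to show why a
volume stays mounted at logout once earlier sessions were never closed.

Added illustration, not pam_mount's own code: the real pmvarrun is a helper
that keeps the count in a file per user; here a dict stands in for it.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class PmVarRun:
    """Stand-in for `pmvarrun -u <user> -o <operation>`: adds the operation
    (+1 at open_session, -1 at close_session) and never goes below zero."""
    counts: Dict[str, int] = field(default_factory=dict)

    def run(self, user: str, operation: int) -> int:
        new = max(0, self.counts.get(user, 0) + operation)
        self.counts[user] = new
        return new


@dataclass
class PamMountSession:
    """Mounts at open_session; at close_session unmounts only when the login
    count drops to zero, otherwise reports remaining open sessions (the
    message seen in the debug log)."""
    varrun: PmVarRun
    mounted: Set[str] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def open_session(self, user: str) -> int:
        count = self.varrun.run(user, +1)
        self.mounted.add(user)  # mounting an already-mounted volume is a no-op here
        self.log.append(f"open  {user}: pmvarrun says login count is {count}")
        return count

    def close_session(self, user: str) -> bool:
        count = self.varrun.run(user, -1)
        if count > 0:
            self.log.append(f"close {user}: count {count}, seems to have other "
                            "remaining open sessions, not unmounting")
            return False
        self.mounted.discard(user)
        self.log.append(f"close {user}: count 0, unmounting")
        return True


def simulate(leaked_logins: int, user: str = "rougiere") -> Tuple[int, bool, bool]:
    """Open `leaked_logins` sessions that never get a close_session (what a
    service does when it exits without calling pam_close_session), then run
    one full login/logout. Returns (count after logout, unmounted, still mounted)."""
    pm = PamMountSession(PmVarRun())
    for _ in range(leaked_logins):
        pm.open_session(user)  # no matching close_session: the count leaks
    pm.open_session(user)
    unmounted = pm.close_session(user)
    return pm.varrun.counts[user], unmounted, user in pm.mounted


if __name__ == "__main__":
    # Six leaked logins reproduce the 6 -> 7 -> 6 sequence from the log.
    print(simulate(6))  # (6, False, True)
    print(simulate(0))  # (0, True, False)
```

The model makes the diagnostic step concrete: when a logout does not unmount, compare the count pmvarrun reports with the number of sessions the user actually has open; a count that never returns to zero points at a service (here command-line login without CLOSE_SESSIONS) that opens sessions it never closes, not at the unmount command itself.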
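The pam_mount.conf quoted above documents the `volume` line format, the `*` / `@group` user wildcards with `&` and `~` expansion, and the options_allow / options_deny / options_require policy that restricts what a user may put in ~/.pam_mount.conf. The Python below is an added example, not pam_mount's own parser: it parses those lines, resolves the three global rules from the thread for user rougiere (reproducing the mount points and options seen in the debug log), and applies the thread's policy (options_allow nosuid,nodev,loop,encryption,fsck; options_require nosuid,nodev) to constructed per-user lines. Matching options by name (the part before `=`) and applying `~` to the mount point and key path are my assumptions.

```python
"""Parser and policy check for pam_mount.conf `volume` lines (added example,
not pam_mount's own code). Format from the config file in the thread:

    volume <user> <type> <server> <volume> <mount point>
           <mount options> <fs key cipher> <fs key path>

'-' means "not set"; '*' / '@group' are user wildcards; '&' expands to the
login name when a wildcard is used; '~' expands to $HOME only as first char.
"""

import shlex
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

FIELDS = ("user", "type", "server", "volume", "mountpoint",
          "options", "fs_key_cipher", "fs_key_path")


@dataclass
class Volume:
    user: str
    type: str
    server: str
    volume: str
    mountpoint: str
    options: List[str]
    fs_key_cipher: str
    fs_key_path: str


def parse_volume_line(line: str) -> Optional[Volume]:
    """Parse one line; None for comments, blanks and non-volume lines. shlex
    keeps quoted fields such as "sshfs#&@host:" intact and drops '#' comments."""
    parts = shlex.split(line, comments=True)
    if not parts or parts[0] != "volume":
        return None
    if len(parts) != 1 + len(FIELDS):
        raise ValueError(f"volume line needs {len(FIELDS)} fields: {line!r}")
    f = dict(zip(FIELDS, parts[1:]))
    options = [] if f["options"] == "-" else f["options"].split(",")
    return Volume(f["user"], f["type"], f["server"], f["volume"],
                  f["mountpoint"], options, f["fs_key_cipher"], f["fs_key_path"])


def load_volumes(text: str) -> List[Volume]:
    return [v for v in map(parse_volume_line, text.splitlines()) if v]


def resolve(volumes: List[Volume], username: str, primary_group: str, home: str) -> List[Volume]:
    """Select the rules that apply to this login and expand '&' and '~'."""
    out = []
    for v in volumes:
        wildcard = v.user == "*" or v.user.startswith("@")
        if v.user == "*":
            applies = True
        elif wildcard:
            applies = v.user[1:] == primary_group   # '@xyz' = primary group xyz
        else:
            applies = v.user == username
        if not applies:
            continue

        def amp(s: str) -> str:   # '&' is only available with a wildcard user
            return s.replace("&", username) if wildcard else s

        def tilde(s: str) -> str:  # '~' expands only as the first character (assumption: mount point and key path)
            return home + s[1:] if s.startswith("~") else s

        out.append(Volume(username, v.type, v.server, amp(v.volume),
                          tilde(amp(v.mountpoint)), [amp(o) for o in v.options],
                          v.fs_key_cipher, tilde(amp(v.fs_key_path))))
    return out


@dataclass
class UserConfPolicy:
    """options_allow / options_deny / options_require for ~/.pam_mount.conf
    volumes; exactly one of allow/deny must be set, as the config file says."""
    allow: Optional[Set[str]] = None
    deny: Optional[Set[str]] = None
    require: Set[str] = frozenset()

    def check(self, vol: Volume) -> Tuple[bool, str]:
        if (self.allow is None) == (self.deny is None):
            raise ValueError("set exactly one of options_allow / options_deny")
        names = {o.split("=", 1)[0] for o in vol.options}  # assumption: match by option name
        if self.allow is not None and "*" not in self.allow:
            bad = names - self.allow
            if bad:
                return False, "options not allowed: " + ",".join(sorted(bad))
        if self.deny is not None:
            bad = names if "*" in self.deny else names & self.deny
            if bad:
                return False, "options denied: " + ",".join(sorted(bad))
        missing = self.require - names
        if missing:
            return False, "missing required options: " + ",".join(sorted(missing))
        return True, "ok"


# Global rules copied from the thread's pam_mount.conf (the nfs line is commented out there too).
GLOBAL_CONF = """\
volume * smbfs se3 Classes ~/Classes uid=&,gid=&,fmask=650,dmask=0750 - -
volume * smbfs se3 Docs ~/Partages uid=&,gid=&,fmask=650,dmask=0750 - -
#volume root nfs se3 /var/se3/Docs ~/Partages uid=root,gid=root - -
volume * smbfs se3 Progs ~/Progs uid=&,gid=&,fmask=650,dmask=0750 - -
"""
POLICY = UserConfPolicy(allow={"nosuid", "nodev", "loop", "encryption", "fsck"},
                        require={"nosuid", "nodev"})
# Constructed ~/.pam_mount.conf lines (not from the thread): compliant, asks for suid, lacks nosuid/nodev.
USER_CONF = """\
volume * auto - /home/&.img ~/private loop,encryption=aes,nosuid,nodev - -
volume * auto - /home/&.img ~/private loop,encryption=aes,suid,nosuid,nodev - -
volume * auto - /home/&.img ~/private loop,encryption=aes - -
"""


def check_user_conf(text: str, policy: UserConfPolicy) -> List[Tuple[bool, str]]:
    return [policy.check(v) for v in load_volumes(text)]


if __name__ == "__main__":
    for v in resolve(load_volumes(GLOBAL_CONF), "rougiere", "rougiere", "/home/rougiere"):
        print(f"//{v.server}/{v.volume} -> {v.mountpoint} -o {','.join(v.options)}")
    for ok, why in check_user_conf(USER_CONF, POLICY):
        print("accept" if ok else "reject", why)
```

Running it prints the same three mount points and option strings that appear in the debug log, and shows why the config's advice to keep suid and dev out of options_allow and to require nosuid,nodev matters: a per-user volume is rejected before any mount command is built.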