8

I used the pam-auth-update tool in order to enable some pam configuration profiles:

 PAM configuration 
 PAM profiles to enable:
    [*] encfs encrypted home directories           
    [*] Unix authentication                             
    [*] Mount volumes for user                         
    [*] GNOME Keyring Daemon - Login keyring management  
    [*] ConsoleKit Session Management

All the features work as expected, but there's one thing -- the Mount volumes for user option seems to affect the su command.

I added the following line to /etc/security/pam_mount.conf.xml file:

<volume user="morfik" fstype="fuse" path="encfs#/media/Server/Dropbox.encfs/Dropbox/encrypted" mountpoint="/media/Server/Dropbox" />

and when I type in a terminal su morfik (as root), there's shouldn't be any password prompt, but instead I see this:

# su morfik
reenter password for pam_mount:

If I unchecked the Mount volumes for user option in the menu above, everything seems to be file and the reenter password disappears. I tried to play with /etc/pam.d/ files, but I don't have any experience with PAM, and I wasn't able to make it work.

Does anyone know what has to be changed in these files?

UPDATE#1

This is the content of /etc/pam.d directory:

# ls -al /etc/pam.d/
total 104K
drwxr-xr-x   2 root root 4.0K Mar 21 16:21 ./
drwxr-xr-x 153 root root  12K Mar 21 16:11 ../
-rw-r--r--   1 root root  197 Sep  8  2013 atd
-rw-r--r--   1 root root  384 May 25  2012 chfn
-rw-r--r--   1 root root   92 May 25  2012 chpasswd
-rw-r--r--   1 root root  581 May 25  2012 chsh
-rw-r--r--   1 root root 1.2K Mar 20 17:35 common-account
-rw-r--r--   1 root root 1.3K Mar 20 17:35 common-auth
-rw-r--r--   1 root root 1.5K Mar 20 17:35 common-password
-rw-r--r--   1 root root 1.3K Mar 20 17:35 common-session
-rw-r--r--   1 root root 1.2K Mar 20 17:35 common-session-noninteractive
-rw-r--r--   1 root root  527 Jul  3  2012 cron
-rw-r--r--   1 root root   69 Jul 16  2013 cups-daemon
-rw-r--r--   1 root root 4.8K Mar  5 10:18 login
-rw-r--r--   1 root root   92 May 25  2012 newusers
-rw-r--r--   1 root root  520 Jul 22  2008 other
-rw-r--r--   1 root root  147 Feb 13 07:15 passwd
-rw-r--r--   1 root root  255 Oct 15 18:40 polkit-1
-rw-r--r--   1 root root   84 Dec 27 12:40 samba
-rw-r--r--   1 root root 2.1K Feb 15 03:11 sshd
-rw-r--r--   1 root root 2.3K May 25  2012 su
-rw-r--r--   1 root root   95 Jan 15 22:58 sudo
-rw-r--r--   1 root root  108 Oct 19 23:42 xscreensaver

There's no file /etc/pam.d/system-auth.

I checked what files have pam_mount in their content, and I got this:

# egrep -i pam_mount *
common-auth:auth        optional        pam_mount.so
common-session:session  optional        pam_mount.so

The content of the files:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    sufficient              pam_encfs.so 
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth    requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional    pam_mount.so 
# end of pam-auth-update config

and:

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]         pam_permit.so
# here's the fallback if no module succeeds
session requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required    pam_unix.so 
session optional    pam_mount.so 
session optional            pam_ck_connector.so nox11
# end of pam-auth-update config

UPDATE#2

I'm using Debian testing. I tried to change the position of pam_mount, but it's always the same. I've read some sections of the manual, and there was something like: 

 When "sufficient" is used in the second column, you must make sure that
   pam_mount is added before this entry. Otherwise pam_mount will not  get
   executed  should  a  previous  PAM module succeed. Also be aware of the
   "include" statements. These make PAM look into the specified  file.  If
   there is a "sufficient" statement, then the pam_mount entry must either
   be in the included file before the "sufficient" statement or before the
   "include" statement.

I even added pam_mount to the /etc/pam.d/su file to check if this makes any difference, but it doesn't matter. If pam_mount if first, like they say, instead of a password prompt, I get pam_mount password prompt when I log to my system, and it still asks for password when I try su morfik

Improve this question
2
  • Have you solved this yet? Commented Apr 2, 2016 at 17:22
  • Actually I stopped using encfs long time ago, and I didn't solve the problem in the past. I've just installed the appropriate PAM module, and when I "su" to the user in question from root, there's no password prompt. But when I add a volume line to the /etc/security/pam_mount.conf.xml file, the prompt starts to appear. Commented Apr 3, 2016 at 8:51

2 Answers 2

Reset to default
2

Ran into the same problem.

Turns out the problem is solved by adding the disable_interactive option next to pam_mount.so in the config files ( /etc/pam.d/common-{auth,session}).

It comes right after pam_mount.so and the options are separated with spaces (from the so file name and between each two options).

When the pam_mount.so code gets executed upon a login, it'll receive the password from the top of the stack and use that password to decrypt your volume.

When you're doing su from a root session, no password is required and therefore pam_mount.so will not get any password. So, without the disable_interactive option, it will try to obtain the password.

Fortunately, as you can see from https://sourceforge.net/p/pam-mount/pam-mount/ci/master/tree/src/pam_mount.c , line 493, pam_mount will try to proceed even without a password, which is good, because the password isn't needed if the volume is already unlocked and mounted.

Improve this answer
1
  • I tested partially the parameter because I don't use encfs anymore. I just created the dirs and installed appropriate PAM modules. After adding "disable_interactive" to the two files, it actually stopped from showing the password prompt. I'm not sure whether the "mount failed" message is because of the password or because there's no "encfs directory". Anyways I was managed to switch user without a password. So I accept this answer. Commented Apr 3, 2016 at 9:06
1

Total guess but have a look at your /etc/pam.d/* files and make sure that any PAM configurations related to pam_mount are setup as follows:

auth optional pam_mount.so
...
auth include system-auth use_first_pass
...
session optional pam_mount.so

This would seem to be backed up by the pam_mount.conf man page:

excerpt

Messages
   <msg-authpw>pam_mount password:</msg-authpw>
        When  pam_mount cannot obtain a password through PAM, or is 
        configured to not do so in the first place, and is configured to ask 
        for a password interactively as a replacement, this prompt  will be 
        shown.

   <msg-sessionpw>reenter...:</msg-sessionpw>
        In  case  the  'session' PAM block does not have the password (e.g. 
        on su from root to user), it will ask again. This prompt can also be 
        customized.

NOTE: The order of the /etc/pam.d/* configuration files is also referenced here in this ArchLinux Wiki topic titled: Pam mount.

References

Improve this answer
2
  • @MikhailMorfikov - I'm not sure if you're using Debian or Ubuntu but if you take a look at the man page for pam_mount there are several examples on how to structure your PAM order using this module. Can you take a look at that and compare it to your /etc/pam.d/* files? I'm expecting that you need to change around he PAM stacks. Can you run this: strace -s 2000 -o su.log su morfik so we can see which rules are tripping it up? Commented Mar 23, 2014 at 11:06
  • I updated the question. Commented Mar 23, 2014 at 16:20

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.