# How is pam_mount supposed to work?

## turtles

Been reading up on a few things like man pam_mount, the pam_mount docs and the various stuff on the wikis.

Looking for some more information on pam_mount and LUKS.

Say for example a user has an encrypted /home with dm_crypt and LUKS.

pam_mount does not know the LUKS passphrase the drive was encrypted with.

Pam_mount will ask the user for the LUKS passphrase during boot when mounting filesystems?

Then the /home will be unlocked and mounted and the user will be authenticated as logged in? Without the user needing to use their login password?

Then what is the login manager to do? The user could just automagically startx?

Or does it work the other way? pam_mount does keep a key to the drive and the user password unlocks the drive?

Then where is the drive's passphrase stored and how? I am not seeing this in the pam_mount docs.

What if the user logs in over ssh?

What is the minimum required /etc/pam.d/service for pam_mount to work?

The manpage states *pam_mount wrote:*

> you must include two entries in the system's applicable /etc/pam.d/service config files

Then has

```
auth required pam_securetty.so
auth required pam_pwdb.so shadow nullok
auth required pam_nologin.so
+++ auth optional pam_mount.so
account required pam_pwdb.so
password required pam_cracklib.so
password required pam_pwdb.so shadow nullok use_authtok
session required pam_pwdb.so
session optional pam_console.so
+++ session optional pam_mount.so
```

Which two and where does one begin and another end? This doesn't look anything like mine.

I guess they are using the +++ signs like a diff? So this is what I need to add and nothing else?

```
session optional pam_mount.so
```

and

```
auth optional pam_mount.so
```

OK. Then *pam_mount wrote:*

>  When "sufficient" is used in the second column, you must make sure that pam_mount is added before this entry.

 

Looking at /etc/security/pam_mount.conf.xml and its docs.

Last question: the /home dir should not be in /etc/fstab, or what will happen?

How does pam_mount deal with a case where the drive has already been mounted?

From my experimenting with it, it seems to go into an infinite loop pretty easily.

Also it seems like the user passwords are weaker than the LUKS passphrase in general, so why would pam_mount store a LUKS passphrase somewhere?? If another user with root privileges can access the system (liveUSB) and compile a corrupted version of pam_mount then the drive could be unlocked.

Just not wrapping my head around it.

Thanks in advance

EDIT: I just played around with it and I think one of the LUKS keys has to equal the password, so just make a really strong password.

And if you su to the user's account from root the partition is not mounted.

The asking for a password during disk mounting is not provided by pam_mount but something to do with fstab. Having an entry in fstab will cause an infinite loop of some kind.

Still not sure about unmounting.

----------

## ulenrich

With just one user active for a workstation "pam_mount" is a little bit of an overdrive. Without it you just use /etc/crypttab:

```
cr6          /dev/sda6  none       luks,timeout=444,tries=3
```

You then use /etc/fstab:

```
/dev/mapper/cr6 /home  ext4  auto,defaults  0  2
```

And then autologin, for example for kdm in /usr/share/config/kdmrc:

```
AutoLoginEnable=true
AutoLoginUser=YOURNAME
```

But pam_mount can take advantage of all LUKS features, e.g. multiple passwords for an encrypted partition. Or just mount a special encrypted /home/USERNAME partition for each user. Thus the administrator root cannot look into your private data (if not present at the same time).

----------

## turtles

Well I have been tinkering with settings in /etc/pam.d/

Setting the 2 settings listed in the pam_mount man page:

```
session optional pam_mount.so
auth optional pam_mount.so
```

in

```
system-auth
```

makes for lots of noise during su's but works with kdm.

Setting it in system-services works on non-X login but not with kdm.

Setting it in both creates no conflicts.

Now there are 2 other files, kde and kde-np, owned indirectly by KDM:

```
 * Searching for /etc/pam.d/kde ...
kde-base/kdebase-pam-7 (/etc/pam.d/kde)

lapcat pam.d # equery depends kde-base/kdebase-pam-7
 * These packages depend on kde-base/kdebase-pam-7:
kde-base/kcheckpass-4.8.5 (pam ? >=kde-base/kdebase-pam-7)
```

Looking at kde's docs:

http://docs.kde.org/stable/en/kde-workspace/kdm/configuring-your-system-for-kdm.html

http://www.gentoo.org/proj/en/desktop/kde/kde4-guide.xml

Not finding any documentation.

Any idea what these two files are for?  Which one is needed for pam_mount on login to kdm?

Edit: From what I can tell, adding those two lines to the kde file allows pam_mount to work with kdm.

So it's the system-services & kde files.

Now for the unmounting.....

----------

## feystorm

Just replying to add some info on how to properly set this up.

Every time I go and build a new machine, I never remember all the nuances to setting up LUKS home dirs so I end up looking it up. But then all the info I find is wrong and I end up doing it the hard way anyway.

For pam_mount there are a few things required to do this properly:

First edit /etc/security/pam_mount.conf.xml

Add the following options to the `<pam_mount>` section:

```
<logout wait="200000" hup="1" term="1" kill="1" />
<ofl>/bin/fuser -s -M -m %(MNTPT) -k -%(SIGNAL)</ofl>
<volume user="YOURUSERNAMEHERE" fstype="crypt" path="/PATH/TO/DEVICE" mountpoint="~" />
```

The `<volume>` entry should be pretty normal. However the other stuff is for unmounting the volume.

The `<logout>` bit tells it to unmount the volume when you log out. The hup, term, and kill are whether it should send those signals to processes that are using the volume. The wait is how many microseconds to wait between each signal (it goes hup->term->kill).

The `<ofl>` is the command to use to signal the processes. I use fuser, but you can use lsof if you wish.

Next, update /etc/pam.d/system-login

This file is included by any authentication system which logs a user in. This includes kdm, gdm, console, ssh, etc. You don't want to use system-auth or system-services as the volume should only be mounted when a user logs in. By putting it in system-auth, it will cause any authentications to try and mount (eg, sudo, or su). By putting it in system-services, cron (and others) will break.

There are a few changes you should make here.

1) Add "auth optional pam_mount.so" immediately below the "auth include system-auth" line.

This line causes pam_mount to use your login password and mount the volume. It uses the password obtained from earlier on in the pam stack (usually pam_unix.so, which is in system-auth).

2) Change "auth include system-auth" to "auth substack system-auth".

This is because the system-auth stack can have an "auth sufficient" directive, which will tell pam to jump out of the rest of the auth stack. Since pam_mount.so is after "system-auth", an "auth sufficient" directive will skip it. By changing system_auth to a substack, the "auth sufficient" directive merely jumps out of the substack and continues on with pam_mount.so.

3) Add "session optional pam_mount.so" after the very last "session include" directive.

This line tells pam_mount.so to keep track of the number of login sessions for each user. When a session is closed, if there are 0 sessions left open for the user, it unmounts the volume. We place it at the very end so that the volume is unmounted as the very last action. This is so that if anything else in the pam session stack needs access to the home directory, it's still there.

Note that this will kill any backgrounded processes you have running once all your sessions are closed. If you have a screen session running and it's holding the mount open, it'll get killed. You theoretically could work around this by putting the "session optional pam_mount.so" in system-auth instead of system-login, but I haven't tried this, and don't know if pam_mount will behave in that scenario.

Just for reference, this is my system-login file:

```
auth         required        pam_tally2.so onerr=succeed
auth         required        pam_shells.so
auth         required        pam_nologin.so
auth         substack        system-auth
auth         optional        pam_mount.so
auth         optional        pam_gnome_keyring.so

account      required        pam_access.so
account      required        pam_nologin.so
account      include         system-auth
account      required        pam_tally2.so onerr=succeed

password     include         system-auth
password     optional        pam_gnome_keyring.so

session      optional        pam_loginuid.so
session      required        pam_env.so
session      optional        pam_lastlog.so
session      include         system-auth
session      optional        pam_ck_connector.so nox11
session      optional        pam_gnome_keyring.so auto_start
session      optional        pam_motd.so motd=/etc/motd
session      optional        pam_mail.so
session      optional        pam_mount.so
```

And for completeness, but it shouldn't matter, my system-auth (which is modified as I use sssd):

```
auth         required        pam_env.so
auth         sufficient      pam_unix.so try_first_pass likeauth nullok
auth         sufficient      pam_sss.so use_first_pass
auth         required        pam_deny.so

account      required        pam_unix.so
account      sufficient      pam_localuser.so
account      [default=bad success=ok user_unknown=ignore] pam_sss.so
account      optional        pam_permit.so

password     required        pam_cracklib.so difok=1 minlen=8 dcredit=2 ocredit=2 retry=3
password     sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password     sufficient      pam_sss.so use_authtok
password     required        pam_deny.so

session      required        pam_limits.so
session      required        pam_env.so
session      optional        pam_unix.so
session      optional        pam_sss.so
```
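As an added example (not from feystorm's post or the pam_mount project), a small POSIX shell check that applies the three placement rules from the post above to a system-login file. The `check_pam_mount_stack` function name is an assumption, and the sample files it creates are constructed, not real system configs.

```shell
#!/bin/sh
# Added example (not from the thread): check a /etc/pam.d/system-login file
# against the three pam_mount placement rules described above. Assumes
# one-word control fields (no "[...]" syntax) on the auth/session lines.
check_pam_mount_stack() {
    f="$1"
    # Drop comments and blank lines; emit "lineno type control module".
    stack=$(awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
                 { print NR, $1, $2, $3 }' "$f")
    pick() { printf '%s\n' "$stack" | awk "$1"; }
    substack=$(pick '$2=="auth" && $3=="substack" && $4=="system-auth" {print $1; exit}')
    include=$(pick '$2=="auth" && $3=="include" && $4=="system-auth" {print $1; exit}')
    mount_auth=$(pick '$2=="auth" && $4=="pam_mount.so" {print $1; exit}')
    mount_sess=$(pick '$2=="session" && $4=="pam_mount.so" {print $1; exit}')
    last_sess=$(pick '$2=="session" {n=$1} END {print n}')
    # Rule 2: system-auth must be a substack, otherwise an "auth sufficient"
    # inside it ends the whole auth stack before pam_mount is reached.
    if [ -n "$include" ] || [ -z "$substack" ]; then
        echo "FAIL $f: use 'auth substack system-auth', not 'include'"; return 1
    fi
    # Rule 1: auth pam_mount.so follows the substack so it can reuse the
    # password that pam_unix.so already collected.
    if [ -z "$mount_auth" ] || [ "$mount_auth" -lt "$substack" ]; then
        echo "FAIL $f: 'auth optional pam_mount.so' must follow the substack"; return 1
    fi
    # Rule 3: session pam_mount.so is the final session line so the home
    # volume is unmounted only after every other session module has run.
    if [ -z "$mount_sess" ] || [ "$mount_sess" -ne "$last_sess" ]; then
        echo "FAIL $f: 'session optional pam_mount.so' must be the last session line"; return 1
    fi
    echo "OK $f"
}
# Constructed sample files (not real system configs) to exercise the checks.
tmp=$(mktemp -d)
cat > "$tmp/good" <<'EOF'
auth      required   pam_nologin.so
auth      substack   system-auth
auth      optional   pam_mount.so
session   include    system-auth
session   optional   pam_motd.so motd=/etc/motd
session   optional   pam_mount.so
EOF
cat > "$tmp/bad" <<'EOF'
auth      include    system-auth
auth      optional   pam_mount.so
session   optional   pam_mount.so
EOF
check_pam_mount_stack "$tmp/good"
check_pam_mount_stack "$tmp/bad" || true
```

Run it as `sh check.sh` on a copy of your own system-login (or point the function at /etc/pam.d/system-login directly) to see which rule a stack violates.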

----------

