# pam_mount: have to enter password twice

## JohnN

My encrypted home directories were working just fine until I decided to download kdm and dependencies and use pam_mount with that. That still hasn't worked out, and I went back to console login. However, ever since, the first time I enter my password I get the following error:

 *Quote:*   

> pam_mount: error trying to retrieve authtok from auth code

 

When I enter it a second time, it logs me in. What could be going on?

Here's what I have in /etc/pam.d/login:

 *Quote:*   

> auth       required     pam_securetty.so
> 
> auth       include      system-auth
> 
> auth       required     pam_tally.so file=/var/log/faillog onerr=succeed no_magic_root
> ...

 

I configured /etc/security/pam_mount.conf as per the excellent instructions in the Gentoo forum: https://forums.gentoo.org/viewtopic-t-274651-highlight-pammount.html

----------

## nullkey

I solved that problem by changing those

```
auth include system-auth
...
password include system-auth
...
session include system-auth
```

lines to

```
auth required /lib/security/pam_stack.so service=system-auth
...
password required /lib/security/pam_stack.so service=system-auth
...
session required /lib/security/pam_stack.so service=system-auth
```

and rebooted (login must be restarted, and a reboot is an easy way to do that).

I'm not sure if it has some side effects, but for me it is still working.

----------

## JohnN

Thanks! I always wondered why my pam configuration didn't use pam_stack, but, as I said, it was working before. Your change solved the problem perfectly.

----------

## hippysurfer

I am getting the same problem but from /etc/pam.d/su:

```
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_wheel.so use_uid
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_xauth.so
session    optional     /lib/security/pam_mount.so
```

The pam_mount FAQ says that the problem can be caused by the pam_mount line being after a 'sufficient' line, so I have tried putting the pam_mount line at the top. But that made no difference.

Every time I su I get:

```
bash-2.05b$ su - guest
Password:
pam_mount: error trying to retrieve authtok from auth code
reenter password:  
```

Does anyone have any ideas?

Regards

----------

## Massimo B.

 *nullkey wrote:*   

> I solved that problem

Thank you. forums.gentoo.org is great because most of the time my strange problems are already solved.

Will pam_mount come into the official portage tree?

----------

## firesox

Hi there,

I want to refresh this thread, because I have the same issue. The solution mentioned here won't work for me (and for many others, I guess), because the Red Hat patches were removed from the PAM package, so there is no pam_stack anymore.

My problem is that I have to add the password twice. Logging into KDE, pam_mount isn't parsed, because I suppose that KDE, if having one valid password, just starts up without asking for a second one needed by pam_mount.

Here is my system-auth:

```
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_krb5.so use_first_pass likeauth
auth       required     pam_deny.so
auth       optional     pam_mount.so use_first_pass

account    required     pam_unix.so
account    sufficient   pam_krb5.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_krb5.so use_first_pass
password   required     pam_deny.so

session    required     pam_mkhomedir.so silent skel=/etc/skel umask=022
session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_krb5.so
session    optional     pam_mount.so
```

And my /etc/pam.d/login:

```
#%PAM-1.0
auth       required     pam_securetty.so
auth       include      system-auth
auth       required     pam_tally.so file=/var/log/faillog onerr=succeed no_magic_root
auth       required     pam_shells.so
auth       required     pam_nologin.so

account    required     pam_access.so
account    include      system-auth
account    required     pam_tally.so deny=0 file=/var/log/faillog onerr=succeed no_magic_root

password   include      system-auth

session    include      system-auth
session    required     pam_env.so
session    optional     pam_lastlog.so
session    optional     pam_motd.so motd=/etc/motd
session    optional     pam_mail.so

# If you want to enable pam_console, uncomment the following line
# and read carefully README.pam_console in /usr/share/doc/pam*
#session    optional    pam_console.so
```

Thanks for any help.

----------

## firesox

It works. I moved pam_mount up in the first chapter of system-auth, like this:

```
auth       required     pam_env.so
auth       optional     pam_mount.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_krb5.so use_first_pass likeauth
auth       required     pam_deny.so
```

If there are problems with SSH, it might help to set the following options in /etc/ssh/sshd_config:

```
ChallengeResponseAuthentication no
PasswordAuthentication yes
```

But another problem: pam_mount isn't unmounting the shares during logout. Any hint?

----------
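
Added example (not part of any post in this thread, and not pam_mount's own code): a small Python check for the ordering problem discussed above, where pam_mount's auth rule sits after a `sufficient` rule, or is missing from the auth stack while the session stack uses it. The `FILES` contents are constructed from the configs posted above; `flatten` and `check_pam_mount` are hypothetical helper names, and only `include` rules are followed (not pam_stack).

```python
import os
import re

# Rule syntax: type control module [args]; control may be a [bracketed] list.
RULE = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# Constructed input: the auth/session lines of the configs posted in this thread.
FILES = {
    "login": "auth required pam_securetty.so\n"
             "auth include system-auth\n"
             "session include system-auth\n",
    "system-auth": "auth required pam_env.so\n"
                   "auth sufficient pam_unix.so likeauth nullok\n"
                   "auth sufficient pam_krb5.so use_first_pass likeauth\n"
                   "auth required pam_deny.so\n"
                   "auth optional pam_mount.so use_first_pass\n"
                   "session optional pam_mount.so\n",
}

def flatten(service, files, mtype, seen=()):
    """Yield (file, control, module) for one type, following 'include' rules."""
    if service in seen:          # guard against include loops
        return
    for line in files.get(service, "").splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if not m or m.group(1) != mtype:
            continue
        control, module = m.group(2), os.path.basename(m.group(3))
        if control == "include":
            yield from flatten(module, files, mtype, seen + (service,))
        else:
            yield service, control, module

def check_pam_mount(service, files):
    """Return findings that explain a second password prompt from pam_mount."""
    auth = list(flatten(service, files, "auth"))
    modules = [mod for _, _, mod in auth]
    if "pam_mount.so" not in modules:
        in_session = any(mod == "pam_mount.so"
                         for _, _, mod in flatten(service, files, "session"))
        return ["session runs pam_mount.so but auth never does"] if in_session else []
    first = modules.index("pam_mount.so")
    return [f"{src}: '{ctl}' {mod} precedes pam_mount.so"
            for src, ctl, mod in auth[:first] if ctl == "sufficient"]

if __name__ == "__main__":
    for finding in check_pam_mount("login", FILES):
        print(finding)
```

With the reordered system-auth from the post above (pam_mount directly after pam_env), the same check returns no findings.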

## Massimo B.

 *firesox wrote:*   

> But another problem: pam_mount isn't unmounting the shares during logout. Any hint?

Yes, that's a common problem when applications still access the mount area, I remember. So logout maybe doesn't go to a secure status and your crypted home is still open.

----------

## firesox

 *paoleela wrote:*   

> logout maybe doesn't go to a secure status and your crypted home is still open.

 

I have no encrypted home; they are Samba shares, but I think it's the same effect. In fact, I'm not accessing the share, just logging in, checking success with a "mount" and logging out - and the shares will last.

----------

## Massimo B.

There was a workaround with `-l` (lazy unmount), but you can't be sure it's unmounted.

----------

## firesox

Tried the lazy one, but no luck. The output from pam_mount produces the following errors upon logging out:

```
pam_mount(misc.c:346) error setting uid to 0
pam_mount(mount.c:487) umount errors (should be empty):
pam_mount(mount.c:100) pam_mount(misc.c:341) set_myuid(pre): real uid/gid=3000:5000, effective uid/gid=3000:5000
pam_mount(mount.c:100) pam_mount(misc.c:346) error setting uid to 0
pam_mount(mount.c:100) You are not allowed to umount /home/user/data
pam_mount(mount.c:490) waiting for umount
pam_mount(pam_mount.c:558) unmount of user failed
```

It seems that I have no rights as a user to unmount the shares. Any hint as to what will do the trick without setting a suid bit on a mount command?

Edit: I found this as an explanation, why an umount doesn't work.

 *Quote:*   

> See how when login executes pam_mount's session closing code it does so with a
> 
> UID and EUID of 3000 [in my case]? Login is giving up its root privileges too early (like
> 
> Debian's login does). Pam_mount can't unmount arbitrary volumes running with an
> ...

 

Does anyone know how to accomplish closing a session as root?

Edit 2: I've found out that a logout from a virtual terminal (ttyX) will unmount the shares, but not after an SSH session.

----------

