Why does pam_mount ask for a password?


8

I used the pam-auth-update tool to enable a few PAM configuration profiles:

 PAM configuration 
 PAM profiles to enable:
    [*] encfs encrypted home directories           
    [*] Unix authentication                             
    [*] Mount volumes for user                         
    [*] GNOME Keyring Daemon - Login keyring management  
    [*] ConsoleKit Session Management

Everything works as expected except one thing: the "Mount volumes for user" option seems to affect the su command.

I added the following line to the /etc/security/pam_mount.conf.xml file:

<volume user="morfik" fstype="fuse" path="encfs#/media/Server/Dropbox.encfs/Dropbox/encrypted" mountpoint="/media/Server/Dropbox" />

When I type su morfik in a terminal (as root), there should be no password prompt at all, but what I see is:

# su morfik
reenter password for pam_mount:

If I uncheck the "Mount volumes for user" option in the menu above, everything seems fine and the "reenter password" prompt goes away. I tried playing with the /etc/pam.d/ files, but I have no experience with PAM and couldn't get it working.

Does anyone know what needs to be changed in those files?

Update #1

Here are the contents of the /etc/pam.d directory:

# ls -al /etc/pam.d/
total 104K
drwxr-xr-x   2 root root 4.0K Mar 21 16:21 ./
drwxr-xr-x 153 root root  12K Mar 21 16:11 ../
-rw-r--r--   1 root root  197 Sep  8  2013 atd
-rw-r--r--   1 root root  384 May 25  2012 chfn
-rw-r--r--   1 root root   92 May 25  2012 chpasswd
-rw-r--r--   1 root root  581 May 25  2012 chsh
-rw-r--r--   1 root root 1.2K Mar 20 17:35 common-account
-rw-r--r--   1 root root 1.3K Mar 20 17:35 common-auth
-rw-r--r--   1 root root 1.5K Mar 20 17:35 common-password
-rw-r--r--   1 root root 1.3K Mar 20 17:35 common-session
-rw-r--r--   1 root root 1.2K Mar 20 17:35 common-session-noninteractive
-rw-r--r--   1 root root  527 Jul  3  2012 cron
-rw-r--r--   1 root root   69 Jul 16  2013 cups-daemon
-rw-r--r--   1 root root 4.8K Mar  5 10:18 login
-rw-r--r--   1 root root   92 May 25  2012 newusers
-rw-r--r--   1 root root  520 Jul 22  2008 other
-rw-r--r--   1 root root  147 Feb 13 07:15 passwd
-rw-r--r--   1 root root  255 Oct 15 18:40 polkit-1
-rw-r--r--   1 root root   84 Dec 27 12:40 samba
-rw-r--r--   1 root root 2.1K Feb 15 03:11 sshd
-rw-r--r--   1 root root 2.3K May 25  2012 su
-rw-r--r--   1 root root   95 Jan 15 22:58 sudo
-rw-r--r--   1 root root  108 Oct 19 23:42 xscreensaver

There is no /etc/pam.d/system-auth file.

I checked which files contain pam_mount and got:

# egrep -i pam_mount *
common-auth:auth        optional        pam_mount.so
common-session:session  optional        pam_mount.so

File contents:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    sufficient              pam_encfs.so 
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth    requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional    pam_mount.so 
# end of pam-auth-update config

and:

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]         pam_permit.so
# here's the fallback if no module succeeds
session requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required    pam_unix.so 
session optional    pam_mount.so 
session optional            pam_ck_connector.so nox11
# end of pam-auth-update config

Update #2

I'm using Debian testing. I tried changing the position of pam_mount, but the result is always the same. I read some parts of the manual, which say:

 When "sufficient" is used in the second column, you must make sure that
   pam_mount is added before this entry. Otherwise pam_mount will not  get
   executed  should  a  previous  PAM module succeed. Also be aware of the
   "include" statements. These make PAM look into the specified  file.  If
   there is a "sufficient" statement, then the pam_mount entry must either
   be in the included file before the "sufficient" statement or before the
   "include" statement.

I even added pam_mount to the /etc/pam.d/su file to check whether it makes any difference, but it doesn't matter. If pam_mount worked the way they describe, then instead of this password prompt I would see the "pam_mount password" prompt when logging in to the system, but it still asks for a password when I try su morfik.


Did you solve it?
PSkocik '16

Actually, I stopped using encfs a long time ago, and I never solved the problem back then. I just installed the appropriate PAM module, and when I "su" from root to the user in question there is no password prompt. But as soon as I add the volume line to the /etc/security/pam_mount.conf.xml file, the prompt starts appearing.
Mikhail Morfikov

Answers:


2

Ran into the same problem.

It turns out the problem can be fixed by adding the disable_interactive option to the pam_mount.so entries in the config files (/etc/pam.d/common-{auth,session}).

It goes right after pam_mount.so, with options separated by spaces (between the .so file name and the first option, and between each pair of options).

When the pam_mount.so code is executed as part of a normal login, it receives the password from the top of the stack and uses it to decrypt your volume.

When you su from a root session, no password is needed, so pam_mount.so doesn't get one. Without the disable_interactive option it therefore tries to ask for a password.

Luckily, as you can see at line 493 of https://sourceforge.net/p/pam-mount/pam-mount/ci/master/tree/src/pam_mount.c, pam_mount tries to continue even without a password, which is good because if the volume is already unlocked and mounted, no password is needed.


I tested the parameter only partially, since I no longer use encfs. I just created the directories and installed the appropriate PAM module. After adding "disable_interactive" to both files, it actually stopped showing the password prompt. I'm not sure whether the "mount failed" message is due to the password or because there is no "encfs directory". Either way, I managed to switch user without a password, so I accept this answer.
Mikhail Morfikov
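To make the accepted fix checkable rather than hand-edited, here is an added example (my own script, not code from the thread or from pam_mount) that audits PAM files for pam_mount.so lines lacking disable_interactive and appends the option. The sample common-auth and common-session files are constructed from the question's configs so it runs offline; on a real Debian system you would point it at /etc/pam.d/common-auth and /etc/pam.d/common-session instead.

```shell
#!/bin/sh
# Added example, not code from the original thread: audit Debian-style PAM
# files for pam_mount.so entries lacking disable_interactive and append it.
# The sample files are constructed from the question's common-auth and
# common-session so this runs offline; on a real system point it at
# /etc/pam.d/common-auth and /etc/pam.d/common-session instead.

# Print each non-comment line of FILE that loads pam_mount.so without a
# whitespace-separated disable_interactive option (nothing once fixed).
pam_mount_missing() {
    awk '$0 !~ /^[[:space:]]*#/ && /pam_mount\.so/ &&
         $0 !~ /(^|[[:space:]])disable_interactive([[:space:]]|$)/' "$1"
}

# Number of offending lines in FILE (0 when nothing needs changing).
pam_mount_missing_count() {
    pam_mount_missing "$1" | awk 'END { print NR }'
}

# Rewrite FILE: trim trailing whitespace on each offending line and append
# " disable_interactive". Module options are whitespace-separated after the
# .so name, so existing options are kept; comments and lines that already
# carry the option pass through unchanged, which makes the fix idempotent.
pam_mount_fix() {
    sed -e '/^[[:space:]]*#/b' \
        -e '/pam_mount\.so/{' \
        -e '/disable_interactive/b' \
        -e 's/[[:space:]]*$/ disable_interactive/' \
        -e '}' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

workdir=$(mktemp -d)
cat > "$workdir/common-auth" <<'EOF'
auth    sufficient              pam_encfs.so
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
auth    requisite           pam_deny.so
auth    required            pam_permit.so
# pam_mount sits in the "Additional" block, after the primary modules
auth    optional    pam_mount.so
EOF
cat > "$workdir/common-session" <<'EOF'
session required    pam_unix.so
session optional    pam_mount.so
session optional            pam_ck_connector.so nox11
EOF
for f in "$workdir/common-auth" "$workdir/common-session"; do
    echo "$f: $(pam_mount_missing_count "$f") line(s) missing disable_interactive"
    pam_mount_fix "$f"
    grep 'pam_mount\.so' "$f"
done
```

Run it as root against the real files only after backing them up; a broken common-auth can lock you out of every PAM-using login path, so keep a root shell open while testing.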

1

Totally a guess, but look at your /etc/pam.d/* files and make sure all the PAM configuration related to pam_mount is set up like this:

auth optional pam_mount.so
...
auth include system-auth use_first_pass
...
session optional pam_mount.so

The pam_mount.conf man page seems to back this up:

excerpt

Messages
   <msg-authpw>pam_mount password:</msg-authpw>
        When  pam_mount cannot obtain a password through PAM, or is 
        configured to not do so in the first place, and is configured to ask 
        for a password interactively as a replacement, this prompt  will be 
        shown.

   <msg-sessionpw>reenter...:</msg-sessionpw>
        In  case  the  'session' PAM block does not have the password (e.g. 
        on su from root to user), it will ask again. This prompt can also be 
        customized.

NOTE: The ordering of the /etc/pam.d/* configuration files is also referenced in the ArchLinux Wiki topic titled: Pam mount.

@MikhailMorfikov - I'm not sure whether you're using Debian or Ubuntu, but if you look at the pam_mount man page, there are several examples of how to build the PAM order using this module. Can you take a look and compare it against your /etc/pam.d/* files? I expect you'll need to make changes around your PAM stack. Could you run this command: strace -s 2000 -o su.log su morfik? That way we can see which rules are in play.
slm

I updated the question.
Mikhail Morfikov 2014
Licensed under cc by-sa 3.0 with attribution required.