Bug 232040

Summary: pam_mount needs to be first entry in /etc/pam.d/SERVICE configuration
Product: [Fedora] Fedora
Reporter: Kevin R. Page <redhat-bugzilla>
Component: pam_mount
Assignee: Till Maas <opensource>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 6
Hardware: All   
OS: Linux   
Last Closed: 2007-07-17 12:48:37 UTC

Description Kevin R. Page 2007-03-13 18:02:46 UTC
Contrary to /usr/share/doc/pam_mount-0.18/README and anecdotal evidence of
previous FC releases, the auth entry for pam_mount seems to need to be the first
in any /etc/pam.d/SERVICE configuration.

Anything else, e.g.
#%PAM-1.0
auth       required    pam_env.so
auth       include     system-auth
auth       optional    pam_mount.so use_first_pass
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    optional    pam_keyinit.so force revoke
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_console.so
session    optional    pam_mount.so

fails with:
pam_mount: error trying to retrieve authtok from auth code.

and you need to (re-)enter a second password for pam_mount. Placing the
pam_mount entry first fixes the issue.

I don't know whether this is now the desired behavior? In which case I guess
it's just a doc fix.

pam_mount-0.18-1.fc6
pam-0.99.6.2-3.16.fc6

Comment 1 Till Maas 2007-03-24 12:11:47 UTC
(In reply to comment #0)
> Contrary to /usr/share/doc/pam_mount-0.18/README and anecdotal evidence of

> #%PAM-1.0
> auth       required    pam_env.so
> auth       include     system-auth

If you look into /etc/pam.d/system-auth, which is included, you will notice that
there is an "auth sufficient <something>" line in it. pam_mount needs to be
invoked before any "auth sufficient" line, because only pam modules until the
first succeeding sufficient module will be used. This is somehow already mentioned
in the README, except that the "include" keyword is not mentioned.



Comment 2 Till Maas 2007-03-24 12:16:46 UTC
Ah, I just noticed that pam_mount gets executed but does not get the password in
this configuration. Hm, but maybe this is only the session part. I will ask
upstream.

Comment 3 Till Maas 2007-03-24 13:25:49 UTC
From Fedora Core 5 release notes:
http://download.fedora.redhat.com/pub/fedora/linux/core/5/i386/os/RELEASE-NOTES-en.html

#%PAM-1.0
auth       required     pam_securetty.so
auth       include      system-auth
# no module should remain after 'include' if 'sufficient' might
# be used in the included configuration file
# pam_nologin moved to account phase - it's more appropriate there
# other modules might be moved before the system-auth 'include'

So I guess

auth       required    pam_env.so
auth       include     system-auth
auth       optional    pam_mount.so use_first_pass

will never work.

Comment 4 Till Maas 2007-07-17 12:48:37 UTC
There is an additional note now in upstream's repository, that will be included
in the next upstream release:

http://pam-mount.svn.sourceforge.net/viewvc/pam-mount/trunk/dry/pam_mount.8?r1=223&r2=222&pathrev=223
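
Added example (not part of the bug report or of pam_mount): a small checker for the ordering rule from comment 1 and the release notes quoted in comment 3. It inlines "include" lines and reports modules in a service file that come after a "sufficient" line and are therefore skipped when that module succeeds. The file contents, the names "broken" and "fixed", and the pam_unix.so line are constructed samples.

```python
import re

# Constructed sample files (not taken from a real system); the module after
# "sufficient" in system-auth is an assumption, the bug only says "<something>".
CONFIGS = {
    "system-auth": """\
auth  required    pam_env.so
auth  sufficient  pam_unix.so nullok try_first_pass
auth  required    pam_deny.so
session required  pam_unix.so
""",
    "broken": """\
#%PAM-1.0
auth  required  pam_env.so
auth  include   system-auth
auth  optional  pam_mount.so use_first_pass
""",
    "fixed": """\
#%PAM-1.0
auth  optional  pam_mount.so
auth  required  pam_env.so
auth  include   system-auth
""",
}

LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def expand(service, configs, mtype="auth", seen=()):
    """Return [(control, module, origin_file)] for one stack, inlining 'include'."""
    if service in seen:
        raise ValueError(f"include loop at {service}")
    stack = []
    for raw in configs[service].splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != mtype:
            continue
        control, target = m.group(2), m.group(3)
        if control == "include":
            stack += expand(target, configs, mtype, seen + (service,))
        else:
            stack.append((control, target, service))
    return stack

def skipped_on_success(service, configs, mtype="auth"):
    """Modules listed in `service` itself that sit after a terminating control."""
    stack = expand(service, configs, mtype)
    first = next((i for i, (c, _, _) in enumerate(stack)
                  if c == "sufficient" or "success=done" in c), len(stack))
    return [mod for _, mod, origin in stack[first + 1:] if origin == service]
```

skipped_on_success("broken", CONFIGS) returns ["pam_mount.so"], and the same call on "fixed" returns an empty list.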