Bug 1001069 - pam_mount does not reuse password after latest update
pam_mount does not reuse password after latest update
Product: Fedora
Classification: Fedora
Component: pam_mount (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Till Maas
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2013-08-26 08:41 EDT by Milan Kerslager
Modified: 2013-09-21 11:10 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-09-21 11:10:57 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
pam_mount.conf.xml (1.11 KB, text/plain)
2013-08-26 16:01 EDT, Milan Kerslager
no flags Details
/etc/pam.d/system-auth-ac (1.35 KB, text/plain)
2013-08-26 16:24 EDT, Milan Kerslager
no flags Details
system logs, pam_mount debug was on when huzva logged in (7.01 KB, text/plain)
2013-08-26 16:34 EDT, Milan Kerslager
no flags Details

  None (edit)
Description Milan Kerslager 2013-08-26 08:41:38 EDT
I have setup with pam_mount-2.13-3.fc19.x86_64 which works. I'm mounting network share by using the same login and password as is used to authenticate. The pam_mount module has no parameter in my working pam configuration.

Latest update to pam_mount-2.13-4.20130707git966c6bea.fc19.x86_64 forces my users to input password twice no matter if the authentication goes through GDM, sshd or getty.

Simple downgrade solves the problem, so there is a bug with reusing password from stacked modules in latest update of this PAM module. I tryed to use undocumented parametr enable_pam_password (this is default) with no luck. I tryed to use disable_interactive parameter too which prevent mounting to work because module does not have a password at all.
Comment 1 Till Maas 2013-08-26 09:10:34 EDT
Milan, would you please add your pam and pam_mount config files?

Jan, would you please take a look?
Comment 2 Milan Kerslager 2013-08-26 16:01:42 EDT
Created attachment 790671 [details]
Comment 3 Milan Kerslager 2013-08-26 16:24:51 EDT
Created attachment 790686 [details]
Comment 4 Milan Kerslager 2013-08-26 16:34:57 EDT
Created attachment 790688 [details]
system logs, pam_mount debug was on when huzva logged in

The password has to be entered twice to mount home directory form the server. Login server (contacted by winbind, Samba PDC) has the huzva account, there is no huzva account locally. The same server provide home directory for the user. So the password is the same.
Comment 5 Milan Kerslager 2013-08-26 16:43:58 EDT
Well. I'm not able to reproduce the behaviour of downgrading to older pam_mount at home. So I have to investigate it tomorrow at work once more.
Comment 6 Till Maas 2013-09-05 16:42:47 EDT
Milan, do you have any news? I can provide you with an update to 2.14, but it does not seem to contain many changes that might help here.
Comment 7 Milan Kerslager 2013-09-05 19:22:50 EDT
I have a tip to use "enable_pam_password" option, but I did not try it yet by myself. Something like:

auth     optional pam_mount.so enable_pam_password
session  optional pam_mount.so enable_pam_password
Comment 8 Jan Engelhardt 2013-09-05 21:01:33 EDT
There is no "enable_pam_password" option, hence there is nothing to document.

Your problem is that pam_mount.so is after "sufficient pam_unix.so". Under certain circumstances — namely that your account is managed through /etc/shadow — pam_mount's auth stage never gets called and thus cannot grab the password.

This is already "resolved" in my git working copy where I have a modification cooking that updates the documentation about the importance of where "auth optional pam_mount.so" is supposed to go.
Comment 9 Jan Engelhardt 2013-09-05 21:02:44 EDT
>There is no "enable_pam_password" option, hence there is nothing to document.

Well spoke to soon — the option is there, but it is the default anyway. You would need a very good reason to use "disable_pam_password" (=force password re-entry) IMO.
Comment 10 Jan Engelhardt 2013-09-05 21:04:01 EDT
>I tryed to use undocumented parametr enable_pam_password

And because three is a charm, it is even (loosely) documented: in doc/options.txt. :)
Comment 11 Till Maas 2013-09-21 11:10:57 EDT
As far as I can see, this is not a bug in pam_mount. If it is, please re-open this bug.

Note You need to log in before you can comment on or make changes to this bug.