Bug 232040 - pam_mount needs to be first entry in /etc/pam.d/SERVICE configuration
Product: Fedora
Classification: Fedora
Component: pam_mount
All Linux
medium Severity medium
Assigned To: Till Maas
Fedora Extras Quality Assurance
Reported: 2007-03-13 14:02 EDT by Kevin R. Page
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2007-07-17 08:48:37 EDT

Description Kevin R. Page 2007-03-13 14:02:46 EDT
Contrary to /usr/share/doc/pam_mount-0.18/README and anecdotal evidence of
previous FC releases, the auth entry for pam_mount seems to need to be the first
in any /etc/pam.d/SERVICE configuration.

Anything else, e.g.
auth       required    pam_env.so
auth       include     system-auth
auth       optional    pam_mount.so use_first_pass
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    optional    pam_keyinit.so force revoke
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_console.so
session    optional    pam_mount.so

fails with:
pam_mount: error trying to retrieve authtok from auth code.

and you need to (re-)enter a second password for pam_mount. Placing the
pam_mount entry first fixes the issue.

I don't know whether this is now the desired behavior? In which case I guess
it's just a doc fix.

Comment 1 Till Maas 2007-03-24 08:11:47 EDT
(In reply to comment #0)
> Contrary to /usr/share/doc/pam_mount-0.18/README and anecdotal evidence of

> #%PAM-1.0
> auth       required    pam_env.so
> auth       include     system-auth

If you look into /etc/pam.d/system-auth, which is included, you will notice that
there is an "auth sufficient <something>" line in it. pam_mount needs to be
invoked before any "auth sufficient" line, because only pam modules until the
first succeeding sufficient module will be used. This is somehow already mentioned
in the README, except that the "include" keyword is not mentioned.

Comment 2 Till Maas 2007-03-24 08:16:46 EDT
Ah, I just noticed that pam_mount gets executed but does not get the password in
this configuration. Hm, but maybe this is only the session part. I will ask

Comment 3 Till Maas 2007-03-24 09:25:49 EDT
From Fedora Core 5 release notes:

auth       required     pam_securetty.so
auth       include      system-auth
# no module should remain after 'include' if 'sufficient' might
# be used in the included configuration file
# pam_nologin moved to account phase - it's more appropriate there
# other modules might be moved before the system-auth 'include'

So I guess

auth       required    pam_env.so
auth       include     system-auth
auth       optional    pam_mount.so use_first_pass

will never work.
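
The ordering rule from comments 1 and 3, as an added example that is not part of the original bug thread or of pam_mount: a small Python lint that resolves `include` lines and lists the modules sitting after the first `sufficient` entry of a management group. The `system-auth` content is a constructed sample (the thread does not quote it), and the function names are hypothetical.

```python
import re

# Constructed sample: SERVICE holds auth/session lines quoted in this bug;
# the system-auth content is an assumed layout, not taken from the thread.
SAMPLE = {
    "SERVICE": """\
auth       required    pam_env.so
auth       include     system-auth
auth       optional    pam_mount.so use_first_pass
session    include     system-auth
session    optional    pam_mount.so
""",
    "system-auth": """\
auth       required    pam_env.so
auth       sufficient  pam_unix.so nullok try_first_pass
auth       required    pam_deny.so
session    required    pam_unix.so
""",
}

# type, control (keyword or [bracketed] form), module or included file name
ENTRY = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def flatten(files, name, mtype, seen=()):
    """Return [(source_file, control, module)] for one type, resolving 'include'."""
    if name in seen:
        raise ValueError(f"include loop at {name}")
    out = []
    for line in files[name].splitlines():
        m = ENTRY.match(line.split("#", 1)[0].strip())
        if not m or m.group(1).lstrip("-") != mtype:
            continue
        control, target = m.group(2), m.group(3)
        if control == "include":
            out += flatten(files, target, mtype, seen + (name,))
        else:
            out.append((name, control, target))
    return out

def skipped_after_sufficient(files, service, mtype="auth"):
    """Modules after the first 'sufficient' entry of the flattened stack."""
    # When that entry succeeds and no earlier 'required' module failed,
    # PAM returns at once and these modules never run.
    stack = flatten(files, service, mtype)
    for i, (_, control, _) in enumerate(stack):
        if control == "sufficient":
            return [module for _, _, module in stack[i + 1:]]
    return []

if __name__ == "__main__":
    print({t: skipped_after_sufficient(SAMPLE, "SERVICE", t) for t in ("auth", "session")})
```

Only the `sufficient` keyword is recognised; bracketed controls such as `[success=done ...]` are parsed but not evaluated.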
Comment 4 Till Maas 2007-07-17 08:48:37 EDT
There is an additional note now in upstream's repository, that will be included
in the next upstream release:

