Mount

Why is pam_mount asking for a password?

  • April 3, 2016

I used the pam-auth-update tool to enable some PAM profiles:

PAM configuration 
PAM profiles to enable:
   [*] encfs encrypted home directories           
   [*] Unix authentication                             
   [*] Mount volumes for user                         
   [*] GNOME Keyring Daemon - Login keyring management  
   [*] ConsoleKit Session Management

Everything works as expected, except for one thing: the "Mount volumes for user" option seems to affect the su command.

I added the following line to the /etc/security/pam_mount.conf.xml file:

<volume user="morfik" fstype="fuse" path="encfs#/media/Server/Dropbox.encfs/Dropbox/encrypted" mountpoint="/media/Server/Dropbox" />

When I type su morfik in a terminal (as root), there shouldn't be any password prompt, but instead I see this:

# su morfik
reenter password for pam_mount:

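If I uncheck the "Mount volumes for user" option in the menu above, everything seems to be fine and the "reenter password" prompt disappears. I tried to play with the /etc/pam.d/ files, but I don't have any experience with PAM, and I couldn't get it to work.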

Does anyone know what has to be changed in those files?

Update #1

Here is the content of the /etc/pam.d directory:

# ls -al /etc/pam.d/
total 104K
drwxr-xr-x   2 root root 4.0K Mar 21 16:21 ./
drwxr-xr-x 153 root root  12K Mar 21 16:11 ../
-rw-r--r--   1 root root  197 Sep  8  2013 atd
-rw-r--r--   1 root root  384 May 25  2012 chfn
-rw-r--r--   1 root root   92 May 25  2012 chpasswd
-rw-r--r--   1 root root  581 May 25  2012 chsh
-rw-r--r--   1 root root 1.2K Mar 20 17:35 common-account
-rw-r--r--   1 root root 1.3K Mar 20 17:35 common-auth
-rw-r--r--   1 root root 1.5K Mar 20 17:35 common-password
-rw-r--r--   1 root root 1.3K Mar 20 17:35 common-session
-rw-r--r--   1 root root 1.2K Mar 20 17:35 common-session-noninteractive
-rw-r--r--   1 root root  527 Jul  3  2012 cron
-rw-r--r--   1 root root   69 Jul 16  2013 cups-daemon
-rw-r--r--   1 root root 4.8K Mar  5 10:18 login
-rw-r--r--   1 root root   92 May 25  2012 newusers
-rw-r--r--   1 root root  520 Jul 22  2008 other
-rw-r--r--   1 root root  147 Feb 13 07:15 passwd
-rw-r--r--   1 root root  255 Oct 15 18:40 polkit-1
-rw-r--r--   1 root root   84 Dec 27 12:40 samba
-rw-r--r--   1 root root 2.1K Feb 15 03:11 sshd
-rw-r--r--   1 root root 2.3K May 25  2012 su
-rw-r--r--   1 root root   95 Jan 15 22:58 sudo
-rw-r--r--   1 root root  108 Oct 19 23:42 xscreensaver

There is no /etc/pam.d/system-auth file.

I checked which files have pam_mount in their content, and I got this:

# egrep -i pam_mount *
common-auth:auth        optional        pam_mount.so
common-session:session  optional        pam_mount.so

The content of the files:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth    sufficient              pam_encfs.so 
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth    requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional    pam_mount.so 
# end of pam-auth-update config

and:

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]         pam_permit.so
# here's the fallback if no module succeeds
session requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required    pam_unix.so 
session optional    pam_mount.so 
session optional            pam_ck_connector.so nox11
# end of pam-auth-update config

Update #2

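I'm using Debian testing. I tried to change the position of pam_mount, but it's always the same. I have read some parts of the manual, and there is something like this: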

 When "sufficient" is used in the second column, you must make sure that
   pam_mount is added before this entry. Otherwise pam_mount will not  get
   executed  should  a  previous  PAM module succeed. Also be aware of the
   "include" statements. These make PAM look into the specified  file.  If
   there is a "sufficient" statement, then the pam_mount entry must either
   be in the included file before the "sufficient" statement or before the
   "include" statement.

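I even added pam_mount to the /etc/pam.d/su file to check whether that makes any difference, but it doesn't. If pam_mount comes first, just like they said, then instead of the password prompt I get the pam_mount password prompt when I log in to the system, and it still asks for a password when I try su morfik.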

I ran into the same problem.

It turned out that the problem is solved by adding the disable_interactive option to pam_mount.so in the configuration files (/etc/pam.d/common-{auth,session}).

It goes right after pam_mount.so, with options separated by spaces (from the .so filename and between every two options).

When the pam_mount.so code runs at login, it receives the password from the top of the stack and uses that password to decrypt your volume.

When you su from a root session, no password is needed, so pam_mount.so doesn't get any password. Therefore, without the disable_interactive option, it will try to obtain one.

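Fortunately, as you can see from https://sourceforge.net/p/pam-mount/pam-mount/ci/master/tree/src/pam_mount.c, line 493, pam_mount will try to continue even without a password, which is good, because no password is needed if the volume is already unlocked and mounted.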
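
The check below is an added example, not part of the original answer or of pam_mount itself: it lists active pam_mount.so entries that lack disable_interactive and previews the corrected line without touching the file. The function names and the sample stacks (modelled on the files quoted in the question) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find pam_mount.so entries that lack disable_interactive.
# Function names and the sample files are constructed for illustration.

# Print "file:line:type" for each active pam_mount.so entry without the option.
pam_mount_missing_opt() {
    awk '{
        sub(/#.*/, "")                      # ignore comments
        for (i = 2; i <= NF; i++) {
            if ($i !~ /(^|\/)pam_mount\.so$/) continue
            found = 0
            for (j = i + 1; j <= NF; j++)
                if ($j == "disable_interactive") found = 1
            if (!found) printf "%s:%d:%s\n", FILENAME, FNR, $1
        }
    }' "$@"
}

# Preview the corrected file on stdout; the input file is not modified.
pam_mount_add_opt() {
    sed '/^[^#]*pam_mount\.so/{
        /disable_interactive/!s/pam_mount\.so/& disable_interactive/
    }' "$1"
}

# Constructed sample stacks, modelled on the files quoted in the question.
write_sample() {
    printf '%s\n' \
        '# here are the per-package modules (the "Primary" block)' \
        'auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass' \
        'auth    requisite   pam_deny.so' \
        'auth    optional    pam_mount.so ' > "$1/common-auth"
    printf '%s\n' \
        'session required    pam_unix.so ' \
        'session optional    pam_mount.so disable_interactive' \
        '# session optional  pam_mount.so' > "$1/common-session"
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
pam_mount_missing_opt "$demo_dir/common-auth" "$demo_dir/common-session"
pam_mount_add_opt "$demo_dir/common-auth" | grep pam_mount
rm -rf "$demo_dir"
```

On a real system the same function can be pointed at /etc/pam.d/*. Since the file headers quoted above say common-auth and common-session are managed by pam-auth-update, rerun the check after that tool regenerates them.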

Source: https://unix.stackexchange.com/questions/120762