|Summary:||pam_mount needs to be first entry in /etc/pam.d/SERVICE configuration|
|Product:||[Fedora] Fedora||Reporter:||Kevin R. Page <redhat-bugzilla>|
|Component:||pam_mount||Assignee:||Till Maas <opensource>|
|Status:||CLOSED UPSTREAM||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2007-07-17 12:48:37 UTC||Type:||---|
Description Kevin R. Page 2007-03-13 18:02:46 UTC
Contrary to /usr/share/doc/pam_mount-0.18/README and anecdotal evidence of previous FC releases, the auth entry for pam_mount seems to need to be the first in any /etc/pam.d/SERVICE configuration. Anything else, e.g.

    #%PAM-1.0
    auth       required     pam_env.so
    auth       include      system-auth
    auth       optional     pam_mount.so use_first_pass
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    required     pam_loginuid.so
    session    optional     pam_console.so
    session    optional     pam_mount.so

fails with:

    pam_mount: error trying to retrieve authtok from auth code.

and you need to (re-)enter a second password for pam_mount. Placing the pam_mount entry first fixes the issue.

I don't know whether this is now the desired behavior? In which case I guess it's just a doc fix.

pam_mount-0.18-1.fc6
pam-0.99.6.2-3.16.fc6
Comment 1 Till Maas 2007-03-24 12:11:47 UTC
(In reply to comment #0)
> Contrary to /usr/share/doc/pam_mount-0.18/README and anecdotal evidence of
> #%PAM-1.0
> auth required pam_env.so
> auth include system-auth

If you look into /etc/pam.d/system-auth, which is included, you will notice that there is an "auth sufficient <something>" line in it. pam_mount needs to be invoked before any "auth sufficient" line, because only pam modules until the first succeeding sufficient module will be used. This is somehow already mentioned in the README, except that the "include" keyword is not mentioned.
Comment 2 Till Maas 2007-03-24 12:16:46 UTC
Ah, I just noticed that pam_mount gets executed but does not get the password in this configuration. Hm, but maybe this is only the session part. I will ask upstream.
Comment 3 Till Maas 2007-03-24 13:25:49 UTC
From Fedora Core 5 release notes: http://download.fedora.redhat.com/pub/fedora/linux/core/5/i386/os/RELEASE-NOTES-en.html

    #%PAM-1.0
    auth       required     pam_securetty.so
    auth       include      system-auth
    # no module should remain after 'include' if 'sufficient' might
    # be used in the included configuration file
    # pam_nologin moved to account phase - it's more appropriate there
    # other modules might be moved before the system-auth 'include'

So I guess

    auth       required     pam_env.so
    auth       include      system-auth
    auth       optional     pam_mount.so use_first_pass

will never work.
Comment 4 Till Maas 2007-07-17 12:48:37 UTC
There is an additional note now in upstream's repository that will be included in the next upstream release: http://pam-mount.svn.sourceforge.net/viewvc/pam-mount/trunk/dry/pam_mount.8?r1=223&r2=222&pathrev=223
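
The ordering rule discussed in this thread (nothing should follow an 'include' whose target uses 'sufficient') can be checked mechanically. The following is an added example, not code from pam_mount or from the reporters; the file contents in SAMPLE_FILES are constructed, the system-auth body is an assumption, and the function names are hypothetical.

```python
# Added example: flag PAM entries placed behind a 'sufficient' module.
# Handles simple one-word controls and 'include' only; bracketed controls
# such as [success=1 default=ignore] are outside what this sketch parses.

SAMPLE_FILES = {  # constructed sample input, not taken from a real system
    "login": """\
#%PAM-1.0
auth       required     pam_env.so
auth       include      system-auth
auth       optional     pam_mount.so use_first_pass
session    include      system-auth
session    optional     pam_mount.so
""",
    "system-auth": """\
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       required     pam_deny.so
session    required     pam_unix.so
""",
}


def flatten(name, files, wanted_type, seen=()):
    """Yield (control, module, source_file) for one type, inlining 'include'."""
    if name in seen:  # guard against include loops
        return
    for raw in files[name].splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 3 or fields[0].lstrip("-") != wanted_type:
            continue
        control, target = fields[1], fields[2]
        if control == "include":
            yield from flatten(target, files, wanted_type, seen + (name,))
        else:
            yield control, target, name


def shadowed_entries(service, files,
                     types=("auth", "account", "password", "session")):
    """Return (type, module, blocker) for the service's own entries that come
    after the first 'sufficient' module in the flattened stack."""
    findings = []
    for t in types:
        blocker = None
        for control, module, source in flatten(service, files, t):
            if blocker and source == service:
                findings.append((t, module, blocker))
            elif control == "sufficient" and blocker is None:
                blocker = f"{module} ({source})"
    return findings


if __name__ == "__main__":
    for t, module, blocker in shadowed_entries("login", SAMPLE_FILES):
        print(f"{t}: {module} is not reached when {blocker} succeeds")
```

On the sample input only the auth entry for pam_mount.so is reported; the session entry is not, because the constructed system-auth has no 'sufficient' line in its session stack.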