
Bug 232040

Summary: pam_mount needs to be first entry in /etc/pam.d/SERVICE configuration
Product: [Fedora] Fedora
Reporter: Kevin R. Page <redhat-bugzilla>
Component: pam_mount
Assignee: Till Maas <opensource>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 6
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-07-17 12:48:37 UTC

Description Kevin R. Page 2007-03-13 18:02:46 UTC
Contrary to /usr/share/doc/pam_mount-0.18/README and anecdotal evidence of
previous FC releases, the auth entry for pam_mount seems to need to be the first
in any /etc/pam.d/SERVICE configuration.

Anything else, e.g.
auth       required
auth       include     system-auth
auth       optional use_first_pass
account    required
account    include     system-auth
password   include     system-auth
session    optional force revoke
session    include     system-auth
session    required
session    optional
session    optional

fails with:
pam_mount: error trying to retrieve authtok from auth code.

and you need to (re-)enter a second password for pam_mount. Placing the
pam_mount entry first fixes the issue.

I don't know whether this is now the desired behavior? In which case I guess
it's just a doc fix.


Comment 1 Till Maas 2007-03-24 12:11:47 UTC
(In reply to comment #0)
> Contrary to /usr/share/doc/pam_mount-0.18/README and anecdotal evidence of

> #%PAM-1.0
> auth       required
> auth       include     system-auth

If you look into /etc/pam.d/system-auth, which is included, you will notice that
there is an "auth sufficient <something>" line in it. pam_mount needs to be
invoked before any "auth sufficient" line, because only pam modules until the
first succeeding sufficient module will be used. This is somehow already mentioned
in the README, except that the "include" keyword is not mentioned.

Comment 2 Till Maas 2007-03-24 12:16:46 UTC
Ah, I just noticed that pam_mount gets executed but does not get the password in
this configuration. Hm, but maybe this is only the session part. I will ask

Comment 3 Till Maas 2007-03-24 13:25:49 UTC
From Fedora Core 5 release notes:

auth       required
auth       include      system-auth
# no module should remain after 'include' if 'sufficient' might
# be used in the included configuration file
# pam_nologin moved to account phase - it's more appropriate there
# other modules might be moved before the system-auth 'include'

So I guess

auth       required
auth       include     system-auth
auth       optional use_first_pass

will never work.
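
The ordering rule discussed in comments 1 and 3, as an added example that is not part of the bug report or of pam_mount: a small Python check that expands `include` lines and lists modules in a service file that follow a `sufficient` entry. The file contents and module names are constructed for illustration, and bracketed `[...]` controls and `substack` are assumed absent.

```python
# Constructed sample files; module names and arguments are assumptions,
# not taken from the bug report (its module names were not preserved).
SAMPLE = {
    "login": """\
#%PAM-1.0
auth       required    pam_env.so
auth       include     system-auth
auth       optional    pam_mount.so use_first_pass
session    include     system-auth
""",
    "system-auth": """\
#%PAM-1.0
auth       sufficient  pam_unix.so nullok
auth       required    pam_deny.so
session    required    pam_unix.so
""",
}

def flatten(service, files, mtype="auth", _seen=()):
    """Expand 'include' lines; return [(source_file, control, module)] for one type."""
    if service in _seen:
        raise ValueError("include loop at " + service)
    stack = []
    for raw in files[service].splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments and '#%PAM-1.0'
        if len(fields) < 3 or fields[0].lstrip("-") != mtype:
            continue
        control, module = fields[1], fields[2]
        if control == "include":
            # 'include' splices the other file's lines into this stack
            stack += flatten(module, files, mtype, _seen + (service,))
        else:
            stack.append((service, control, module))
    return stack

def skipped_on_sufficient(service, files, mtype="auth"):
    """Modules written in `service` itself that follow a 'sufficient' entry.

    They may not run: a succeeding 'sufficient' module ends the stack early.
    Returns [(module, sufficient_module_before_it)].
    """
    findings, gate = [], None
    for source, control, module in flatten(service, files, mtype):
        if gate is not None and source == service:
            findings.append((module, gate))
        elif gate is None and control == "sufficient":
            gate = module
    return findings

if __name__ == "__main__":
    print(skipped_on_sufficient("login", SAMPLE))
```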

Comment 4 Till Maas 2007-07-17 12:48:37 UTC
There is an additional note now in upstream's repository that will be included
in the next upstream release: