I'm using the pam-auth-update tool to enable some PAM profiles:
PAM configuration
PAM profiles to enable:
[*] encfs encrypted home directories
[*] Unix authentication
[*] Mount volumes for user
[*] GNOME Keyring Daemon - Login keyring management
[*] ConsoleKit Session Management
Everything works as expected except for one thing: the "Mount volumes for user" option seems to affect the su command.
I added the following line to the /etc/security/pam_mount.conf.xml file:
<volume user="morfik" fstype="fuse" path="encfs#/media/Server/Dropbox.encfs/Dropbox/encrypted" mountpoint="/media/Server/Dropbox" />
When I type su morfik in a terminal (as root), there shouldn't be any password prompt, but what I see is:
# su morfik
reenter password for pam_mount:
If I uncheck the "Mount volumes for user" option in the menu above, everything seems to work fine and the "reenter password" prompt disappears. I tried playing with the /etc/pam.d/ files, but I have no experience with PAM and couldn't get it to work.
Does anyone know what has to be changed in those files?
Update #1
Here is the content of the /etc/pam.d directory:
# ls -al /etc/pam.d/
total 104K
drwxr-xr-x 2 root root 4.0K Mar 21 16:21 ./
drwxr-xr-x 153 root root 12K Mar 21 16:11 ../
-rw-r--r-- 1 root root 197 Sep 8 2013 atd
-rw-r--r-- 1 root root 384 May 25 2012 chfn
-rw-r--r-- 1 root root 92 May 25 2012 chpasswd
-rw-r--r-- 1 root root 581 May 25 2012 chsh
-rw-r--r-- 1 root root 1.2K Mar 20 17:35 common-account
-rw-r--r-- 1 root root 1.3K Mar 20 17:35 common-auth
-rw-r--r-- 1 root root 1.5K Mar 20 17:35 common-password
-rw-r--r-- 1 root root 1.3K Mar 20 17:35 common-session
-rw-r--r-- 1 root root 1.2K Mar 20 17:35 common-session-noninteractive
-rw-r--r-- 1 root root 527 Jul 3 2012 cron
-rw-r--r-- 1 root root 69 Jul 16 2013 cups-daemon
-rw-r--r-- 1 root root 4.8K Mar 5 10:18 login
-rw-r--r-- 1 root root 92 May 25 2012 newusers
-rw-r--r-- 1 root root 520 Jul 22 2008 other
-rw-r--r-- 1 root root 147 Feb 13 07:15 passwd
-rw-r--r-- 1 root root 255 Oct 15 18:40 polkit-1
-rw-r--r-- 1 root root 84 Dec 27 12:40 samba
-rw-r--r-- 1 root root 2.1K Feb 15 03:11 sshd
-rw-r--r-- 1 root root 2.3K May 25 2012 su
-rw-r--r-- 1 root root 95 Jan 15 22:58 sudo
-rw-r--r-- 1 root root 108 Oct 19 23:42 xscreensaver
There is no /etc/pam.d/system-auth file.
I checked the files for pam_mount and got this:
# egrep -i pam_mount *
common-auth:auth optional pam_mount.so
common-session:session optional pam_mount.so
File contents:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth sufficient pam_encfs.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_mount.so
# end of pam-auth-update config
and:
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_mount.so
session optional pam_ck_connector.so nox11
# end of pam-auth-update config
Update #2
I'm using Debian testing. I tried changing the position of pam_mount, but it's always the same. I read some parts of the manual, which says:
When "sufficient" is used in the second column, you must make sure that pam_mount is added before this entry. Otherwise pam_mount will not get executed should a previous PAM module succeed. Also be aware of the "include" statements. These make PAM look into the specified file. If there is a "sufficient" statement, then the pam_mount entry must either be in the included file before the "sufficient" statement or before the "include" statement.
I even added pam_mount to the /etc/pam.d/su file to check whether it makes any difference, but it doesn't matter. If pam_mount is first, as they say, I get a "pam_mount password:" prompt when I log into the system instead of the normal password prompt, and when I try su morfik the system still asks for a password.
Answer 1
I ran into the same problem.
It turns out the problem can be solved by adding the disable_interactive option next to pam_mount.so in the configuration files (/etc/pam.d/common-{auth,session}). It goes right after pam_mount.so, with the options separated by spaces (from the .so filename to the first option and between every two options).
When the pam_mount.so code is executed at login, it receives the password from the top of the stack and uses it to decrypt your volumes.
When you su from a root session, no password is required, so pam_mount.so doesn't get one. Hence, without the disable_interactive option, it tries to ask for one.
Fortunately, as you can see at https://sourceforge.net/p/pam-mount/pam-mount/ci/master/tree/src/pam_mount.c line 493, pam_mount tries to continue even without a password, which is fine because if the volume is already unlocked and mounted, no password is needed.
Answer 2
Complete guess, but look at your /etc/pam.d/* files and make sure any PAM configuration related to pam_mount is set up like this:
auth optional pam_mount.so
...
auth include system-auth use_first_pass
...
session optional pam_mount.so
This seems to be supported by the pam_mount.conf man page:
Excerpt
Messages
<msg-authpw>pam_mount password:</msg-authpw>
When pam_mount cannot obtain a password through PAM, or is
configured to not do so in the first place, and is configured to ask
for a password interactively as a replacement, this prompt will be
shown.
<msg-sessionpw>reenter...:</msg-sessionpw>
In case the 'session' PAM block does not have the password (e.g.
on su from root to user), it will ask again. This prompt can also be
customized.
Note: the ordering of the /etc/pam.d/* configuration files is also referenced in the ArchLinux Wiki topic titled pam_mount.
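As an added example (not code from the question or from either answer, and not part of pam_mount itself), here is a small Python linter that checks a PAM service file for the two pam_mount pitfalls discussed on this page: the missing disable_interactive option from Answer 1, and pam_mount.so being placed after a "sufficient" or "include" entry of the same type, which the pam_mount manual quoted in the question warns against and which Answer 2's ordering avoids. The parser, the function names and the sample stacks are my own; the samples are constructed from the common-auth and common-session contents posted in the question, with comments removed.

```python
# Added example: lint PAM service files for the pam_mount pitfalls above.
# Not from the question, the answers, or the pam_mount project. Sample
# stacks below are constructed from the files posted in the question.
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class PamEntry:
    line_no: int
    mtype: str                  # auth | account | password | session
    control: str                # required | optional | sufficient | include | [k=v ...]
    module: str                 # e.g. pam_mount.so, or the included file's name
    args: List[str] = field(default_factory=list)


# type, control (a bare word or a bracketed [key=value ...] group), module, args
_ENTRY = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text: str) -> List[PamEntry]:
    """Parse one /etc/pam.d/<service> file. Debian-style '@include file' lines
    are skipped; the 'include' control word is kept as a normal entry."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith("@include"):
            continue
        m = _ENTRY.match(line)
        if m:
            mtype, control, module, rest = m.groups()
            entries.append(PamEntry(n, mtype, control, module, rest.split()))
    return entries


def lint_pam_mount(text: str) -> List[str]:
    """One finding per pam_mount.so entry that (a) lacks disable_interactive
    (Answer 1) or (b) sits after a 'sufficient' or 'include' entry of the same
    type (the manual's ordering rule quoted in the question)."""
    findings = []
    entries = parse_pam(text)
    for e in entries:
        if e.module != "pam_mount.so":
            continue
        if "disable_interactive" not in e.args:
            findings.append(
                f"line {e.line_no}: '{e.mtype} {e.control} pam_mount.so' lacks "
                "disable_interactive; it will prompt when the stack hands it no "
                "password (e.g. su from root)")
        for x in entries:
            if x.mtype != e.mtype or x.line_no >= e.line_no:
                continue                       # only earlier entries of the same type
            if x.control == "sufficient":
                findings.append(
                    f"line {e.line_no}: pam_mount.so follows 'sufficient {x.module}' "
                    f"(line {x.line_no}) and is skipped whenever that module succeeds")
            elif x.control == "include":
                findings.append(
                    f"line {e.line_no}: pam_mount.so follows 'include {x.module}' "
                    f"(line {x.line_no}); it must precede any 'sufficient' in that file")
    return findings


# Constructed from the common-auth posted in the question (comments removed)
COMMON_AUTH_AS_POSTED = """\
auth sufficient pam_encfs.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_mount.so
"""

# The same stack with only Answer 1's fix applied
COMMON_AUTH_ANSWER1 = COMMON_AUTH_AS_POSTED.replace(
    "pam_mount.so\n", "pam_mount.so disable_interactive\n")

# Constructed from the common-session posted in the question
COMMON_SESSION_AS_POSTED = """\
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_mount.so
session optional pam_ck_connector.so nox11
"""

# Answer 2's ordering (pam_mount before the include) plus Answer 1's option
COMBINED = """\
auth optional pam_mount.so disable_interactive
auth include system-auth use_first_pass
session optional pam_mount.so disable_interactive
"""

if __name__ == "__main__":
    for name, text in [("common-auth (posted)", COMMON_AUTH_AS_POSTED),
                       ("common-auth (answer 1)", COMMON_AUTH_ANSWER1),
                       ("common-session (posted)", COMMON_SESSION_AS_POSTED),
                       ("answer 2 + answer 1", COMBINED)]:
        print(f"== {name}")
        for finding in lint_pam_mount(text) or ["no findings"]:
            print("  " + finding)
```

Run against the posted common-auth it reports both problems (pam_encfs.so is "sufficient" and precedes pam_mount.so, and the option is missing); with Answer 1's option added, only the ordering finding remains, which matches the asker's observation that the option, not the position, is what changes the su behaviour. The checker reads a single file, so it does not follow "include" into the included file; it only flags that such a file needs to be inspected.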