Using pam_mount and pam_kwallet
Patrick Häcker
pat_h at web.de
Fri Oct 3 06:01:39 UTC 2014
(Resending, as the first mail does not seem to be on the list)

I installed a machine with KDE, configured pam_kwallet (to open KDE's password
safe automatically when logging in) and it worked.

Then I moved /home onto an encrypted partition and configured pam_mount to
automatically decrypt/mount /home when logging in and it mostly worked. The
remaining part is that /home should be unmounted when logging off, which does
not work currently (but that's not the reason for this mail).

Unfortunately, if the now encrypted /home partition is not mounted when
logging in, the wallet does not get opened. When logging off and logging in
again (remember: /home is still mounted after logging off), the wallet gets
opened.

So both PAM modules work separately; only when they both have to work does
pam_kwallet fail.

I read the Linux-PAM System Administrators' Guide, but I have no idea
how to debug this problem. Does anyone have an idea what I should do to find the
root of the problem?

My wild guess would be that either pam_kwallet needs access to its home
directory, which it gets too late if pam_mount has to mount the file system,
or that pam_mount has to succeed (or fail?) so that pam_kwallet works.

I already activated debugging in pam_mount (setting "<debug enable="1" />" in
/etc/security/pam_mount.conf.xml (why XML?)), but I do not know how to enable
debugging in pam_kwallet.

The log of the first (unsuccessful for kwallet) login:
> 23:24:57: (pam_mount.c:365): pam_mount 2.14: entering auth stage
> 23:24:57: (pam_mount.c:365): pam_mount 2.14: entering auth stage
> 23:24:57: pam_kwallet(lightdm:auth): pam_sm_authenticate
> 23:25:00: pam_unix(lightdm-greeter:session): session closed for user lightdm
> 23:25:00: pam_kwallet(lightdm:setcred): pam_sm_setsecred
> 23:25:00: pam_unix(lightdm:session): session opened for user pat by (uid=0)
> 23:25:00: (pam_mount.c:568): pam_mount 2.14: entering session stage
> 23:25:00: (pam_mount.c:568): pam_mount 2.14: entering session stage
> 23:25:00: (pam_mount.c:441): pmvarrun says login count is 2
> 23:25:00: (pam_mount.c:660): done opening session (ret=0)
> 23:25:00: pam_kwallet(lightdm:session): pam_sm_open_session
> 23:25:00: pam_kwallet(lightdm:session): pam-kwallet: final socket path:
> 23:25:00: /tmp//pat.socket (pam_mount.c:441): pmvarrun says login count is 2
> 23:25:00: (pam_mount.c:660): done opening session (ret=0)

The log of the first (successful for kwallet) login:
> 23:27:59: (pam_mount.c:365): pam_mount 2.14: entering auth stage
> 23:27:59: (pam_mount.c:365): pam_mount 2.14: entering auth stage
> 23:27:59: pam_kwallet(lightdm:auth): pam_sm_authenticate
> 23:28:02: pam_unix(lightdm-greeter:session): session closed for user lightdm
> 23:28:02: pam_kwallet(lightdm:setcred): pam_sm_setsecred
> 23:28:02: pam_unix(lightdm:session): session opened for user pat by (uid=0)
> 23:28:02: (pam_mount.c:568): pam_mount 2.14: entering session stage
> 23:28:02: (pam_mount.c:568): pam_mount 2.14: entering session stage
> 23:28:07: (pam_mount.c:522): mount of /dev/sda5 failed
> 23:28:07: (pam_mount.c:441): pmvarrun says login count is 2
> 23:28:07: (pam_mount.c:660): done opening session (ret=0)
> 23:28:07: pam_kwallet(lightdm:session): pam_sm_open_session
> 23:28:07: pam_kwallet(lightdm:session): pam-kwallet: final socket path:
> 23:28:07: /tmp//pat.socket (pam_mount.c:522): mount of /dev/sda5 failed
> 23:28:07: (pam_mount.c:441): pmvarrun says login count is 2
> 23:28:07: (pam_mount.c:660): done opening session (ret=0)

I diffed them and there are only two differences. First, the successful login
contains the lines "mount [...] failed" two times. Second, the time stamps
contain a 5 second delay in the successful login (probably due to the failed
mount - the mounting has to fail, as it is already mounted).

That's where I ran out of ideas. So if anyone has input, that would
be highly welcome.

Kind regards
Patrick
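
Added example (not part of the original mail): the comparison described in the message, done in Python by dropping the timestamps, diffing the remaining messages and measuring the longest pause in each log. The two inputs are the session-stage lines copied from the logs above; the function and variable names are made up for this illustration.

```python
import re
from collections import Counter

# Session-stage lines copied from the two logs in the message (quote marks dropped).
WALLET_NOT_OPENED = """\
23:25:00: pam_unix(lightdm:session): session opened for user pat by (uid=0)
23:25:00: (pam_mount.c:568): pam_mount 2.14: entering session stage
23:25:00: (pam_mount.c:568): pam_mount 2.14: entering session stage
23:25:00: (pam_mount.c:441): pmvarrun says login count is 2
23:25:00: (pam_mount.c:660): done opening session (ret=0)
23:25:00: pam_kwallet(lightdm:session): pam_sm_open_session
"""
WALLET_OPENED = """\
23:28:02: pam_unix(lightdm:session): session opened for user pat by (uid=0)
23:28:02: (pam_mount.c:568): pam_mount 2.14: entering session stage
23:28:02: (pam_mount.c:568): pam_mount 2.14: entering session stage
23:28:07: (pam_mount.c:522): mount of /dev/sda5 failed
23:28:07: (pam_mount.c:441): pmvarrun says login count is 2
23:28:07: (pam_mount.c:660): done opening session (ret=0)
23:28:07: pam_kwallet(lightdm:session): pam_sm_open_session
"""

STAMPED = re.compile(r"^(\d\d):(\d\d):(\d\d): (.*)$")

def parse(log):
    """Return (seconds_since_midnight, message) for every timestamped line."""
    events = []
    for line in log.splitlines():
        m = STAMPED.match(line.strip())
        if m:  # skip anything that is not a timestamped log line
            h, mi, s = (int(x) for x in m.group(1, 2, 3))
            events.append((h * 3600 + mi * 60 + s, m.group(4)))
    return events

def longest_gap(events):
    """Largest pause in seconds between consecutive lines (same-day logs assumed)."""
    return max((b[0] - a[0] for a, b in zip(events, events[1:])), default=0)

def compare(log_a, log_b):
    """Messages unique to each log (timestamps ignored, repeats counted) and gaps."""
    a, b = parse(log_a), parse(log_b)
    count_a, count_b = Counter(m for _, m in a), Counter(m for _, m in b)
    return {"only_a": sorted((count_a - count_b).elements()),
            "only_b": sorted((count_b - count_a).elements()),
            "gap_a": longest_gap(a), "gap_b": longest_gap(b)}

if __name__ == "__main__":
    print(compare(WALLET_NOT_OPENED, WALLET_OPENED))
```

Counting repeated messages instead of comparing sets matters here because both logs contain duplicated lines.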