Problems using pam_mount together with pam_ssh and pam_keyring on FC6

Jens Lautenbacher jtl at schlund.de
Wed Nov 1 22:01:46 UTC 2006


Hi,

I use Fedora Core 6 on a laptop and want to use single sign-on for
encrypted home partitions, ssh keys and the gnome keyring.

My home partition /home/jtl is luks encrypted, and I try to use
pam_mount to mount it when I enter my user id/password into gdm.

The password should also be used to read my ssh keys and open up the
default gnome keyring.

The pam.d/gdm file looks like this (everything else being the default)

#%PAM-1.0
auth       required    pam_env.so
auth       optional    pam_mount.so try_first_pass
auth       optional    pam_keyring.so try_first_pass
auth       optional    pam_ssh.so try_first_pass
auth       include     system-auth
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    optional    pam_keyinit.so force revoke
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_console.so
session    optional    pam_mount.so
session    optional    pam_keyring.so
session    optional    pam_ssh.so


The problem is: it seems that pam_mount doesn't manage to mount the
partition early enough for pam_ssh or pam_keyring to be able to access
the keys or keyring. At least that's my conclusion from the behavior I
have experienced:

      * After a logout (where - fortunately in my case, but of course
        still a problem - pam_mount can't unmount the partition because
        of a running gconfd) logging in again makes everything work as
        expected.

      * Also copying the .ssh and the .gnome2/keyrings directories into
        the /home/jtl folder where the new partition is to be mounted
        (so these files are accessible at any time) makes everything run
        smoothly - but of course it is not the intended setup to have
        these files outside of the encrypted homedir.

How can I change my setup so what I want works without the hacks
mentioned above?

Thanks in advance,

	jtl
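The following is an added example, not part of the original message and not code from the pam_mount, pam_ssh or pam_keyring projects. It parses a PAM service file like the pam.d/gdm stack quoted above and lists every entry that PAM executes before pam_mount's session entry. The check rests on one documented property of pam_mount: its auth entry only records the password, and the volume is actually mounted in the session phase, after the whole auth and account stacks have already run. Which modules need files from inside the home directory is an assumption of the example (HOME_DEPENDENT), and `include`d files such as system-auth are listed but not expanded.

```python
"""Report which PAM entries run before pam_mount has mounted the home volume.

Assumption (from pam_mount's documented behaviour): the auth-phase entry
only caches the password; the mount itself happens in pam_sm_open_session.
PAM runs the complete auth stack, then account, then session for a login,
so anything in the auth stack runs before the volume exists.
"""

# Phase order for an interactive login; "password" only runs on chauthtok.
LOGIN_PHASES = ("auth", "account", "session")

# Assumed for this example: modules that read files under the user's home
# directory (pam_ssh reads ~/.ssh keys, pam_keyring reads ~/.gnome2/keyrings).
HOME_DEPENDENT = {"pam_ssh.so", "pam_keyring.so"}

# The pam.d/gdm stack from the message above, embedded as sample input.
SAMPLE_GDM = """\
#%PAM-1.0
auth       required    pam_env.so
auth       optional    pam_mount.so try_first_pass
auth       optional    pam_keyring.so try_first_pass
auth       optional    pam_ssh.so try_first_pass
auth       include     system-auth
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    optional    pam_keyinit.so force revoke
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_console.so
session    optional    pam_mount.so
session    optional    pam_keyring.so
session    optional    pam_ssh.so
"""


def parse_stack(text):
    """Return (phase, control, module, args) tuples in file order.

    Comments and blank lines are skipped.  For "include" lines the third
    field is the included service name; it is kept but not expanded.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; libpam would log and ignore it
        phase, control, module = parts[0], parts[1], parts[2]
        entries.append((phase, control, module, parts[3:]))
    return entries


def execution_order(entries):
    """Order entries as PAM runs them at login: auth, account, session.

    Within one phase file order is preserved (sorted() is stable).
    """
    login = [e for e in entries if e[0] in LOGIN_PHASES]
    return sorted(login, key=lambda e: LOGIN_PHASES.index(e[0]))


def modules_before_mount(entries):
    """Entries executed before pam_mount's session entry, as (phase, module).

    The session entry is the point where pam_mount really mounts the volume;
    its auth entry earlier in the stack has only stored the password.
    """
    before = []
    for phase, _control, module, _args in execution_order(entries):
        if phase == "session" and module == "pam_mount.so":
            break
        before.append((phase, module))
    return before


def home_dependent_before_mount(entries):
    """Subset of modules_before_mount() that need the home directory."""
    return [(p, m) for p, m in modules_before_mount(entries) if m in HOME_DEPENDENT]


if __name__ == "__main__":
    stack = parse_stack(SAMPLE_GDM)
    for phase, module in modules_before_mount(stack):
        flag = "  <-- needs $HOME, runs before the mount" if module in HOME_DEPENDENT else ""
        print(f"{phase:8} {module}{flag}")
```

Run against the quoted stack, the script flags the auth-phase pam_keyring.so and pam_ssh.so entries: both execute during authentication, long before the session-phase pam_mount entry that mounts /home/jtl, which matches the behaviour described above (the keys are only readable once a previous session has left the volume mounted, or when copies live on the unencrypted mount point).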