Top Forums UNIX for Beginners Questions & Answers Shell Script for "Password Management" Post 303045513 by sea on Saturday 28th of March 2020 12:34:54 PM
I'd have a basic tryout-draft...
Where I 'currently' 'fail' using LUKS (properly ; cryptsetup) to "mount" an encrypted file to a folder.
Currently as in: haven't looked at the file for five years and gave it one quick shot today before I had to leave.

As it is right now (fallback), it allows you to mount a file that will contain the password file (anything for that matter).

So, not yet encrypted, but at least not as a loose file.

But it will require sudo rights for your account / at least for mount.

So I'm not sure if it would be of help?
 

pam_mount(8)							  pam_mount 1.34						      pam_mount(8)

Name
       pam_mount - A PAM module that can mount volumes for a user session

Overview
       This module is aimed at environments with central file servers that a user wishes to mount on login and unmount on logout, such as
       (semi-)diskless stations where many users can logon and where statically mounting the entire /home from a server is a security risk, or
       listing all possible volumes in /etc/fstab is not feasible.

       o   Users can define their own list of volumes without having to change (possibly non-writable) global config files.

       o   Single sign-on feature - the user needs to type the password just once (at login)

       o   Transparent mount process

       o   No stored passwords

       o   Volumes are unmounted on logout, freeing system resources and not leaving data exposed.

       The  module  also  supports  mounting local filesystems of any kind the normal mount utility supports, with extra code to make sure certain
       volumes are set up properly because often they need more than just a mount call, such as encrypted volumes. This includes  SMB/CIFS,  FUSE,
       dm-crypt and LUKS.

       If you intend to use pam_mount to protect volumes on your computer using an encrypted filesystem, please know that there are many
       other issues you need to consider in order to protect your data. For example, you probably want to disable or encrypt your swap partition
       (the cryptoswap can help you do this). Do not assume a system is secure without carefully considering potential threats.

Configuration
       The primary configuration file for the pam_mount module is pam_mount.conf.xml. On most platforms this file is read from
       /etc/security/pam_mount.conf.xml. On OpenBSD pam_mount reads its configuration file from /etc/pam_mount.conf.xml. See pam_mount.conf(5)
       documenting its use.

       Individual users may define additional volumes to mount if allowed by pam_mount.conf.xml (usually ~/.pam_mount.conf.xml). The volume
       keyword is the only valid keyword in these per-user configuration files. If the luserconf parameter is set in pam_mount.conf.xml, allowing
       user-defined volumes, then users may mount and unmount any volume they own at any mount point they own. On some filesystem configurations
       this may be a security flaw, so user-defined volumes are not allowed by the example pam_mount.conf.xml distributed with pam_mount.

PAM configuration
       In addition, you must include two entries in the system's applicable /etc/pam.d/service config files, as the following example shows:

		  auth	   required  pam_securetty.so
		  auth	   required  pam_pwdb.so shadow nullok
		  auth	   required  pam_nologin.so
	      +++ auth	   optional  pam_mount.so
		  account  required  pam_pwdb.so
		  password required  pam_cracklib.so
		  password required  pam_pwdb.so shadow nullok use_authtok
		  session  required  pam_pwdb.so
		  session  optional  pam_console.so
	      +++ session  optional  pam_mount.so

       When "sufficient" is used in the second column, you must make sure that pam_mount is added before this entry. Otherwise pam_mount will not
       get executed should a previous PAM module succeed. Also be aware of the "include" statements. These make PAM look into the specified file.
       If there is a "sufficient" statement, then the pam_mount entry must either be in the included file before the "sufficient" statement or
       before the "include" statement.

       If  you use pam_ldap, pam_winbind, or any other authentication services that make use of PAM's sufficient keyword, model your configuration
       on the following order:

	      ooo
	      account sufficient  pam_ldap.so
	      auth    required	  pam_mount.so
	      auth    sufficient  pam_ldap.so use_first_pass
	      auth    required	  pam_unix.so use_first_pass
	      session optional	  pam_mount.so
	      ooo

       This allows for:

       1.  pam_mount, as the first "auth" module, will prompt for a password and export it to the PAM system.

       2.  pam_ldap will use the password from the PAM system to try and authenticate the user. If this succeeds, the user will be authenticated.
	   If it fails, pam_unix will try to authenticate.

       3.  pam_unix  will  try to authenticate the user if pam_ldap failed. If pam_unix fails, then the authentication will be refused (due to the
	   "required").

       Alternatively, the following is possible (thanks to Andrew Morgan for the hint!):

	      auth [success=2 default=ignore] pam_unix2.so
	      auth [success=1 default=ignore] pam_ldap.so use_first_pass
	      auth requisite pam_deny.so
	      auth optional pam_mount.so

       It may seem odd, but the first three lines will make it so that at least one of pam_unix2 or pam_ldap has to succeed. As you can see,
       pam_mount will be run after successful authentication with these subsystems.
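       The ordering rule above can be checked mechanically. The script below is an added example, not code from pam_mount or its authors; the
       helper names pam_mount_stack_status and check_pam_mount_order are assumed. It reads a pam.d service file and reports, for the auth and
       session stacks, whether pam_mount.so appears before any "sufficient" (or "include"/"substack") line; bracketed controls such as
       [success=2 default=ignore] are deliberately not interpreted.

```shell
# Added example (not pam_mount's own code). Reports where pam_mount.so sits
# relative to "sufficient"/"include" lines of one stack in a pam.d file.
pam_mount_stack_status() {  # usage: pam_mount_stack_status <auth|session> <file>
    awk -v stack="$1" '
        BEGIN { seen_sufficient = 0; seen_include = 0; status = "missing" }
        {
            sub(/#.*/, "")                      # drop comments
            if ($1 != stack) next               # only lines of this stack type
            module = ""; for (i = 2; i <= NF; i++)   # module = first field ending in .so
                if ($i ~ /\.so$/) { module = $i; break }
            if (module == "pam_mount.so") {
                if (seen_sufficient) status = "after-sufficient"
                else if (seen_include) status = "after-include"
                else status = "ok"
                exit                            # END still runs and prints status
            }
            if ($2 == "sufficient") seen_sufficient = 1
            if ($2 == "include" || $2 == "substack") seen_include = 1
        }
        END { print status }
    ' "$2"
}

check_pam_mount_order() {  # usage: check_pam_mount_order <file>; 0 only if both stacks are ok
    rc=0
    for stack in auth session; do
        status=$(pam_mount_stack_status "$stack" "$1")
        printf '%s: %s stack: pam_mount.so %s\n' "$1" "$stack" "$status"
        [ "$status" = ok ] || rc=1
    done
    return $rc
}

# Constructed sample service files: "bad" puts pam_ldap sufficient before pam_mount.
tmp=$(mktemp -d)
cat > "$tmp/bad" <<'EOF'
auth    sufficient  pam_ldap.so
auth    optional    pam_mount.so
session optional    pam_mount.so
EOF
cat > "$tmp/good" <<'EOF'
auth    required    pam_mount.so
auth    sufficient  pam_ldap.so use_first_pass
auth    required    pam_unix.so use_first_pass
session optional    pam_mount.so
EOF
check_pam_mount_order "$tmp/good"
check_pam_mount_order "$tmp/bad" || echo "reorder $tmp/bad: move pam_mount.so before the sufficient line"
```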

Encrypted disks
       pam_mount supports a few types of crypto. The most common are encfs, dm-crypt and dm-crypt+LUKS.

       The first one uses the FUSE layer; files within the encfs container are stored as single encrypted files on the host in a previously-existing
       directory. If you store lots of files, it is recommended to have a lower filesystem that is strong in this area, such as xfs, but some
       software and/or your partitioning decisions may force you to use a different fs. The 1:1 mapping of files also allows encrypted files to be
       reasonably efficiently rsync'ed, for example, without having to open the encrypted container. Creation is done through the encfs(1) tool.

       dm-crypt provides whole-filesystem/entire-partition encryption. You can also create a container file, but the idea is that it is
       represented as a block device on which you still have to create a filesystem. In fact, this way you can select a filesystem of your choice. The
       downside is that shrinking is often not possible (there is no such issue in encfs because it uses the lower fs). Suitable dm-crypt
       containers (and auxiliary files), using block devices or plain files, can be created using the pmt-ehd(8) tool.

       pmt-ehd creates filesystem key material, which is a bunch of random bytes that will be used to en-/decrypt the volume. This material itself
       is encrypted with your own password - this is done so that you can change the password without having to reencrypt all of your data.

       LUKS is an extension for dm-crypt to support multi-password containers. Unless you specifically need it, the above two solutions are
       recommended.

       NOTE: The key file that pmt-ehd(8) will create represents the filesystem key material as encrypted with your password. It is thus safe to
       store this on an unsecured filesystem.

Troubleshooting
       To ensure that your system and, possibly, the remote server are all properly configured, you should try to mount all or some of the volumes
       by hand, using the same commands and mount points provided in pam_mount.conf.xml. This will save you a lot of grief, since it is more
       difficult to debug the mounting process via pam_mount.

       If you can mount the volumes by hand but it is not happening via pam_mount, you may want to enable the "debug" option in pam_mount.conf.xml
       to see what is happening.

       Verify that the user owns the mount point and has sufficient permissions over it. pam_mount will verify this and will refuse to mount the
       remote volume if the user does not own that directory.
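       The ownership check described above can be rehearsed by hand before relying on pam_mount. The helper below is an added example rather
       than pam_mount's own code; the function name mountpoint_ok is assumed, and the warning about a non-empty directory is an extra caveat
       not taken from the manual (files under a mount point become invisible once something is mounted over it).

```shell
# Added example (not pam_mount's own code): pre-flight check of a mount point
# for a given user, mirroring the ownership test pam_mount(8) describes.
mountpoint_ok() {  # usage: mountpoint_ok <user> <dir>; prints a reason, returns 1 on failure
    user=$1 dir=$2
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"; return 1
    fi
    # POSIX find: -prune stops descent, -user matches the directory's owner by name.
    # An unknown user name yields no output (and an error on stderr), so it fails too.
    if [ -z "$(find "$dir" -prune -user "$user" 2>/dev/null)" ]; then
        echo "$dir: not owned by $user"; return 1
    fi
    # Extra caveat (not from the manual): mounting over a non-empty directory hides its contents.
    if [ -n "$(ls -A "$dir")" ]; then
        echo "warning: $dir is not empty; mounting will hide its contents"
    fi
    echo "$dir: ok"
}

# Constructed demo: a fresh temporary directory owned by the calling user.
demo=$(mktemp -d)
mountpoint_ok "$(id -un)" "$demo"
mountpoint_ok "$(id -un)" "$demo/missing" || true
```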

       If pam_mount is having trouble unmounting volumes upon logging out, enable the debug variable. This causes pam_mount to run ofl on logout
       and write its output to the system's log.

Authors
       W. Michael Petullo

       Jan Engelhardt (current maintainer)

Community Support
       The following two forms of communication are available. The maintainer has no preference, though you will reach more users who could answer
       by means of the mailing list.

       Mailing List:
	      http://sf.net/mail/?group_id=41452

       Bug Tracker (no registration needed):
	      http://sf.net/tracker/?group_id=41452

pam_mount 1.34							    2010-04-08							      pam_mount(8)