10 More Discussions You Might Find Interesting
1. AIX
Hi All,
I was trying to know more about RAM disk concept in AIX. I found something on IBM site.
I was able to create and use/delete RAM disk as per IBM instructions.
But as you guys know, this RAM disk is a temporary storage. (*when ever we reboot the AIX LPAR, content/RAM disk will be... (4 Replies)
Discussion started by: System Admin 77
4 Replies
2. OS X (Apple)
I have a drive full of diagnostic images (ASD), and I also use it for storage, installers, etc. When I plug it in to a booted system, it has to mount every single volume (about 25) which can take some time. I would like to keep all the ASD partitions from mounting when plugged in/at boot. I know... (0 Replies)
Discussion started by: nextyoyoma
0 Replies
3. UNIX for Advanced & Expert Users
Hi Guys ,
I am using putty.exe file to login to servers . I heard that there is way to save my username and password in putty so that i no need to give my creds while logging into putty . If so please provide me th way to do so .
Please note : I am not talking about keyfile .
Thanks in... (6 Replies)
Discussion started by: radha254
6 Replies
4. AIX
Hello,
machine1:mount /dev/lv1 /dir1
mount /dev/lv2 /dir1/subdir1
exportfs /dir1
machine2:
If I do NFS mount: mount machine1:/dir1 /foreign1
then /foreign1/subdir1 is empty.
Does NFS supports this kind of mounting ?
thanks
Vilius (2 Replies)
Discussion started by: vilius
2 Replies
5. UNIX for Advanced & Expert Users
hi all,
I have a debian lenny 5.0 server without GNOME installed.
the server is at a customer's premise.
I want to backup data from the server to the external usb hard disk.
the backup will start at e.g 01:00 everyday.
the user will plug the drive before going home.
also the user will... (1 Reply)
Discussion started by: coolatt
1 Replies
6. AIX
Hi, may I know how to automatically load a script once I login? For example, I want to load "set -o vi" command once I login in my Aix. (2 Replies)
Discussion started by: ngaisteve1
2 Replies
7. Shell Programming and Scripting
Hi men,
I think this must be a very common job. "How could to Automatically change to Bash shell after login and then jail user can only using this shell".
I want monitor user works.However it just only effect on Bash shell. Consequently if the user change the shell it will be worthless.
... (4 Replies)
Discussion started by: tien86
4 Replies
8. AIX
Hello friends,
I am confused with one of aix filesystem problem.
On one of my server, some of my rootvg filesystems shows Closed/synced status for i.e /home, /var/adm/ras/platform
Everyday i manually mount these filesystems.
What is the reason causing filesystems to go in Closed/synced... (4 Replies)
Discussion started by: Shrek
4 Replies
9. UNIX for Advanced & Expert Users
Greetings all,
I'll just like to know if it is possible to launch a shell script automatically upon a user's successful login into ssh from a remote host, without adding a command parameter to the ssh command...
ie. after keying in ssh username@host (not ssh username@host "command") and upon... (1 Reply)
Discussion started by: rockysfr
1 Replies
10. AIX
When I login to a unix box using a putty session , I'm landed in a vi editor, instead of my home directory,I'm guessing instead of pointing me to my home directory, the system points me to /usr/bin/vi. As a result, everytime I log into the system I open up a vi editor and am in there. how do i... (3 Replies)
Discussion started by: ramky79
3 Replies
pam_mount(8) pam_mount 2.13 pam_mount(8)
Name
pam_mount - A PAM module that can mount volumes for a user session
Overview
This module is aimed at environments with central file servers that a user wishes to mount on login and unmount on logout, such as
(semi-)diskless stations where many users can logon and where statically mounting the entire /home from a server is a security risk, or
listing all possible volumes in /etc/fstab is not feasible.
o Users can define their own list of volumes without having to change (possibly non-writable) global config files.
o Single sign-on feature - the user needs to type the password just once (at login)
o Transparent mount process
o No stored passwords
o Volumes are unmounted on logout, freeing system resources and not leaving data exposed.
The module also supports mounting local filesystems of any kind the normal mount utility supports, with extra code to make sure certain
volumes are set up properly because often they need more than just a mount call, such as encrypted volumes. This includes SMB/CIFS, FUSE,
dm-crypt and LUKS.
If you intend to use pam_mount to protect volumes on your computer using an encrypted filesystem system, please know that there are many
other issues you need to consider in order to protect your data. For example, you probably want to disable or encrypt your swap partition
(the cryptoswap can help you do this). Do not assume a system is secure without carefully considering potential threats.
Configuration
The primary configuration file for the pam_mount module is pam_mount.conf.xml. On most platforms this file is read from /etc/secu-
rity/pam_mount.conf.xml. On OpenBSD pam_mount reads its configuration file from /etc/pam_mount.conf.xml. See pam_mount.conf(5) documenting
its use.
Individual users may define additional volumes to mount if allowed by pam_mount.conf.xml (usually ~/.pam_mount.conf.xml). The volume key-
word is the only valid keyword in these per-user configuration files. If the luserconf parameter is set in pam_mount.conf.xml, allowing
user-defined volume, then users may mount and unmount any volume they own at any mount point they own. On some filesystem configurations
this may be a security flaw so user-defined volumes are not allowed by the example pam_mount.conf.xml distributed with pam_mount.
PAM configuration
In addition, you must include two entries in the system's applicable /etc/pam.d/service config files, as the following example shows:
auth required pam_securetty.so
auth required pam_pwdb.so shadow nullok
auth required pam_nologin.so
+++ auth optional pam_mount.so
account required pam_pwdb.so
password required pam_cracklib.so
password required pam_pwdb.so shadow nullok use_authtok
session required pam_pwdb.so
session optional pam_console.so
+++ session optional pam_mount.so
When "sufficient" is used in the second column, you must make sure that pam_mount is added before this entry. Otherwise pam_mount will not
get executed should a previous PAM module succeed. Also be aware of the "include" statements. These make PAM look into the specified file.
If there is a "sufficient" statement, then the pam_mount entry must either be in the included file before the "sufficient" statement or
before the "include" statement.
If you use pam_ldap, pam_winbind, or any other authentication services that make use of PAM's sufficient keyword, model your configuration
on the following order:
ooo
account sufficient pam_ldap.so
auth required pam_mount.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_unix.so use_first_pass
session optional pam_mount.so
ooo
This allows for:
1. pam_mount, as the first "auth" module, will prompt for a password and export it to the PAM system.
2. pam_ldap will use the password from the PAM system to try and authenticate the user. If this succedes, the user will be authenticated.
If it fails, pam_unix will try to authenticate.
3. pam_unix will try to authenticate the user if pam_ldap failed. If pam_unix fails, then the authentication will be refused (due to the
"required").
Alternatively, the following is possible (thanks to Andrew Morgan for the hint!):
auth [success=2 default=ignore] pam_unix2.so
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth optional pam_mount.so
It may seem odd, but the first three lines will make it so that at least one of pam_unix2 or pam_ldap has to succeed. As you can see,
pam_mount will be run after successful authentification with these subsystems.
Encrypted disks
pam_mount supports a few types of crypto. The most common are encfs, dm-crypt and dm-crypt+LUKS.
The first one uses the FUSE layer; files within the encfs container are stored as single encrypted files on the host in a previously-exist-
ing directory. If you store lots of files, it is recommended to have a lower filesystem that is strong in this area, such as xfs, but some
software and/or your partitioning decisions may force you to use a different fs. The 1:1 mapping of files also allows encrypted files to be
reasonably efficiently rsync'ed for example without having to open the encrypted container. Creation is done through the encfs(1) tool.
dm-crypt provides whole-filesystem/entire-partition encryption. You can also create a container file, but the idea is that it is repre-
sented as a block device on which you still have to create a filesystem. In fact, this way you can select a filesystem of your choice. The
downside is that shrinking is often not possible (there is no such issue in encfs because it uses the lower fs). Suitable dm-crypt contain-
ers (and auxiliary files), using block devices or plain files, can be created using the pmt-ehd(8) tool.
pmt-ehd creates filesystem key material which is a bunch of random bytes that will be used to en-/decrypt the volume. This material itself
is encrypted with your own password - this is done so that you can change the password without having to reencrypt all of your data.
LUKS is an extension for dm-crypt to support multi-password containers. Unless you specifically need it, the above two solutions are rec-
ommended.
NOTE: The key file that pmt-ehd(8) will create represents the filesystem key material as encrypted with your password. It is thus safe to
store this on an unsecured filesystem.
Troubleshooting
To ensure that your system and, possibly, the remote server are all properly configured, you should try to mount all or some of the volumes
by hand, using the same commands and mount points provided in pam_mount.conf.xml. This will save you a lot of grief, since it is more dif-
ficult to debug the mounting process via pam_mount.
If you can mount the volumes by hand but it is not happening via pam_mount, you may want to enable the "debug" option in pam_mount.conf.xml
to see what is happening.
Verify if the user owns the mount point and has sufficient permissions over that. pam_mount will verify this and will refuse to mount the
remote volume if the user does not own that directory.
If pam_mount is having trouble unmounting volumes upon logging out, enable the debug variable. This causes pam_mount to run ofl on logout
and write its output to the system's log.
Authors
W. Michael Petullo
Jan Engelhardt (current maintainer)
Community Support
The following two forms of communication are available. The maintainer has no preference, though you will reach more users who could answer
by means of the mailing list.
Mailing List:
http://sf.net/mail/?group_id=41452
Bug Tracker (no registration needed):
http://sf.net/tracker/?group_id=41452
pam_mount 2.13 2011-12-15 pam_mount(8)