
Linux | PamMount

Under Debian it is no longer necessary to compile the pam_mount module from source; you can install it with apt-get by running the following command:
linxus101:~# apt-get install libpam-mount
Now, because of some recent changes to OpenSSH, in order to have pam_mount mount a user's share and umount it on logout we need to enable privilege separation in the OpenSSH server. To do this, edit the file /etc/ssh/sshd_config as below. Previously, disabling it allowed a user to perform actions only allowed by root at certain times in an SSH session, such as umounting their share. However, due to recent changes, disabling privilege separation also seems to stop SSH from properly closing the session and reporting to the PAM stack that the session is closed.

linxus101:/etc/ssh# vim sshd_config
-----------------------------------------
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
-----------------------------------------
Most likely it's enabled by default, as above. What privilege separation essentially does is, during an SSH session, only allow actions that the user may perform, i.e. a regular user couldn't perform mount/umount. What I was noticing during the use of pam_mount was that a user could log in and get their share mounted, but when they logged out their share would not get umounted. The reason for this is that pam_mount is split into two parts: the auth module part and the session part. The auth module is what captures the username and password and calls mount as root; however, if you have privilege separation on, you can't perform root actions when a session ends.

Since I had to have privilege separation on in order for SSH to close the session, and I also needed the share to be mounted, I made a wrapper for Linux to allow a normal user to umount their share as long as they had their username in the share. So john could umount /home/john/N but could not umount /home/cory/N. The code for this wrapper is found on the Project Management Site http://linxus101/webcollab-1.70/ .

Now, in order to use the wrapper file you have to compile it and tell pam_mount to use it by changing which command it uses to umount shares. The setup is completely the same as before. Good luck.

-- CoryCater - 30 Mar 2005