
Using pam_mount to automount filesystems at login

Vincent Danen introduces the automounter, pam_mount, which can take a password entered at login and use it to mount an encrypted filesystem. It can also mount non-encrypted filesystems. This allows for mounting a filesystem at login, and having it unmount at logout.

There are a number of automounters available for Linux that make on-demand filesystem mounting easy. The two primary automounters are amd, the Berkeley automount daemon, and autofs, the Linux kernel automounting system. Both are excellent, system-wide, for mounting external resources such as NFS mounts, Samba shares, and so forth. One thing they cannot easily do is automount encrypted partitions or filesystems, because those are protected with a passphrase that autofs or amd will not know.

One solution to this is the pam_mount PAM module. Because all Linux systems use PAM as the authentication stack, pam_mount can take the password entered at login and use it to mount an encrypted filesystem. It can also mount non-encrypted filesystems. This allows a filesystem to be mounted at login and unmounted at logout.

Most distributions provide pam_mount, so the only thing required to enable it is to edit the PAM configuration file(s). Depending on the distribution, this may mean editing multiple configuration files or a single one. For instance, on Mandriva systems the file to edit would be /etc/pam.d/system-auth, the central system authentication configuration file that almost every other PAM configuration file includes.

Some distributions do not use a system-auth configuration file, so you will need to edit the PAM configuration file of each service you would like to use pam_mount with. If, for example, gdm has its own configuration file that does not include system-auth (or an equivalent), you would need to edit /etc/pam.d/gdm to add support for pam_mount. Conversely, if you do not want pam_mount to operate on all services, edit the configuration files for those specific services directly. As another example, you may want an encrypted filesystem available to local logins (via gdm, kdm, the console, etc.), but not to remote logins via ssh. In other words, there are a number of ways it can be configured; it's all a matter of preference.

At any rate, edit your chosen PAM configuration file(s) to add pam_mount to the auth and session sections. An example /etc/pam.d/system-auth on Mandriva, with pam_mount added, would look like this:

#%PAM-1.0
auth        optional      pam_mount.so try_first_pass
auth        required      pam_env.so
auth        sufficient    pam_tcb.so shadow fork nullok prefix=$2a$ count=8
auth        required      pam_deny.so
account     sufficient    pam_tcb.so shadow fork
account     required      pam_permit.so
password    required      pam_cracklib.so try_first_pass retry=3 minlen=2  dcredit=0  ucredit=0
password    sufficient    pam_tcb.so use_authtok shadow write_to=shadow fork nullok prefix=$2a$ count=8
password    required      pam_deny.so
session     optional      pam_mount.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_tcb.so
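As an added check (not part of the article), the following Python snippet parses a PAM stack and reports whether pam_mount.so appears in both the auth and session sections, flags module names that look like misspellings of it, and warns if the auth entry sits after a sufficient module, where a successful authentication would end the stack before pam_mount ever sees the password. The sample stack is constructed from the Mandriva example above, with the session line misspelled on purpose so the detection has something to find.

```python
import difflib
import re
from collections import defaultdict

# Constructed sample: the article's auth/session lines, session entry misspelled on purpose.
SAMPLE_PAM = """\
#%PAM-1.0
auth        optional      pam_mount.so try_first_pass
auth        required      pam_env.so
auth        sufficient    pam_tcb.so shadow fork nullok prefix=$2a$ count=8
auth        required      pam_deny.so
session     optional      pam_mnount.so
session     optional      pam_keyinit.so revoke
session     required      pam_tcb.so
"""

# type, control (plain word or [bracketed] form), module, optional arguments
LINE_RE = re.compile(r"^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

def parse_pam(text):
    """Yield (type, control, module) for each non-comment line of a PAM file."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def check_pam_mount(text):
    """Return findings about pam_mount placement; an empty list means the stack looks right."""
    findings = []
    stack = defaultdict(list)          # management group -> [(control, module), ...]
    for typ, ctrl, mod in parse_pam(text):
        stack[typ].append((ctrl, mod))
    for typ in ("auth", "session"):    # pam_mount needs an entry in both
        mods = [mod for _, mod in stack[typ]]
        if "pam_mount.so" not in mods:
            findings.append(f"{typ}: pam_mount.so missing")
            for mod in mods:           # catch typos such as a transposed letter
                if difflib.get_close_matches(mod, ["pam_mount.so"], cutoff=0.8):
                    findings.append(f"{typ}: {mod!r} looks like a misspelling of pam_mount.so")
    # A 'sufficient' module that succeeds ends the auth stack, so a pam_mount
    # entry placed after it never runs and never captures the password.
    auth = stack["auth"]
    mods = [mod for _, mod in auth]
    if "pam_mount.so" in mods:
        before = auth[: mods.index("pam_mount.so")]
        if any(ctrl == "sufficient" for ctrl, _ in before):
            findings.append("auth: pam_mount.so placed after a sufficient module")
    return findings
```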

The pam_mount configuration file is /etc/security/pam_mount.conf.xml. This is where you can tweak the various options the pam_mount module will use. It is also where you can enable per-user configuration files, so that users can create their own pam_mount configs rather than the administrator having to modify the primary configuration file to accommodate everyone. The option is present in the configuration file but disabled by default, so remove the comment markers around the following line:

<luserconf name=".pam_mount.conf.xml" />

With this in place, users can create their own ~/.pam_mount.conf.xml which may look as follows:

<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
    <volume fstype="crypt" path="/dev/sdb3" mountpoint="~/crypted" />
</pam_mount>

The above tells pam_mount to mount the encrypted partition /dev/sdb3 at ~/crypted/ upon login and unmount it at logout. The specifics of creating encrypted partitions are beyond our scope here, but suffice it to say that for pam_mount to work properly, your login password and the password used to secure the encrypted filesystem must be identical.

Finally, if you wish to use pam_mount to mount an NFS or Samba share, add another item to ~/.pam_mount.conf.xml that looks like this:

<volume fstype="nfs" server="nfsserver" path="/srv/subversion/repos/personal" mountpoint="~/svn" />

This will mount the remote share on the server nfsserver with the path /srv/subversion/repos/personal to the local ~/svn directory (make sure this directory exists first).
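As an added example (not from the article or the pam_mount project), the Python below validates a per-user configuration before you rely on it: it checks that each volume carries the attributes its fstype needs and that every mountpoint exists once the leading ~ is expanded, the step the text says to do by hand. The required-attribute table and the tilde handling are assumptions of this checker; the sample config is constructed from the two volumes shown above.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample built from the two volume entries shown in the article.
SAMPLE_CONF = """<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
    <volume fstype="crypt" path="/dev/sdb3" mountpoint="~/crypted" />
    <volume fstype="nfs" server="nfsserver" path="/srv/subversion/repos/personal" mountpoint="~/svn" />
</pam_mount>
"""

# Attributes a volume needs per fstype; an assumption of this checker, not a
# list taken from pam_mount itself (the pam_mount.conf manpage is the authority).
REQUIRED = {"crypt": ("path",), "nfs": ("server", "path"), "cifs": ("server", "path")}

def check_user_conf(xml_text, home):
    """Return a list of problems in a ~/.pam_mount.conf.xml body.

    `home` is the directory substituted for a leading '~' in mountpoints,
    passed explicitly so the check can run against a scratch directory.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"XML parse error: {exc}"]
    if root.tag != "pam_mount":
        return [f"root element is <{root.tag}>, expected <pam_mount>"]
    problems = []
    for vol in root.iter("volume"):
        fstype = vol.get("fstype", "")
        label = f"{fstype} volume {vol.get('path', '?')}"
        for attr in REQUIRED.get(fstype, ()):
            if not vol.get(attr):
                problems.append(f"{label}: missing attribute '{attr}'")
        mp = vol.get("mountpoint", "")
        if not mp:
            problems.append(f"{label}: missing mountpoint")
            continue
        target = home + mp[1:] if mp.startswith("~") else mp
        if not os.path.isdir(target):          # the article says to create it beforehand
            problems.append(f"{label}: mountpoint {target} does not exist")
    return problems

def run_demo():
    """Check SAMPLE_CONF against a scratch home where only ~/crypted exists."""
    home = tempfile.mkdtemp()
    os.mkdir(os.path.join(home, "crypted"))
    return home, check_user_conf(SAMPLE_CONF, home)
```

Running run_demo() reports only the missing ~/svn directory, which is exactly the case the text warns about.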

There is quite a lot that can be done with pam_mount. The pam_mount and pam_mount.conf manpages are great places to start, both containing a lot of information.


About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.
