The pam_mount module allows users to mount and access volumes through SMB on Windows servers, NCP on NetWare servers, or any other type of volume that can be mounted using the MOUNT command, by typing a password once at login. Pam_mount simplifies administration by eliminating the requirement to store passwords in additional files. Here’s how it works.
Installation and configuration
You can download Pam_mount from Flyn Computing. Once the tarball is downloaded, unpack the source archive with the following command:
When the archive is unpacked, enter the pam_mount-0.5.10 directory. Next, compile and install pam_mount with the following series of commands:
The first step in configuring pam_mount is to add the following two lines to /etc/pam.d/serviceconf:
session required /lib/security/pam_mount.so use_first_pass
auth required /lib/security/pam_mount.so use_first_pass
You can do so using any text editor. To use different passwords for logging in and mounting volumes, use the following entries:
session required /lib/security/pam_mount.so try_first_pass
auth required /lib/security/pam_mount.so try_first_pass
If the try_first_pass method is used, any applications using PAM must fully support the PAM mechanisms.
If you want to increase security, you can encrypt passwords for remote volumes and keep them in a file on the local system. The system password is then used as the key when this file is accessed. Pam_mount will transparently decrypt the key if OpenSSL supports the cipher. The following terminology is used when working with filesystem keys:
- Sk: System key, which is the key or password used for logging into the system
- Fsk: Filesystem key, which is the key used to access the file to be mounted by pam_mount
- E and D: An encryption/decryption algorithm used by OpenSSL
- Efsk: Encrypted filesystem key, stored on the local filesystem; for example, home/user/user.key
Pam_mount reads the encrypted filesystem key, decrypts the key, and then uses the filesystem key to mount the requested volume.
You’ll find the configuration file for pam_mount in /etc/pam_mount.conf. Most of the entries at the beginning of this file can be left with their default values. The entries define the volumes to be mounted. On multiuser systems, copy this file to each user’s home directory to specify any additional volumes required by individual users.
The pam_mount.conf file provides examples of how volumes are mounted. To specify volumes, the following syntax is used:
volume <user> [smb|ncp] <server> <volume> <mount point> <mount options>
For example, the entry
volume jim smb everest jim /home/jim/everest
would mount the volume jim, on the server everest, at the mount point /home/jim/everest.
To ensure that the configuration is correct on both the server and the local system, always try to mount the volumes specified in pam_mount.conf using the mount command from the command line, prior to mounting from pam_mount.
Using the mount command allows any errors to be debugged more easily than by using pam_mount. This procedure also works well when errors occur on a configured system.
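The manual check described above, as an added example (not from the original article or the pam_mount project): a shell function that turns a volume line into the command to try by hand. The cifs and ncpmount command forms and the server name k2 are assumptions; neither command carries a password, so each one prompts for it.

```shell
#!/bin/sh
# Added example (not pam_mount code): dry-run helper for pam_mount.conf volume lines.
# Fields: volume <user> [smb|ncp] <server> <volume> <mount point> <mount options>

# Print the command for a manual mount test; return 1 on a malformed line.
volume_to_cmd() {
    set -f            # no globbing while the line is split into fields
    set -- $1
    set +f
    if [ "$#" -lt 6 ] || [ "$1" != "volume" ]; then
        echo "error: expected 'volume' and at least five fields" >&2; return 1
    fi
    user=$2 fstype=$3 server=$4 vol=$5 mnt=$6 opts=${7:-}
    # The output is meant to be pasted into a root shell, so refuse any
    # field containing characters outside a conservative allow-list.
    case "$user$server$vol" in
        *[!A-Za-z0-9._-]*) echo "error: unsafe character in user/server/volume" >&2; return 1 ;;
    esac
    case "$mnt" in
        /*) ;;
        *) echo "error: mount point must be absolute" >&2; return 1 ;;
    esac
    case "$mnt$opts" in
        *[!A-Za-z0-9._=,/-]*) echo "error: unsafe character in mount point/options" >&2; return 1 ;;
    esac
    case "$fstype" in
        smb) # assumption: modern cifs client; no password option, so mount prompts
            echo "mount -t cifs //$server/$vol $mnt -o username=$user${opts:+,$opts}" ;;
        ncp) # assumption: ncpmount from ncpfs; it prompts when no password is given
            [ -z "$opts" ] || echo "note: translate options '$opts' by hand" >&2
            echo "ncpmount -S $server -U $user -V $vol $mnt" ;;
        *) echo "error: type must be smb or ncp" >&2; return 1 ;;
    esac
}

# Constructed sample lines; the first is the entry from the article.
while IFS= read -r line; do
    volume_to_cmd "$line" || echo "skipped: $line"
done <<'EOF'
volume jim smb everest jim /home/jim/everest
volume jim ncp k2 DATA /home/jim/data
volume jim smb everest jim;id /home/jim/x
EOF
```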
Support for NetWare volumes
The /usr/local/sbin/pmhelper program is used to transport passwords. To correctly send passwords to ncpmount, ncpfs version 184.108.40.206.10 or newer must be installed. You can find out more about NetWare support in Linux by checking out “Connecting Linux workstations to your NetWare servers.”
Mounted and ready to ride
The ability to mount SAMBA and NetWare volumes with a single password, and to mount these volumes automatically at login, can help make the network transparent to users. Once you know the basics of installing and configuring pam_mount, a utility designed to take advantage of Pluggable Authentication Modules (PAM) to automate the mounting of remote volumes, you’ll wish you had used this utility a long time ago. This tool is worth a look for any Linux user or administrator who wants to simplify the process of mounting volumes.