I use LUKS-encrypted LVMs that are opened with pam_mount to store user directories on a server. Historically pam_mount has to be watched when upgrading, but this is a new level of broken.

Reproducible: Always

Steps to Reproduce:
1) pam_mount 2.10 + libhx 3.10.1
2) mount a LUKS device
3) fail

Actual Results:
*with debug enabled in pam_mount

# su USER -
pam_mount(pam_mount.c:553): pam_mount 2.10: entering session stage
reenter password for pam_mount:
pam_mount(misc.c:38): Session open: (ruid/rgid=0/1008, e=0/1008)
pam_mount(mount.c:214): Mount info: globalconf, user=USER <volume fstype="crypt" server="(null)" path="/dev/vg0/home_USER" mountpoint="/home/USER" cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhash="(null)" options="" /> fstab=0 ssh=0
command: 'mount' '-t' 'crypt' '/dev/vg0/home_USER' '/home/USER'
pam_mount(misc.c:38): set_myuid<pre>: (ruid/rgid=0/1008, e=0/1008)
pam_mount(misc.c:38): set_myuid<post>: (ruid/rgid=0/1008, e=0/1008)
pam_mount(mount.c:65): Messages from underlying mount program:
pam_mount(mount.c:69): ehd_load: Invalid argument
pam_mount(misc.c:380): 16 1 253:16 / / rw,relatime - ext2 /dev/mapper/root rw,barrier=1,data=ordered
pam_mount(misc.c:380): 12 16 0:3 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
pam_mount(misc.c:380): 13 16 0:12 / /lib64/rc/init.d rw,nosuid,nodev,noexec,relatime - tmpfs rc-svcdir rw,size=1024k,mode=755
pam_mount(misc.c:380): 14 16 0:13 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
pam_mount(misc.c:380): 15 14 0:14 / /sys/kernel/security rw,nosuid,nodev,noexec,relatime - securityfs securityfs rw
pam_mount(misc.c:380): 17 16 0:15 / /dev rw,nosuid,relatime - tmpfs udev rw,size=10240k,mode=755
pam_mount(misc.c:380): 18 17 0:8 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620
pam_mount(misc.c:380): 19 17 0:16 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw
pam_mount(misc.c:380): 20 16 253:10 / /var/cache/squid rw,noatime - ext4 /dev/mapper/vg0-squid_cache rw,barrier=1,data=ordered
pam_mount(misc.c:380): 21 16 0:17 / /tmp rw,nosuid,nodev,noexec,relatime - tmpfs none rw
pam_mount(misc.c:380): 22 12 0:18 / /proc/sys/fs/binfmt_misc rw,nosuid,nodev,noexec,relatime - binfmt_misc binfmt_misc rw
pam_mount(pam_mount.c:521): mount of /dev/vg0/home_USER failed
command: 'pmvarrun' '-u' 'USER' '-o' '1'
pam_mount(misc.c:38): set_myuid<pre>: (ruid/rgid=0/1008, e=0/1008)
pam_mount(misc.c:38): set_myuid<post>: (ruid/rgid=0/1008, e=0/1008)
pmvarrun(pmvarrun.c:248): parsed count value 0
pam_mount(pam_mount.c:440): pmvarrun says login count is 1
pam_mount(pam_mount.c:645): done opening session (ret=0)

Expected Results:

# su user -
reenter password for pam_mount:
user@machine:03:51:0:/var/log>

The libhx version is specified because pam_mount depends on it, and the earlier version (I have to use 2.8 now) requires an earlier version of libhx, so there may possibly be a relation. The mount via cryptsetup functions equally well in either version, so I assume this is a problem with the pam_mount package.
=========================================
emerge --info:

Portage 2.1.9.47 (hardened/linux/amd64, gcc-4.5.2, glibc-2.13-r2, 2.6.37-hardened-r7 x86_64)
=================================================================
System uname: Linux-2.6.37-hardened-r7-x86_64-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_5600+-with-gentoo-2.0.2
Timestamp of tree: Tue, 07 Jun 2011 14:00:01 +0000
distcc 3.1 x86_64-pc-linux-gnu [disabled]
ccache version 3.1.4 [enabled]
app-shells/bash: 4.2_p8-r1
dev-java/java-config: 2.1.11-r3
dev-lang/python: 2.7.1-r1, 3.1.3-r1
dev-util/ccache: 3.1.4
dev-util/cmake: 2.8.4-r1
sys-apps/baselayout: 2.0.2
sys-apps/openrc: 0.8.2
sys-apps/sandbox: 2.2
sys-devel/autoconf: 2.68
sys-devel/automake: 1.9.6-r2, 1.11.1-r1
sys-devel/binutils: 2.21
sys-devel/gcc: 4.5.2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.4-r1
sys-devel/make: 3.82
sys-kernel/linux-headers: 2.6.38 (virtual/os-headers)
sys-libs/glibc: 2.13-r2
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /etc/pam.d/ /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe"
DISTDIR="/var/portage/distfiles"
FEATURES="assume-digests binpkg-logs ccache distlocks fixlafiles fixpackages metadata-transfer news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,-O1,--as-needed"
LINGUAS="en"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/hardened-development /usr/local/portage/layman/sunrise /usr/local/portage/layman/sectools /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext amd64 custom-cflags gnutls hardened imap ipv6 maildir mmx mmxext multilib mysql ncurses pam python sse sse2 ssl tcpd threads vhosts xattr xinetd xorg zlib" ALSA_CARDS="hda-intel" APACHE2_MODULES="authz_host dir mime userdir vhost_alias alias rewrite log_config" APACHE2_MPMS="worker" ELIBC="glibc" INPUT_DEVICES="evdev" KERNEL="linux" LINGUAS="en" QEMU_SOFTMMU_TARGETS="x86_64" USERLAND="GNU" VIDEO_CARDS="radeon radeonhd"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

==========================================
/etc/security/pam_mount.conf.xml

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
    See pam_mount.conf(5) for a description.
-->
<pam_mount>

    <!-- debug should come before everything else,
         since this file is still processed in a single pass
         from top-to-bottom -->
    <debug enable="1" />

    <!-- VOLDEF-->
    <volume user="user" path="/dev/vg0/home_user" mountpoint="/home/user" fstype="crypt" />

    <!-- pam_mount parameters: General tunables -->
    <!--
    <luserconf name=".pam_mount.conf.xml" />
    -->

    <!-- Note that commenting out mntoptions will give you the defaults.
         You will need to explicitly initialize it with the empty string
         to reset the defaults to nothing. -->
    <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
    <!--
    <mntoptions deny="suid,dev" />
    <mntoptions allow="*" />
    <mntoptions deny="*" />
    -->
    <mntoptions require="nosuid,nodev" />
    <logout wait="10000" hup="no" term="no" kill="no" />
    <path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>
    <logout wait="0" hup="0" term="0" kill="0" />

    <!-- pam_mount parameters: Volume-related -->
    <mkmountpoint enable="1" remove="true" />

</pam_mount>
This worked with older versions?

I see in your log:

cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhash="(null)"

I can't tell what kind of setup you have, but I'd think at least you'd have to specify cipher=.

Probably the best course of action is to email the pam-mount-user mailing list on SourceForge.
No response in a month. Marking as NEEDINFO.