Gentoo's Bugzilla – Attachment 48463 Details for Bug 24213: sys-auth/pam_mount (new ebuild)
Attachment: pam_mount.conf (text/plain), 9.13 KB, created by Gilles Schintgen on 2005-01-14 07:31:50 UTC
Description: fixes previous pam_mount.conf
Flags: patch, obsolete
#-------------------------------------------------------------------
# Below is a modified sample configuration file for pam_mount that has
# been successfully used to do encrypted auto mounts on a Gentoo box
# using both the same password as login and a separate key file
# and openssl. This works for cryptoloop and dm-crypt.
#-------------------------------------------------------------------

# Turn on if you want to debug why some volume cannot be mounted etc.
# This can be overridden by the user's local configuration.
#
# Format: debug [ 1 | 0 ]
# Local user configuration can override this.

debug 1
mkmountpoint 1
# Loopback device to use to run fsck on loopback filesystems.
fsckloop /dev/loop7

# Users' local configuration file (if there is none, comment out this
# parameter). Will be read as ~/<file>
#
# Note: you must include either options_allow or options_deny to use
# this directive. I recommend also including options_require.
#
# Individual users may define additional volumes to mount if allowed
# by pam_mount.conf (usually ~/.pam_mount.conf). The volume keyword is
# the only valid keyword in these per-user configuration files. If the
# luserconf parameter is set in pam_mount.conf, allowing user-defined
# volumes, then users may mount and unmount any volume they own at any
# mount point they own. On some filesystem configurations this may be
# a security flaw, so user-defined volumes are not allowed by the example
# pam_mount.conf distributed with pam_mount.
#
# Format: luserconf <file>
# luserconf .pam_mount.conf

# These directives determine which options may be specified in a user config
# file (luserconf). You must include one of these directives if you have a
# luserconf directive. You may not include both directives.
#
# If you have an options_allow directive, then the options listed in that
# directive will be allowed, and all others rejected. If you have an
# options_deny directive, then the options listed will be denied, and all others
# permitted.
#
# You may use the wildcard '*' to match all options.
#
# options_allow nosuid,nodev
# options_deny suid,dev
# options_allow *
# options_deny *
#
# I recommend not permitting the suid and dev options.

# The options listed in this directive are required for all volumes from a
# user config file. That is, any volume specified in a user config file that
# does not include these options will be ignored.
#
# Note: you must make sure that a required option is permitted (either by
# including it in options_allow, or by not including it in options_deny).
#
# I recommend requiring at least nosuid and nodev.
#
# This is ignored completely if the volume is configured to get its options
# and mount point from /etc/fstab.
#
options_require nosuid,nodev

# Commands to mount/unmount volumes. They can take parameters, as shown.
#
# If you change the -p0 argument for lclmount, you'll need to modify the
# source in mount.c (it sends the password to the stdin file descriptor
# of the child process -- look for STDIN_FILENO).

lsof /usr/sbin/lsof

# Added the -p option to fsck to prevent reiserfs from asking questions
fsck /sbin/fsck -p
losetup /sbin/losetup
unlosetup /sbin/losetup -d
smbmount /bin/mount -t smbfs
ncpmount /bin/mount -t ncpfs
# Linux supports lazy unmounting (-l). May be dangerous for encrypted volumes.
# May also break loopback mounts because loopback devices are not freed.
# This was disabled; if you know what you're doing, add -l to the next line
umount /bin/umount

# On OpenBSD try "/usr/local/bin/mount_ehd" (included in pam_mount package).
lclmount /bin/mount -p0
nfsmount /bin/mount
# --bind may be a Linuxism. FIXME: find BSD equivalent.
mntagain /bin/mount --bind
mntcheck /bin/mount # For BSDs (they don't have /etc/mtab)

# Volumes that will be mounted when the user triggers the pam_mount module
# (usually at login).
#
# Format:
# volume <user> [smb|ncp|nfs|local|crypt] <server> <volume> <mount point> <mount options> <fs key cipher> <fs key path>
#
# General examples:
# volume user smb krueger public /home/user/krueger - - -
# volume user ncp krueger public /home/user/krueger - - -

# Linux encrypted home directory examples:
# volume user local - /dev/hda123 /home/user loop,encryption=aes - -
# volume user local - /home/user.img /home/user loop,user,exec,encryption=aes,keybits=256 - -
# volume user local - /home/user.img - - - -
# volume user local - /home/user.img - - aes-256-ecb /home/user4.key

# BEGIN GENTOO EXAMPLES FOR ENCRYPTED HOME
# user1 has an encrypted home that uses his/her system password as the
# encryption key.
# To create a USB-dongle-secured user, see user2:
# Define a user "key" (and group "key") to use a USB dongle as an encrypted
# file system holding the key to the user2 file system, so the user would need
# the USB dongle, the password for user key and the password for user
# user2 in order to access the encrypted home of user2. Note that
# without the first two the user can still log in and create files
# on his home directory mount point. However the security for the
# encrypted volume is much better since a dictionary attack would need
# the dongle. See http://www.counterpane.com/twofish-final.html
# for a discussion on why twofish is a good choice. This setup works
# with mm-sources-2.6.0_beta9-r5. So to log in graphically as user2:
# insert the dongle, ctrl-alt-f1, log in as key, alt-f7, log in as user2,
# ctrl-alt-f1, log out key, remove the dongle. This works for KDM. Modify
# /etc/pam.d/login and /etc/pam.d/kde per docs.
#volume key local - /dev/sda2 /key loop,encryption=twofish - -
#volume user1 local - /home/.user1 /home/user1 loop,encryption=twofish - -
#volume user2 local - /home/.user2 - - bf-ecb /key/sp.key
# /etc/fstab contains
#/home/.user2 /home/user2 reiserfs user,loop,encryption=twofish,noauto 0 0
#/dev/sda2 /key ext2 user,loop,encryption=twofish,noauto 0 0
#
# Device-Mapper based encryption (dm-crypt)
# Since the introduction of dm-crypt in Linux 2.6.4, cryptoloop has been
# deprecated. To use the new dm-crypt interface, you will have to adapt
# the preceding examples to use "crypt" instead of "local" as filesystem
# type. Additionally the cipher algorithm is specified via the "cipher"
# option (to distinguish from cryptoloop's "encryption"). Thus, the
# user1 example would look like this:
#volume user1 crypt - /home/.user1 /home/user1 loop,cipher=twofish - -
# An entry in /etc/fstab is not needed. A detailed HOWTO can be found in
# the forums: http://forums.gentoo.org/viewtopic.php?t=274651
# END GENTOO EXAMPLES

#
# OpenBSD encrypted home directory example (see also lclmount above):
# volume user local - /home/user.img /home/user svnd0 - -
#
# The Linux examples above that give "-" as mount point need a line like
# the following in /etc/fstab:
#
# /home/user4.img /home/user4 xfs user,loop,encryption=aes,keybits=256,noauto 0 0
#
# Details:
# Local user configuration can extend this.
# Mount point must be owned by the user.
#
# If there are no servers, mount options, fs key ciphers, etc. you must
# supply a "-"
#
# If a local mount is specified in a user config file, then the user must
# own the device or file being mounted.
#
# See http://www.tldp.org/HOWTO/Loopback-Encrypted-Filesystem-HOWTO.html
# to learn how to create an encrypted loopback filesystem.
#
# If the volume's password is different from the user's login password,
# the following technique may be used (see also README):
#
# 1. Create a file containing the volume's password (FS key). If you are
#    using pam_mount to mount a loopback encrypted volume, this password
#    should be generated from /dev/urandom.
#
#    Simple example:
#      echo <volume password> | openssl aes-256-ecb > /home/user.key
#      Encrypt this file using the user's login password as the key.
#
#    Verbose loopback encrypted volume example:
#      a. dd if=/dev/urandom of=/home/user.img bs=1M count=<image size in MB>
#      b. dd if=/dev/urandom bs=1c count=<keysize / 8> | openssl enc \
#         -<fs key cipher> > /home/user.key
#         Encrypt this file using the user's login password as the key.
#      c. openssl enc -d -<fs key cipher> -in /home/user.key | losetup -e aes \
#         -k <keysize> -p0 /dev/loop0 /home/user.img
#      d. mkfs -t ext2 /dev/loop0
#      e. umount /dev/loop0
#      f. losetup -d /dev/loop0
#
#    Keep the key file readable only by its owner (mode 0600): anyone who
#    can read it can run an offline dictionary attack on the login password.
#
# 2. In pam_mount.conf:
#      a. Set the fs key cipher variable to the cipher used (e.g. aes-256-ecb).
#      b. Set the fs key path variable to the key's path (e.g. /home/user.key)
# 3. If a user changes his login password, regenerate the efsk (encrypted
#    FS key) that was created in step 1b. A script named passwdehd is
#    provided to do this.
#
# If fs_key_cipher is -, then the user's login password is also the volume's
# password.

# Template (or wildcard) volumes
#
# If user is "*", "&" will be replaced by the name of the user logging on in the
# volume, mount point, mount options and fs key path fields. "~/*" will be
# replaced with "<user's homedir>/*". In this mode, the user need not
# own the mount point, but it must exist.
#
# volume * smb krueger & /home/& uid=&,gid=&,dmask=0750 - -
# volume * smb krueger homes /home/&/remote - - -
# volume * local - /home/&.img - - aes-256-ecb /etc/ehd/&

# Windows 2000, which requires a domain specified, example (thanks John Knox):
# volume * smb viper & /home/& uid=&,gid=&,dmask=0750,workgroup=WINDOWS_DOMAIN - -
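The luserconf policy the comments above describe (exactly one of options_allow / options_deny, options_require enforced on user-file volumes, ownership of the device and of the mount point) together with the "&" / "~/" template substitution, modelled as an added Python example. This is not pam_mount's code and does not reproduce its parser; the system and user configs, the users bob and carol, the owned-path set handed in instead of a stat() call, and matching an option by its name before any "=" are all assumptions made for the illustration.

```python
"""Policy model for pam_mount.conf user volumes (luserconf): added illustration, not
pam_mount's code. Assumptions: ownership is a caller-supplied set of paths (no stat())
and an option is matched by its name before any '='."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Volume:                # one 'volume' line; "-" marks an empty field
    user: str
    fstype: str              # smb | ncp | nfs | local | crypt
    server: str
    volume: str              # device, image file or remote share
    mountpoint: str          # "-": mount point and options come from /etc/fstab
    options: List[str]
    fs_key_cipher: str       # "-": the login password is also the volume password
    fs_key_path: str

@dataclass
class Policy:
    options_allow: Optional[Set[str]] = None
    options_deny: Optional[Set[str]] = None
    options_require: Set[str] = field(default_factory=set)
    luserconf: Optional[str] = None
    volumes: List[Volume] = field(default_factory=list)

def _split(s: str) -> List[str]:
    return [] if s == "-" else s.split(",")

def parse_volume(fields: List[str]) -> Volume:
    if len(fields) != 9:
        raise ValueError("volume needs 8 fields ('-' for empty ones): %r" % (fields,))
    user, fstype, srv, vol, mnt, opts, cipher, key = fields[1:]
    return Volume(user, fstype, srv, vol, mnt, _split(opts), cipher, key)

def parse_config(text: str) -> Policy:
    """Read the policy-relevant directives of the system pam_mount.conf."""
    pol = Policy()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()        # drop comments and blank lines
        if not fields:
            continue
        if fields[0] in ("options_allow", "options_deny", "options_require"):
            setattr(pol, fields[0], set(_split(fields[1])))
        elif fields[0] == "luserconf":
            pol.luserconf = fields[1]
        elif fields[0] == "volume":
            pol.volumes.append(parse_volume(fields))
        # debug, mkmountpoint, fsckloop and the command paths carry no policy
    if (pol.options_allow is None) == (pol.options_deny is None) and \
            (pol.luserconf or pol.options_allow is not None):
        raise ValueError("use exactly one of options_allow/options_deny with luserconf")
    return pol

def check_user_volume(v: Volume, pol: Policy, login: str, owned: Set[str]) -> Optional[str]:
    """None if a ~/.pam_mount.conf volume may be mounted, else why it is ignored."""
    if v.user != login:
        return "volume is for user %r, not %r" % (v.user, login)
    names = {o.split("=", 1)[0] for o in v.options}
    if pol.options_allow is not None and "*" not in pol.options_allow:
        bad = names - pol.options_allow
        if bad:
            return "options not allowed: " + ",".join(sorted(bad))
    if pol.options_deny is not None:
        bad = names if "*" in pol.options_deny else names & pol.options_deny
        if bad:
            return "options denied: " + ",".join(sorted(bad))
    if v.mountpoint != "-":    # options_require is skipped for fstab-driven volumes
        missing = pol.options_require - names
        if missing:
            return "missing required options: " + ",".join(sorted(missing))
        if v.mountpoint not in owned:
            return "mount point %s not owned by %s" % (v.mountpoint, login)
    if v.fstype in ("local", "crypt") and v.volume not in owned:
        return "device/file %s not owned by %s" % (v.volume, login)
    return None

def expand_template(v: Volume, login: str, homedir: str) -> Volume:
    """For a 'volume *' line: '&' -> login name, leading '~/' -> '<homedir>/'."""
    def sub(s: str) -> str:
        if s.startswith("~/"):
            s = homedir + "/" + s[2:]
        return s.replace("&", login)
    return Volume(login, v.fstype, v.server, sub(v.volume), sub(v.mountpoint),
                  [sub(o) for o in v.options], v.fs_key_cipher, sub(v.fs_key_path))

def evaluate_user_config(text: str, pol: Policy, login: str, owned: Set[str]):
    """(volume, reason-or-None) per 'volume' line of a user file; [] if luserconf is off."""
    if not pol.luserconf:
        return []
    rows = [raw.split("#", 1)[0].split() for raw in text.splitlines()]
    vols = [parse_volume(f) for f in rows if f and f[0] == "volume"]   # only keyword allowed
    return [(v, check_user_volume(v, pol, login, owned)) for v in vols]

# Constructed sample inputs (not the attached file): a system config and bob's own file.
SYSTEM_CONF = """\
luserconf .pam_mount.conf
options_allow nosuid,nodev,loop,encryption,keybits
options_require nosuid,nodev
volume * smb krueger & /home/& uid=&,gid=&,dmask=0750 - -
"""
USER_CONF = """\
volume bob local - /home/bob/vault.img /home/bob/vault loop,nosuid,nodev,encryption=aes - -
volume bob local - /home/bob/vault.img /home/bob/vault loop,nosuid,nodev,exec,encryption=aes - -
volume bob local - /home/bob/vault.img /home/bob/vault loop,encryption=aes - -
volume bob local - /dev/hda1 /home/bob/disk loop,nosuid,nodev - -
volume carol local - /home/carol/x.img /home/carol/x nosuid,nodev - -
"""
BOB_OWNS = {"/home/bob/vault.img", "/home/bob/vault", "/home/bob/disk"}
```

Calling `evaluate_user_config(USER_CONF, parse_config(SYSTEM_CONF), "bob", BOB_OWNS)` accepts only the first of bob's five lines: the second asks for exec, which the allow list does not contain; the third lacks the required nosuid,nodev; the fourth names /dev/hda1, which bob does not own; and carol's line is not his at all. Dropping luserconf from the system config makes the user file irrelevant, which is the default the sample config recommends.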