Re: relationship between pam_module and PAM chains

[Joe Pfeiffer <pfeiffer@cs.nmsu.edu>]

Kushal Kumaran <kushal.kumaran+debian@gmail.com> writes:

> Joe Pfeiffer <pfeiffer@cs.nmsu.edu> writes:
>>
>> So where I'm confused is with pam_setcred().  When the program calls
>> pam_setcred(), which modules' pam_sm_setcred() functions get called?
>> Are they associated with one of the chains, and if so, which one?
>>
>
> Look at the "What is expected of a module" section in the pam manual.
> pam_sm_authenticate and pam_sm_setcred are both called for the auth
> chains.  That said, do you need pam_sm_setcred for your purpose below?

Thanks -- this (and the manual in general!) helps a lot to clear things
up.

I don't have any particular reason to think pam_sm_setcred() has any
relevance to my actual goal:  I'm trying to get to understand the system
well enough to start making guesses as to what's going on!

>> -------------------
>>
>> So here's what I'm trying to do:  I'd like to use libpam_mount to mount
>> an encfs filesystem when I login using ssh.  This is working just fine
>> with console and gdm3 logins, but when I login using ssh my password
>> doesn't get passed to libpam_mount so the mount fails.  From googling,
>> it looks like many people before me have jumped down this particular
>> rabbit hole, and if any have ever emerged successfully they haven't
>> posted their results.
>>
>
> In a past life, I wrote a python module (using pam_python) to do this:
> https://bitbucket.org/kushal_kumaran/libpam-encfs-2/overview
>
> It's been a while since I wrote that, so the details are a bit fuzzy.
> pam_sm_authenticate is called first, and it has to get the user's
> password by calling pam_get_item(PAM_AUTHTOK).  This translates to line
> 146 in the source (accessing pamh.authtok translates to the
> pam_get_item(PAM_AUTHTOK) call).
>
> My pam_sm_setcred implementation is a do-nothing-return-success
> function.  Apparently I did not need it.

Thanks -- I just grabbed a copy.  I expect this to help a lot.

> If you're doing this as a learning exercise, great!  If not, consider
> https://code.google.com/p/pam-encfs/ as well.

I was actually using that at one time, and started running into some of
the bugs that have been reported against it (multiply-mounted
filesystems and the like); seeing it is no longer actively maintained
made be shy away from it.  I sort of like the idea of getting pam_mount
working in this case, since it's more general.

> Note that if you are logging in with a public key, you will not be able
> to do this (you don't get AUTHTOK).  This was the main reason I
> eventually stopped using it, because I do not enable password
> authentication for ssh.

Yes, that's a drawback.  In an ideal world, ssh could authenticate
using a public key, then pam_mount could notice it needed my password
and ask for it (if the directory wasn't already mounted).  I'm nowhere
near far enough along in this to even guess whether that would be
possible!

> sshd will also call pam_open_session, so it does not really matter
> whether it calls pam_setcred also.
>
> I'm not sure why you are suspecting problems with environment
> variables.  See the manpage for pam_env for what it does.  It's just a
> convenient way to (un)set environment variables from a variety of
> sources (/etc/security/pam_env.conf being the default).

Sorry, I guess I wasn't clear about where my questions are coming from.
I'm not actually suspecting environment variables or anything else at
this point -- I don't know enough to have actual suspicions yet.