~ubuntu-branches/ubuntu/trusty/libpam-mount/trusty-proposed : revision 34

1

Description: Upstream changes introduced in version 1.33-2

2

This patch has been created by dpkg-source during the package build.

3

Here's the last changelog entry, hopefully it gives details on why

4

those changes were made:

5

.

6

libpam-mount (1.33-2) unstable; urgency=low

7

.

8

* Added patch grab_authtok_retcode:

9

Fix regression in authentication token handling.

10

.

11

The person named in the Author field signed this changelog entry.

12

Author: Bastian Kleineidam <calvin@debian.org>

13

14

---

15

The information above should follow the Patch Tagging Guidelines, please

16

checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here

17

are templates for supplementary fields that you might want to add:

18

19

Origin: <vendor|upstream|other>, <url of original patch>

20

Bug: <url in upstream bugtracker>

21

Bug-Debian: http://bugs.debian.org/<bugnumber>

22

Forwarded: <no|not-needed|url proving that it has been forwarded>

23

Reviewed-By: <name and email of someone who approved the patch>

24

Last-Update: <YYYY-MM-DD>

25

26

--- libpam-mount-1.33.orig/doc/pam_mount.txt

27

+++ libpam-mount-1.33/doc/pam_mount.txt

28

@@ -1,4 +1,4 @@

29

-pam_mount(8) pam_mount 1.33 pam_mount(8)

30

+pam_mount(8) pam_mount 1.33 pam_mount(8)

31

32

33

34

@@ -6,57 +6,37 @@ Name

35

pam_mount - A PAM module that can mount volumes for a user session

36

37

Overview

38

- This module is aimed at environments with central file servers that a

39

- user wishes to mount on login and unmount on logout, such as

40

- (semi-)diskless stations where many users can logon and where stati-

41

- cally mounting the entire /home from a server is a security risk, or

42

- listing all possible volumes in /etc/fstab is not feasible.

43

+ This module is aimed at environments with central file servers that a user wishes to mount on login and unmount on logout, such as (semi-)diskless stations where many

44

+ users can logon and where statically mounting the entire /home from a server is a security risk, or listing all possible volumes in /etc/fstab is not feasible.

45

46

- · Users can define their own list of volumes without having to change

47

- (possibly non-writable) global config files.

48

+ · Users can define their own list of volumes without having to change (possibly non-writable) global config files.

49

50

- · Single sign-on feature - the user needs to type the password just

51

- once (at login)

52

+ · Single sign-on feature - the user needs to type the password just once (at login)

53

54

· Transparent mount process

55

56

· No stored passwords

57

58

- · Volumes are unmounted on logout, freeing system resources and not

59

- leaving data exposed.

60

+ · Volumes are unmounted on logout, freeing system resources and not leaving data exposed.

61

62

- The module also supports mounting local filesystems of any kind the

63

- normal mount utility supports, with extra code to make sure certain

64

- volumes are set up properly because often they need more than just a

65

- mount call, such as encrypted volumes. This includes SMB/CIFS, FUSE,

66

- dm-crypt and LUKS.

67

-

68

- If you intend to use pam_mount to protect volumes on your computer

69

- using an encrypted filesystem system, please know that there are many

70

- other issues you need to consider in order to protect your data. For

71

- example, you probably want to disable or encrypt your swap partition

72

- (the cryptoswap can help you do this). Do not assume a system is secure

73

- without carefully considering potential threats.

74

+ The module also supports mounting local filesystems of any kind the normal mount utility supports, with extra code to make sure certain volumes are set up properly

75

+ because often they need more than just a mount call, such as encrypted volumes. This includes SMB/CIFS, FUSE, dm-crypt and LUKS.

76

+

77

+ If you intend to use pam_mount to protect volumes on your computer using an encrypted filesystem system, please know that there are many other issues you need to con‐

78

+ sider in order to protect your data. For example, you probably want to disable or encrypt your swap partition (the cryptoswap can help you do this). Do not assume a

79

+ system is secure without carefully considering potential threats.

80

81

Configuration

82

- The primary configuration file for the pam_mount module is

83

- pam_mount.conf.xml. On most platforms this file is read from

84

- /etc/security/pam_mount.conf.xml. On OpenBSD pam_mount reads its con-

85

- figuration file from /etc/pam_mount.conf.xml. See pam_mount.conf(5)

86

- documenting its use.

87

-

88

- Individual users may define additional volumes to mount if allowed by

89

- pam_mount.conf.xml (usually ~/.pam_mount.conf.xml). The volume keyword

90

- is the only valid keyword in these per-user configuration files. If the

91

- luserconf parameter is set in pam_mount.conf.xml, allowing user-defined

92

- volume, then users may mount and unmount any volume they own at any

93

- mount point they own. On some filesystem configurations this may be a

94

- security flaw so user-defined volumes are not allowed by the example

95

+ The primary configuration file for the pam_mount module is pam_mount.conf.xml. On most platforms this file is read from /etc/security/pam_mount.conf.xml. On OpenBSD

96

+ pam_mount reads its configuration file from /etc/pam_mount.conf.xml. See pam_mount.conf(5) documenting its use.

97

+

98

+ Individual users may define additional volumes to mount if allowed by pam_mount.conf.xml (usually ~/.pam_mount.conf.xml). The volume keyword is the only valid keyword

99

+ in these per-user configuration files. If the luserconf parameter is set in pam_mount.conf.xml, allowing user-defined volume, then users may mount and unmount any vol‐

100

+ ume they own at any mount point they own. On some filesystem configurations this may be a security flaw so user-defined volumes are not allowed by the example

101

pam_mount.conf.xml distributed with pam_mount.

102

103

PAM configuration

104

- In addition, you must include two entries in the system's applicable

105

- /etc/pam.d/service config files, as the following example shows:

106

+ In addition, you must include two entries in the system's applicable /etc/pam.d/service config files, as the following example shows:

107

108

auth required pam_securetty.so

109

auth required pam_pwdb.so shadow nullok

110

@@ -69,17 +49,11 @@ PAM configuration

111

session optional pam_console.so

112

+++ session optional pam_mount.so

113

114

- When "sufficient" is used in the second column, you must make sure that

115

- pam_mount is added before this entry. Otherwise pam_mount will not get

116

- executed should a previous PAM module succeed. Also be aware of the

117

- "include" statements. These make PAM look into the specified file. If

118

- there is a "sufficient" statement, then the pam_mount entry must either

119

- be in the included file before the "sufficient" statement or before the

120

- "include" statement.

121

-

122

- If you use pam_ldap, pam_winbind, or any other authentication services

123

- that make use of PAM's sufficient keyword, model your configuration on

124

- the following order:

125

+ When "sufficient" is used in the second column, you must make sure that pam_mount is added before this entry. Otherwise pam_mount will not get executed should a previ‐

126

+ ous PAM module succeed. Also be aware of the "include" statements. These make PAM look into the specified file. If there is a "sufficient" statement, then the pam_mount

127

+ entry must either be in the included file before the "sufficient" statement or before the "include" statement.

128

+

129

+ If you use pam_ldap, pam_winbind, or any other authentication services that make use of PAM's sufficient keyword, model your configuration on the following order:

130

131

···

132

account sufficient pam_ldap.so

133

@@ -91,83 +65,55 @@ PAM configuration

134

135

This allows for:

136

137

- 1. pam_mount, as the first "auth" module, will prompt for a password

138

- and export it to the PAM system.

139

+ 1. pam_mount, as the first "auth" module, will prompt for a password and export it to the PAM system.

140

141

- 2. pam_ldap will use the password from the PAM system to try and

142

- authenticate the user. If this succedes, the user will be authenti-

143

- cated. If it fails, pam_unix will try to authenticate.

144

-

145

- 3. pam_unix will try to authenticate the user if pam_ldap failed. If

146

- pam_unix fails, then the authentication will be refused (due to the

147

- "required").

148

+ 2. pam_ldap will use the password from the PAM system to try and authenticate the user. If this succedes, the user will be authenticated. If it fails, pam_unix will

149

+ try to authenticate.

150

151

- Alternatively, the following is possible (thanks to Andrew Morgan for

152

- the hint!):

153

+ 3. pam_unix will try to authenticate the user if pam_ldap failed. If pam_unix fails, then the authentication will be refused (due to the "required").

154

+

155

+ Alternatively, the following is possible (thanks to Andrew Morgan for the hint!):

156

157

auth [success=2 default=ignore] pam_unix2.so

158

auth [success=1 default=ignore] pam_ldap.so use_first_pass

159

auth requisite pam_deny.so

160

auth optional pam_mount.so

161

162

- It may seem odd, but the first three lines will make it so that at

163

- least one of pam_unix2 or pam_ldap has to succeed. As you can see,

164

- pam_mount will be run after successful authentification with these sub-

165

- systems.

166

+ It may seem odd, but the first three lines will make it so that at least one of pam_unix2 or pam_ldap has to succeed. As you can see, pam_mount will be run after suc‐

167

+ cessful authentification with these subsystems.

168

169

Encrypted disks

170

- pam_mount supports a few types of crypto. The most common are encfs,

171

- dm-crypt and dm-crypt+LUKS.

172

+ pam_mount supports a few types of crypto. The most common are encfs, dm-crypt and dm-crypt+LUKS.

173

+

174

+ The first one uses the FUSE layer; files within the encfs container are stored as single encrypted files on the host in a previously-existing directory. If you store

175

+ lots of files, it is recommended to have a lower filesystem that is strong in this area, such as xfs, but some software and/or your partitioning decisions may force you

176

+ to use a different fs. The 1:1 mapping of files also allows encrypted files to be reasonably efficiently rsync'ed for example without having to open the encrypted con‐

177

+ tainer. Creation is done through the encfs(1) tool.

178

+

179

+ dm-crypt provides whole-filesystem/entire-partition encryption. You can also create a container file, but the idea is that it is represented as a block device on which

180

+ you still have to create a filesystem. In fact, this way you can select a filesystem of your choice. The downside is that shrinking is often not possible (there is no

181

+ such issue in encfs because it uses the lower fs). Suitable dm-crypt containers (and auxiliary files), using block devices or plain files, can be created using the

182

+ pmt-ehd(8) tool.

183

184

- The first one uses the FUSE layer; files within the encfs container are

185

- stored as single encrypted files on the host in a previously-existing

186

- directory. If you store lots of files, it is recommended to have a

187

- lower filesystem that is strong in this area, such as xfs, but some

188

- software and/or your partitioning decisions may force you to use a dif-

189

- ferent fs. The 1:1 mapping of files also allows encrypted files to be

190

- reasonably efficiently rsync'ed for example without having to open the

191

- encrypted container. Creation is done through the encfs(1) tool.

192

-

193

- dm-crypt provides whole-filesystem/entire-partition encryption. You can

194

- also create a container file, but the idea is that it is represented as

195

- a block device on which you still have to create a filesystem. In fact,

196

- this way you can select a filesystem of your choice. The downside is

197

- that shrinking is often not possible (there is no such issue in encfs

198

- because it uses the lower fs). Suitable dm-crypt containers (and auxil-

199

- iary files), using block devices or plain files, can be created using

200

- the pmt-ehd(8) tool.

201

-

202

- pmt-ehd creates filesystem key material which is a bunch of random

203

- bytes that will be used to en-/decrypt the volume. This material itself

204

- is encrypted with your own password - this is done so that you can

205

- change the password without having to reencrypt all of your data.

206

-

207

- LUKS is an extension for dm-crypt to support multi-password containers.

208

- Unless you specifically need it, the above two solutions are recom-

209

- mended.

210

-

211

- NOTE: The key file that pmt-ehd(8) will create represents the filesys-

212

- tem key material as encrypted with your password. It is thus safe to

213

- store this on an unsecured filesystem.

214

+ pmt-ehd creates filesystem key material which is a bunch of random bytes that will be used to en-/decrypt the volume. This material itself is encrypted with your own

215

+ password - this is done so that you can change the password without having to reencrypt all of your data.

216

+

217

+ LUKS is an extension for dm-crypt to support multi-password containers. Unless you specifically need it, the above two solutions are recommended.

218

+

219

+ NOTE: The key file that pmt-ehd(8) will create represents the filesystem key material as encrypted with your password. It is thus safe to store this on an unsecured

220

+ filesystem.

221

222

Troubleshooting

223

- To ensure that your system and, possibly, the remote server are all

224

- properly configured, you should try to mount all or some of the volumes

225

- by hand, using the same commands and mount points provided in

226

- pam_mount.conf.xml. This will save you a lot of grief, since it is more

227

- difficult to debug the mounting process via pam_mount.

228

-

229

- If you can mount the volumes by hand but it is not happening via

230

- pam_mount, you may want to enable the "debug" option in

231

- pam_mount.conf.xml to see what is happening.

232

-

233

- Verify if the user owns the mount point and has sufficient permissions

234

- over that. pam_mount will verify this and will refuse to mount the

235

- remote volume if the user does not own that directory.

236

-

237

- If pam_mount is having trouble unmounting volumes upon logging out,

238

- enable the debug variable. This causes pam_mount to run ofl on logout

239

- and write its output to the system's log.

240

+ To ensure that your system and, possibly, the remote server are all properly configured, you should try to mount all or some of the volumes by hand, using the same com‐

241

+ mands and mount points provided in pam_mount.conf.xml. This will save you a lot of grief, since it is more difficult to debug the mounting process via pam_mount.

242

+

243

+ If you can mount the volumes by hand but it is not happening via pam_mount, you may want to enable the "debug" option in pam_mount.conf.xml to see what is happening.

244

+

245

+ Verify if the user owns the mount point and has sufficient permissions over that. pam_mount will verify this and will refuse to mount the remote volume if the user does

246

+ not own that directory.

247

+

248

+ If pam_mount is having trouble unmounting volumes upon logging out, enable the debug variable. This causes pam_mount to run ofl on logout and write its output to the

249

+ system's log.

250

251

Authors

252

W. Michael Petullo

253

@@ -175,9 +121,8 @@ Authors

254

Jan Engelhardt (current maintainer)

255

256

Community Support

257

- The following two forms of communication are available. The maintainer

258

- has no preference, though you will reach more users who could answer by

259

- means of the mailing list.

260

+ The following two forms of communication are available. The maintainer has no preference, though you will reach more users who could answer by means of the mailing

261

+ list.

262

263

Mailing List:

264

http://sf.net/mail/?group_id=41452

265

@@ -187,4 +132,4 @@ Community Support

266

267

268

269

-pam_mount 1.33 2010-01-10 pam_mount(8)

270

+pam_mount 1.33 2010-01-10 pam_mount(8)