Description: Upstream changes introduced in version 2.9-1
 This patch has been created by dpkg-source during the package build.
 Here's the last changelog entry, hopefully it gives details on why
 those changes were made:
 .
 libpam-mount (2.9-1) unstable; urgency=low
 .
   * New upstream release.
 .
 The person named in the Author field signed this changelog entry.
Author: Bastian Kleineidam <calvin@debian.org>

---
The information above should follow the Patch Tagging Guidelines, please
check out http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: <vendor|upstream|other>, <url of original patch>
Bug: <url in upstream bugtracker>
Bug-Debian: http://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>
Last-Update: <YYYY-MM-DD>

--- libpam-mount-2.9.orig/doc/pam_mount.txt
+++ libpam-mount-2.9/doc/pam_mount.txt
-pam_mount(8) pam_mount 2.9 pam_mount(8)
+pam_mount(8) pam_mount 2.9 pam_mount(8)
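Review bot: the `-`/`+` pair here differs only in whitespace, and the same holds for every hunk in this patch: doc/pam_mount.txt is a rendered copy of the manual page that was regenerated during the build (the header above says dpkg-source created the patch at build time), so this is build output leaking into the Debian source diff. Either have the clean target put the upstream doc/pam_mount.txt back, or exclude the file with `extend-diff-ignore` in debian/source/options, instead of shipping the re-wrapped copy as a source change.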
@@ -6,57 +6,44 @@ Name
pam_mount - A PAM module that can mount volumes for a user session
- This module is aimed at environments with central file servers that a
- user wishes to mount on login and unmount on logout, such as
- (semi-)diskless stations where many users can logon and where stati-
- cally mounting the entire /home from a server is a security risk, or
- listing all possible volumes in /etc/fstab is not feasible.
+ This module is aimed at environments with central file servers that a user wishes to mount on login and unmount on
+ logout, such as (semi-)diskless stations where many users can logon and where statically mounting the entire /home
+ from a server is a security risk, or listing all possible volumes in /etc/fstab is not feasible.
- · Users can define their own list of volumes without having to change
- (possibly non-writable) global config files.
+ · Users can define their own list of volumes without having to change (possibly non-writable) global config
- · Single sign-on feature - the user needs to type the password just
+ · Single sign-on feature - the user needs to type the password just once (at login)
· Transparent mount process
- · Volumes are unmounted on logout, freeing system resources and not
- leaving data exposed.
+ · Volumes are unmounted on logout, freeing system resources and not leaving data exposed.
- The module also supports mounting local filesystems of any kind the
- normal mount utility supports, with extra code to make sure certain
- volumes are set up properly because often they need more than just a
- mount call, such as encrypted volumes. This includes SMB/CIFS, FUSE,
- If you intend to use pam_mount to protect volumes on your computer
- using an encrypted filesystem system, please know that there are many
- other issues you need to consider in order to protect your data. For
- example, you probably want to disable or encrypt your swap partition
- (the cryptoswap can help you do this). Do not assume a system is secure
- without carefully considering potential threats.
+ The module also supports mounting local filesystems of any kind the normal mount utility supports, with extra code
+ to make sure certain volumes are set up properly because often they need more than just a mount call, such as
+ encrypted volumes. This includes SMB/CIFS, FUSE, dm-crypt and LUKS.
+ If you intend to use pam_mount to protect volumes on your computer using an encrypted filesystem system, please
+ know that there are many other issues you need to consider in order to protect your data. For example, you probably
+ want to disable or encrypt your swap partition (the cryptoswap can help you do this). Do not assume a system is
+ secure without carefully considering potential threats.
- The primary configuration file for the pam_mount module is
- pam_mount.conf.xml. On most platforms this file is read from
- /etc/security/pam_mount.conf.xml. On OpenBSD pam_mount reads its con-
- figuration file from /etc/pam_mount.conf.xml. See pam_mount.conf(5)
- documenting its use.
- Individual users may define additional volumes to mount if allowed by
- pam_mount.conf.xml (usually ~/.pam_mount.conf.xml). The volume keyword
- is the only valid keyword in these per-user configuration files. If the
- luserconf parameter is set in pam_mount.conf.xml, allowing user-defined
- volume, then users may mount and unmount any volume they own at any
- mount point they own. On some filesystem configurations this may be a
- security flaw so user-defined volumes are not allowed by the example
- pam_mount.conf.xml distributed with pam_mount.
+ The primary configuration file for the pam_mount module is pam_mount.conf.xml. On most platforms this file is read
+ from /etc/security/pam_mount.conf.xml. On OpenBSD pam_mount reads its configuration file from
+ /etc/pam_mount.conf.xml. See pam_mount.conf(5) documenting its use.
+ Individual users may define additional volumes to mount if allowed by pam_mount.conf.xml (usually
+ ~/.pam_mount.conf.xml). The volume keyword is the only valid keyword in these per-user configuration files. If the
+ luserconf parameter is set in pam_mount.conf.xml, allowing user-defined volume, then users may mount and unmount
+ any volume they own at any mount point they own. On some filesystem configurations this may be a security flaw so
+ user-defined volumes are not allowed by the example pam_mount.conf.xml distributed with pam_mount.
- In addition, you must include two entries in the system's applicable
- /etc/pam.d/service config files, as the following example shows:
+ In addition, you must include two entries in the system's applicable /etc/pam.d/service config files, as the fol‐
+ lowing example shows:
auth required pam_securetty.so
auth required pam_pwdb.so shadow nullok
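Review bot: the `+` lines in this hunk are wrapped at roughly 120 columns (`+ This module is aimed at environments with central file servers that a user wishes to mount on login and unmount on`) while the `-` lines they replace fit in 80, so the wrap width was taken from the build environment rather than fixed by the build; render the text with an explicit width (for man-db, `MANWIDTH=80`; for groff's man macros, `-rLL=80n`) so the file is reproducible and does not churn on every rebuild.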
@@ -69,17 +56,13 @@ PAM configuration
session optional pam_console.so
+++ session optional pam_mount.so
- When "sufficient" is used in the second column, you must make sure that
- pam_mount is added before this entry. Otherwise pam_mount will not get
- executed should a previous PAM module succeed. Also be aware of the
- "include" statements. These make PAM look into the specified file. If
- there is a "sufficient" statement, then the pam_mount entry must either
- be in the included file before the "sufficient" statement or before the
- "include" statement.
- If you use pam_ldap, pam_winbind, or any other authentication services
- that make use of PAM's sufficient keyword, model your configuration on
- the following order:
+ When "sufficient" is used in the second column, you must make sure that pam_mount is added before this entry. Oth‐
+ erwise pam_mount will not get executed should a previous PAM module succeed. Also be aware of the "include" state‐
+ ments. These make PAM look into the specified file. If there is a "sufficient" statement, then the pam_mount entry
+ must either be in the included file before the "sufficient" statement or before the "include" statement.
+ If you use pam_ldap, pam_winbind, or any other authentication services that make use of PAM's sufficient keyword,
+ model your configuration on the following order:
account sufficient pam_ldap.so
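Review bot: the new lines in this hunk break words with the Unicode hyphen U+2010 (`fol‐`/`lowing`, `Oth‐`/`erwise`, `state‐`/`ments`) whereas the lines they replace used ASCII `-` (`con-`/`figuration`, `stati-`/`cally` earlier in the patch), which means the regenerated file went through groff's utf8 output device. For a plain-text copy of the manual, render with the ascii device (`groff -Tascii`, or `man -Tascii` with man-db) so the file contains no characters outside ASCII and stays readable in a C locale.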
@@ -91,83 +74,62 @@ PAM configuration
- 1. pam_mount, as the first "auth" module, will prompt for a password
- and export it to the PAM system.
+ 1. pam_mount, as the first "auth" module, will prompt for a password and export it to the PAM system.
+ 2. pam_ldap will use the password from the PAM system to try and authenticate the user. If this succedes, the user
+ will be authenticated. If it fails, pam_unix will try to authenticate.
- 2. pam_ldap will use the password from the PAM system to try and
- authenticate the user. If this succedes, the user will be authenti-
- cated. If it fails, pam_unix will try to authenticate.
- 3. pam_unix will try to authenticate the user if pam_ldap failed. If
- pam_unix fails, then the authentication will be refused (due to the
+ 3. pam_unix will try to authenticate the user if pam_ldap failed. If pam_unix fails, then the authentication will
+ be refused (due to the "required").
- Alternatively, the following is possible (thanks to Andrew Morgan for
+ Alternatively, the following is possible (thanks to Andrew Morgan for the hint!):
auth [success=2 default=ignore] pam_unix2.so
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth optional pam_mount.so
- It may seem odd, but the first three lines will make it so that at
- least one of pam_unix2 or pam_ldap has to succeed. As you can see,
- pam_mount will be run after successful authentification with these sub-
+ It may seem odd, but the first three lines will make it so that at least one of pam_unix2 or pam_ldap has to suc‐
+ ceed. As you can see, pam_mount will be run after successful authentification with these subsystems.
- pam_mount supports a few types of crypto. The most common are encfs,
- dm-crypt and dm-crypt+LUKS.
+ pam_mount supports a few types of crypto. The most common are encfs, dm-crypt and dm-crypt+LUKS.
+ The first one uses the FUSE layer; files within the encfs container are stored as single encrypted files on the
+ host in a previously-existing directory. If you store lots of files, it is recommended to have a lower filesystem
+ that is strong in this area, such as xfs, but some software and/or your partitioning decisions may force you to use
+ a different fs. The 1:1 mapping of files also allows encrypted files to be reasonably efficiently rsync'ed for
+ example without having to open the encrypted container. Creation is done through the encfs(1) tool.
+ dm-crypt provides whole-filesystem/entire-partition encryption. You can also create a container file, but the idea
+ is that it is represented as a block device on which you still have to create a filesystem. In fact, this way you
+ can select a filesystem of your choice. The downside is that shrinking is often not possible (there is no such
+ issue in encfs because it uses the lower fs). Suitable dm-crypt containers (and auxiliary files), using block
+ devices or plain files, can be created using the pmt-ehd(8) tool.
+ pmt-ehd creates filesystem key material which is a bunch of random bytes that will be used to en-/decrypt the vol‐
+ ume. This material itself is encrypted with your own password - this is done so that you can change the password
+ without having to reencrypt all of your data.
+ LUKS is an extension for dm-crypt to support multi-password containers. Unless you specifically need it, the above
+ two solutions are recommended.
- The first one uses the FUSE layer; files within the encfs container are
- stored as single encrypted files on the host in a previously-existing
- directory. If you store lots of files, it is recommended to have a
- lower filesystem that is strong in this area, such as xfs, but some
- software and/or your partitioning decisions may force you to use a dif-
- ferent fs. The 1:1 mapping of files also allows encrypted files to be
- reasonably efficiently rsync'ed for example without having to open the
- encrypted container. Creation is done through the encfs(1) tool.
- dm-crypt provides whole-filesystem/entire-partition encryption. You can
- also create a container file, but the idea is that it is represented as
- a block device on which you still have to create a filesystem. In fact,
- this way you can select a filesystem of your choice. The downside is
- that shrinking is often not possible (there is no such issue in encfs
- because it uses the lower fs). Suitable dm-crypt containers (and auxil-
- iary files), using block devices or plain files, can be created using
- the pmt-ehd(8) tool.
- pmt-ehd creates filesystem key material which is a bunch of random
- bytes that will be used to en-/decrypt the volume. This material itself
- is encrypted with your own password - this is done so that you can
- change the password without having to reencrypt all of your data.
- LUKS is an extension for dm-crypt to support multi-password containers.
- Unless you specifically need it, the above two solutions are recom-
- NOTE: The key file that pmt-ehd(8) will create represents the filesys-
- tem key material as encrypted with your password. It is thus safe to
- store this on an unsecured filesystem.
+ NOTE: The key file that pmt-ehd(8) will create represents the filesystem key material as encrypted with your pass‐
+ word. It is thus safe to store this on an unsecured filesystem.
- To ensure that your system and, possibly, the remote server are all
- properly configured, you should try to mount all or some of the volumes
- by hand, using the same commands and mount points provided in
- pam_mount.conf.xml. This will save you a lot of grief, since it is more
- difficult to debug the mounting process via pam_mount.
- If you can mount the volumes by hand but it is not happening via
- pam_mount, you may want to enable the "debug" option in
- pam_mount.conf.xml to see what is happening.
- Verify if the user owns the mount point and has sufficient permissions
- over that. pam_mount will verify this and will refuse to mount the
- remote volume if the user does not own that directory.
- If pam_mount is having trouble unmounting volumes upon logging out,
- enable the debug variable. This causes pam_mount to run ofl on logout
- and write its output to the system's log.
+ To ensure that your system and, possibly, the remote server are all properly configured, you should try to mount
+ all or some of the volumes by hand, using the same commands and mount points provided in pam_mount.conf.xml. This
+ will save you a lot of grief, since it is more difficult to debug the mounting process via pam_mount.
+ If you can mount the volumes by hand but it is not happening via pam_mount, you may want to enable the "debug"
+ option in pam_mount.conf.xml to see what is happening.
+ Verify if the user owns the mount point and has sufficient permissions over that. pam_mount will verify this and
+ will refuse to mount the remote volume if the user does not own that directory.
+ If pam_mount is having trouble unmounting volumes upon logging out, enable the debug variable. This causes
+ pam_mount to run ofl on logout and write its output to the system's log.
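Review bot: the typos `succedes` (item 2 of the PAM ordering list) and `authentification` (the pam_unix2/pam_ldap example) are carried over unchanged by this re-wrap; because doc/pam_mount.txt is rendered output, correct them in the manual source it is generated from, otherwise the fix disappears on the next regeneration. Separately, the NOTE stating that the pmt-ehd(8) key file "is thus safe to store on an unsecured filesystem" should be qualified: the key material is protected only by the user's password, so anyone who obtains the file can run an offline guessing attack against that password, and the sentence should say the file is safe only to the extent the password is strong.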
@@ -175,9 +137,8 @@ Authors
Jan Engelhardt (current maintainer)
- The following two forms of communication are available. The maintainer
- has no preference, though you will reach more users who could answer by
- means of the mailing list.
+ The following two forms of communication are available. The maintainer has no preference, though you will reach
+ more users who could answer by means of the mailing list.
http://sf.net/mail/?group_id=41452
@@ -187,4 +148,4 @@ Community Support
-pam_mount 2.9 2011-04-06 pam_mount(8)
+pam_mount 2.9 2011-04-06 pam_mount(8)