The pam_mount.so module is part of the Pluggable Authentication Modules (PAM) system in Linux. It lets administrators mount (and unmount) filesystems automatically when a user logs in (and logs out). It can mount network shares (such as CIFS/Samba or NFS) and encrypted filesystems using the user's own credentials.
- Automatic Mounting/Unmounting of Volumes: It automates mounting user-specific or system-wide filesystems when a user logs in (at the console, via SSH, or through a graphical login) and unmounting them when the user logs out.
- Network Share Access: pam_mount.so is commonly used to mount network shares such as CIFS/Samba or NFS, which makes it well suited to environments where user home directories or workspaces live on networked storage servers.
- Encrypted Filesystems: It can also handle encrypted volumes, which need to be mounted at login and unmounted at logout.
The pam_mount.so module is configured via PAM's stack configuration files, typically /etc/pam.d/common-auth, /etc/pam.d/common-session, or specific service files like /etc/pam.d/ssh. The actual filesystems to be mounted and associated settings are defined in /etc/security/pam_mount.conf.xml.
To use pam_mount.so, you need to edit PAM service configuration files. Typically, you’ll find these in /etc/pam.d/ and add lines to reference pam_mount.so.
Here's how it works in two key stages.

First, authentication. This happens when the user authenticates, for example when logging in or opening a session:

auth optional pam_mount.so

This line ensures that when a user logs in, pam_mount.so mounts the filesystems defined in pam_mount.conf.xml.

Second, the session. After a successful login (at session startup), the user's filesystems are mounted, and when the session ends they are unmounted:

session optional pam_mount.so

This line ensures that filesystems are mounted when the session begins and unmounted when it ends (for example at logout or when the session is closed).
These entries can be placed in different PAM configuration files, such as /etc/pam.d/common-auth, /etc/pam.d/common-session, or service-specific files like /etc/pam.d/ssh. A typical authentication section looks like this:

auth required pam_unix.so
auth optional pam_mount.so

This configuration uses pam_unix.so for user authentication and pam_mount.so as an optional step that mounts filesystems after authentication. Because the entry is marked optional, a failed mount does not block the login itself. The session section follows the same pattern:

session required pam_unix.so
session optional pam_mount.so

These lines ensure that filesystems are mounted and unmounted as part of the user's session handling.
The actual filesystems that pam_mount.so will mount are configured in the pam_mount.conf.xml file. Here is an example of how a network share is defined there:

<pam_mount>
  <!-- Volume for CIFS share -->
  <volume user="*" fstype="cifs" server="fileserver" path="home" mountpoint="/home/%(USER)/share" />
  <!-- Enable debug mode -->
  <debug enable="1" />
</pam_mount>

- CIFS Share: The example mounts a CIFS network share from a file server at login for all users (user="*").
- Dynamic Mountpoints: The mountpoint uses the %(USER) variable, which expands to the username of the logged-in user, so each user gets their own mount of the share.
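The PAM stack entries and the pam_mount.conf.xml volumes above are the two halves of one configuration, and it is easy to get one half right and forget the other. The following script is an added example (not code from the page or from the pam_mount project) that audits both: it reports whether pam_mount.so is present in the auth and session stacks, expands %(USER) in each volume's mountpoint the way pam_mount does, and flags two things a reviewer would want to see, debug left enabled and a wildcard (user="*") volume whose mountpoint has no %(USER) in it, which would make every user mount onto the same path. The PAM lines and the XML are constructed samples modelled on the page's example; the check names and the severity of the findings are this example's own choices.

```python
"""Audit a pam_mount setup: the PAM stack lines and the volumes in pam_mount.conf.xml."""
import xml.etree.ElementTree as ET

# Constructed sample of a PAM service file in the shape shown above (not a real /etc/pam.d file).
SAMPLE_PAM_STACK = """\
auth    required  pam_unix.so
auth    optional  pam_mount.so
session required  pam_unix.so
session optional  pam_mount.so
"""

# Constructed pam_mount.conf.xml modelled on the example above, with one extra per-user NFS volume.
SAMPLE_CONF = """\
<pam_mount>
  <volume user="*" fstype="cifs" server="fileserver" path="home" mountpoint="/home/%(USER)/share" />
  <volume user="alice" fstype="nfs" server="nas" path="/export/alice" mountpoint="/home/alice/nas" />
  <debug enable="1" />
</pam_mount>
"""


def pam_mount_phases(stack_text):
    """Return the PAM phases (auth, session, ...) in which pam_mount.so is listed.

    Each PAM line is: type control module [args]. The control field may be a
    bracketed expression containing spaces, so the module is found by scanning
    for the token that ends in pam_mount.so rather than by position.
    """
    phases = set()
    for raw in stack_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        phase = tokens[0].lstrip("-")         # a leading '-' only silences missing-module errors
        if any(tok.endswith("pam_mount.so") for tok in tokens[1:]):
            phases.add(phase)
    return phases


def stack_findings(stack_text):
    """Report a missing pam_mount.so entry for either of the two stages described above."""
    phases = pam_mount_phases(stack_text)
    findings = []
    if "auth" not in phases:
        findings.append("pam_mount.so is not in the auth stack: login-time mounting will not happen")
    if "session" not in phases:
        findings.append("pam_mount.so is not in the session stack: volumes will not be unmounted at logout")
    return findings


def expand_mountpoint(template, user):
    """Expand the %(USER) variable the way pam_mount does for the logged-in user."""
    return template.replace("%(USER)", user)


def volumes_for_user(conf_xml, user):
    """Return the volumes that apply to `user`, with their mountpoints expanded."""
    root = ET.fromstring(conf_xml)
    selected = []
    for vol in root.findall("volume"):
        who = vol.get("user", "*")            # this audit treats a missing user attribute as "*"
        if who not in ("*", user):
            continue
        selected.append({
            "fstype": vol.get("fstype"),
            "server": vol.get("server"),
            "path": vol.get("path"),
            "mountpoint": expand_mountpoint(vol.get("mountpoint", ""), user),
        })
    return selected


def conf_findings(conf_xml):
    """Flag configuration choices worth reviewing before the file goes into production."""
    root = ET.fromstring(conf_xml)
    findings = []
    debug = root.find("debug")
    if debug is not None and debug.get("enable") == "1":
        findings.append("debug is enabled: verbose mount details go to syslog; turn it off outside troubleshooting")
    for vol in root.findall("volume"):
        mp = vol.get("mountpoint", "")
        if vol.get("user", "*") == "*" and "%(USER)" not in mp:
            findings.append(f"{mp}: wildcard volume without %(USER) in the mountpoint, so every user shares one mountpoint")
    return findings


if __name__ == "__main__":
    for f in stack_findings(SAMPLE_PAM_STACK) + conf_findings(SAMPLE_CONF):
        print("finding:", f)
    for v in volumes_for_user(SAMPLE_CONF, "bob"):
        print("bob would mount", v["server"], v["path"], "at", v["mountpoint"])
```

To run it against a real host, read the service file from /etc/pam.d/ and /etc/security/pam_mount.conf.xml into the two functions instead of the constructed samples; the phase scan also copes with bracketed control fields and full module paths such as /lib/security/pam_mount.so.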
- Automatically Mounting Network Shares: In multi-user environments (e.g., offices, schools), it is often necessary to mount users' home directories or shared drives from a network server when they log in.
- Encrypted Filesystems: For users with encrypted home directories, pam_mount.so can unlock and mount them automatically at login and ensure they are securely unmounted at logout.
- Samba or NFS Integration: In environments where user directories are hosted on Samba or NFS servers, pam_mount.so mounts those directories when users log in, giving seamless integration.
- User Authentication: Since pam_mount.so handles user credentials (especially when mounting network shares like CIFS), make sure proper encryption (e.g., SSL/TLS) is in place for network authentication so that credentials cannot be intercepted.
- Unmounting on Logout: Properly unmounting filesystems on logout is essential to avoid leaving sensitive files or encrypted volumes exposed; a volume that stays mounted after the session ends is a security risk.
- Permission Handling: Configure file and directory permissions properly when mounting filesystems so that other users cannot access them.
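The last two points are things an administrator can verify rather than assume. The following script is an added example (not code from the page or from the pam_mount project) with two checks: it reads /proc/mounts-style text and lists mounts under /home/<user>/ for users who no longer have a session, which is exactly the "left mounted after logout" case, and it inspects a mountpoint's owner and mode bits to flag directories that group or other could read. The /proc/mounts sample is constructed; the set of logged-in users is assumed to come from something like `who`, and the demo helper uses a throwaway temporary directory instead of a real mountpoint.

```python
"""Post-logout checks for pam_mount volumes: leftover mounts and mountpoint permissions."""
import os
import stat
import tempfile

# Constructed /proc/mounts-style sample (not captured from a real host): alice and bob both
# have the CIFS share from the example mounted under their home directories.
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
//fileserver/home /home/alice/share cifs rw,relatime,vers=3.0 0 0
//fileserver/home /home/bob/share cifs rw,relatime,vers=3.0 0 0
"""


def parse_mounts(text):
    """Parse /proc/mounts lines into (device, mountpoint, fstype) tuples."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            # /proc/mounts escapes a space in a path as \040
            mounts.append((fields[0], fields[1].replace("\\040", " "), fields[2]))
    return mounts


def leftover_mounts(proc_mounts_text, logged_in_users, home_root="/home"):
    """Return per-user mounts under home_root whose owner has no active login session.

    logged_in_users is the set of usernames with a live session (assumed to come from
    `who` or similar); anything mounted under /home/<user>/ for a user not in that set
    stayed behind after logout.
    """
    prefix = home_root.rstrip("/") + "/"
    left = []
    for dev, mp, fstype in parse_mounts(proc_mounts_text):
        if not mp.startswith(prefix):
            continue
        user = mp[len(prefix):].split("/", 1)[0]
        if user and user not in logged_in_users:
            left.append((dev, mp, fstype))
    return left


def mountpoint_permission_issues(path, owner_uid):
    """Flag a mountpoint not owned by the expected user or accessible to group/other."""
    st = os.stat(path)
    issues = []
    if st.st_uid != owner_uid:
        issues.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    return issues


def demo_permission_check():
    """Create a throwaway directory and check it at mode 0755 and then at 0700.

    Returns the number of issues found in each case (1 at 0755, 0 at 0700).
    """
    path = tempfile.mkdtemp()
    try:
        os.chmod(path, 0o755)
        open_issues = mountpoint_permission_issues(path, os.getuid())
        os.chmod(path, 0o700)
        locked_issues = mountpoint_permission_issues(path, os.getuid())
    finally:
        os.rmdir(path)
    return len(open_issues), len(locked_issues)


if __name__ == "__main__":
    for dev, mp, fstype in leftover_mounts(SAMPLE_PROC_MOUNTS, {"alice"}):
        print(f"still mounted after logout: {dev} on {mp} ({fstype})")
    print("permission issues at 0755 / 0700:", demo_permission_check())
```

On a live system, feed leftover_mounts the contents of /proc/mounts and the usernames reported by `who`, and run mountpoint_permission_issues on each expanded mountpoint from pam_mount.conf.xml with that user's uid; any finding from either check is something to fix in the session stack or in the mountpoint's permissions.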
pam_mount.so is a powerful tool for automating the mounting and unmounting of filesystems in Linux. It is particularly useful in environments with network shares or encrypted filesystems, allowing for seamless access to user-specific resources during login and ensuring they are securely unmounted during logout. Proper configuration of both PAM and pam_mount.conf.xml is essential for smooth operation and maintaining security in a multi-user environment.