Eu tentei configurar o EncFS para ser montado no login do usuário, conforme descrito em este guia , excluindo o Password Utility , no entanto, funciona com pouco sucesso. O EncFS funciona corretamente (os testes de criptografia / descriptografia funcionam), mas quando tento configurar o PAM via pam_script , ele simplesmente não aciona o /etc/security/onauth ou semelhante. Aqui estão minhas configurações finais:
O #cat /etc/pam.d/password-auth :
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
# pam-script for EncFS mounting ......
auth optional pam_script.so expose=1 runas=root
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
# pam-script for EncFS mounting ......
session optional pam_script.so runas=root
session required pam_unix.so
O # cat /etc/security/onauth :
#!/bin/sh
#
# What: onauth, onsessionopen, onsessionclose
# When: 5-Aug-2013
# Who: Philip Jensen
# Why: To capture login credentials to transparently fusermount an encrypted
# home directory for a user.
#
# Setup vars
USER=$1
PASSWORD=$PAM_AUTHTOK
USER_FILE=/tmp/__u
PASSWORD_FILE=/tmp/__p
LOG_FILE=/var/log/pam_script.log
echo "ONAUTH RUNNING script: ${PAM_AUTHTOK} ${PAM_USER}"
/bin/echo "------------------------------" >> ${LOG_FILE}
date >> ${LOG_FILE}
/bin/echo "Run as 'whoami'" >> ${LOG_FILE}
#echo "Params passed to this script" >> ${LOG_FILE}
#echo "\...
-rwxr-xr-x. 1 root root 2200 28. Jul 16:00 onauth
lrwxrwxrwx. 1 root root 20 28. Jul 11:41 onsessionclose -> /etc/security/onauth
lrwxrwxrwx. 1 root root 20 28. Jul 11:41 onsessionopen -> /etc/security/onauth
= $0" >> ${LOG_FILE}
#echo "\ = $1" >> ${LOG_FILE}
#echo "\ = $2" >> ${LOG_FILE}
#echo "\ = $3" >> ${LOG_FILE}
#echo "\$PAM_AUTHTOK = ${PAM_AUTHTOK}" >> ${LOG_FILE}
#echo "" >> ${LOG_FILE}
capture_credentials() {
#
umask 277
/bin/echo "${USER}" | base64 > ${USER_FILE}
/bin/echo "${PASSWORD}" | base64 > ${PASSWORD_FILE}
exit 0
}
mount_encfs_home() {
USER='cat ${USER_FILE} | base64 -d'
PASSWORD='cat ${PASSWORD_FILE} | base64 -d'
#echo ${PASSWORD} | su - ${USER} -c "/usr/bin/encfs -v -S /home/.encfs/${USER} /home/${USER} -- -o nonempty" >> ${LOG_FILE} 2>&1
echo ${PASSWORD} | su - ${USER} -c "/usr/bin/encfs -v -S /home/.encfs/${USER} /home/${USER} -- -o nonempty" >> /dev/null 2>&1
rm ${USER_FILE} ${PASSWORD_FILE}
}
umount_encfs_home() {
echo "Unmounting encrypted home dir /home/.encfs/${USER} from /home/${USER}" >> ${LOG_FILE}
# need to do a lazy unmount to wait until the filesystem is clean.
#umount -l /home/${USER} >> ${LOG_FILE} 2>&1
umount -l /home/${USER} >> /dev/null 2>&1
}
case "$0" in
*onauth)
echo "Capturing credentials" >> ${LOG_FILE}
capture_credentials
;;
*onsessionopen)
echo "Trying to mount encfs home" >> ${LOG_FILE}
mount_encfs_home
;;
*onsessionclose)
echo "Trying to un-mount encfs home" >> ${LOG_FILE}
umount_encfs_home
;;
esac
echo "------------------------------" >> ${LOG_FILE}
exit 0
Com links simbólicos apropriados, como em # ll /etc/security/ :
Jul 29 07:07:26 host_name su: pam_unix(su-l:auth): authentication failure; logname=...
Jul 29 07:07:33 host_name su: pam_unix(su-l:session): session opened for user ...
Jul 29 07:07:57 host_name su: pam_unix(su-l:session): session closed for user ...
Não vejo nada nos registros, exceto as mensagens padrão em /var/log/secure :
# ll /usr/lib64/security/ | grep script
-rwxr-xr-x. 1 root root 15416 18. Jul 2014 pam_script.so
O pam_script parece estar instalado corretamente, como comprovado por:
# ll /etc/ | grep pam_script
-rwxr-xr-x. 1 root root 3837 18. Jul 2014 pam_script
lrwxrwxrwx. 1 root root 10 28. Jul 09:01 pam_script_acct -> pam_script
lrwxrwxrwx. 1 root root 10 28. Jul 09:01 pam_script_auth -> pam_script
lrwxrwxrwx. 1 root root 10 28. Jul 09:01 pam_script_passwd -> pam_script
lrwxrwxrwx. 1 root root 10 28. Jul 09:01 pam_script_ses_close -> pam_script
lrwxrwxrwx. 1 root root 10 28. Jul 09:01 pam_script_ses_open -> pam_script
e
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
# pam-script for EncFS mounting ......
auth optional pam_script.so expose=1 runas=root
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
# pam-script for EncFS mounting ......
session optional pam_script.so runas=root
session required pam_unix.so
O problema é semelhante a isso , pois parece que onauth não é acionado nunca.