Bug 347144

Summary: include pam_mount in an up-to-date version and provide a YaST interface for it
Product: [openSUSE] openSUSE 11.0
Reporter: Forgotten User Drfk9mafMw <forgotten_Drfk9mafMw>
Component: YaST2
Assignee: Jiří Suchomel <jsuchome>
Status: RESOLVED FEATURE
QA Contact: Jiri Srain <jsrain>
Severity: Enhancement
Priority: P5 - None
CC: mc
Version: Alpha 2
Target Milestone: ---
Hardware: i686
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Forgotten User Drfk9mafMw 2007-12-08 10:01:23 UTC
Hello,

I have recently configured pam_mount for our Linux clients ($HOME with NFS, all other shares with SAMBA) and wonder why this great tool is still treated so much as a stepchild and so tricky to handle.

It would be an enormous enhancement if this could be more easily configured through YAST: it only requires /etc/pam.d/login and /etc/pam.d/xdm to be slightly altered and /etc/security/pam_mount.conf.xml to be filled with the appropriate volumes. For both tasks, a simple YAST module could be made available, also in order to remove that configuration properly again if so needed.

I can only see advantages of pam_mount over autofs when SAMBA shares come into play so it would be great to have it treated as equal at least.
Comment 1 Forgotten User Drfk9mafMw 2007-12-10 10:11:58 UTC
I have played a little longer with pam_mount and received considerable help from the current maintainer, jengelh!

As far as I can tell, it is only necessary to change /etc/pam.d/common-auth and common-session according to /usr/share/doc/packages/pam_mount.txt:

common-auth:

auth    required        pam_env.so
##auth  sufficient      pam_unix2.so
##auth  required        pam_ldap.so     use_first_pass
auth [success=2 default=ignore] pam_unix2.so
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth optional pam_mount.so use_first_pass

common-session:

session required        pam_limits.so
session required        pam_unix2.so
session optional        pam_ldap.so
session optional        pam_umask.so
session optional        pam_mount.so

In addition to that, the provided /etc/ssh/sshd_config must be slightly changed: in addition to the default 'UsePAM yes' the options 'ChallengeResponseAuthentication no' and 'PasswordAuthentication yes' are necessary to have sshd walk through the PAM-stack.

Since PAM is such a powerful and convenient tool, a user-friendly and error-safe interface for it would greatly enhance the usability of the openSUSE distribution! Not only in home-use scenarios but even more so in enterprise environments!

Also, the issue seems to be on the wishlist for the upcoming version, anyway. 11 is a major upgrade, so why not deliver a major improvement? :)

http://en.opensuse.org/Feature_Wishlist/YAST_related#YaST_configuration_of_pam_mount
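
A simplified model of how libpam walks the common-auth stack quoted in the comment above, added here as an example (it is not part of the bug report or of pam_mount). It traces which modules run for a given set of outcomes, showing that pam_mount.so is reached only after pam_unix2.so or pam_ldap.so has accepted the password. The function names and the reduced set of control actions are assumptions of this sketch.

```python
import re
# common-auth as quoted in comment 1; the parser skips the ## lines.
COMMON_AUTH = """\
auth    required        pam_env.so
##auth  sufficient      pam_unix2.so
##auth  required        pam_ldap.so     use_first_pass
auth [success=2 default=ignore] pam_unix2.so
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth optional pam_mount.so use_first_pass
"""
# Keyword controls as success/default actions (simplified from pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
LINE = re.compile(r"^\s*auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_stack(text):
    """Return [(module, actions)] for every active auth line."""
    stack = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            control, module = m.groups()
            actions = (dict(kv.split("=") for kv in control[1:-1].split())
                       if control.startswith("[") else KEYWORDS[control])
            stack.append((module, actions))
    return stack

def simulate(stack, succeeds):
    """Simplified libpam dispatch; `succeeds` = modules assumed to return success."""
    ran, positive, failed, i = [], False, False, 0
    while i < len(stack):
        module, actions = stack[i]
        ran.append(module)
        action = actions.get("success" if module in succeeds else "default", "ignore")
        i += 1
        if action.isdigit():
            i += int(action)          # jump over the next N modules
        elif action in ("ok", "done"):
            positive = True
        elif action in ("bad", "die"):
            failed = True
        if action == "die" or (action == "done" and not failed):
            break                     # requisite failure / sufficient success ends the stack
    return positive and not failed, ran
```

With the two commented-out lines in place of the jump and pam_deny.so lines, the same model stops at pam_unix2.so on success and never reaches pam_mount.so.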
Comment 4 Forgotten User Drfk9mafMw 2007-12-14 11:14:43 UTC
As it seems, there is more to it than what I have stated above: obviously sshd_config needs even more tweaking since we are no longer able to log in to an NX session... Regular ssh logins work fine, though.

Even more so: a proper configuration interface would very much help the user to tame pam_mount and cope with these issues!
Comment 6 Jiri Srain 2008-01-21 11:27:05 UTC
Dirk, we are evaluating pam_config, as well as pam_cifs, for including better configuration in our future products. However, we are still in the evaluation phase and I don't know when we will be able to deliver it.

You yourself state the need to tweak the SSHD configuration; there may be other issues, and all changes must be checked security-wise. That's why we cannot commit to the time of delivery of the YaST configuration.
Comment 7 Stephan Kulow 2008-06-25 09:10:54 UTC
mass reopening of later+remind bugs of 11.0
Comment 8 Jiří Suchomel 2008-06-25 09:39:39 UTC
This is now feature 304970