次の説明に従って、ユーザーがログインしたときにマウントするようにEncFSを設定してみました。これガイドには含まれていませんパスワードユーティリティ部分的には効果がほとんどありません。 EncFSはうまく機能しますが(暗号化/復号化テストは機能します)、pam_scriptこれでPAMを設定しようとすると実行されません/etc/security/onauth。これが私の最終構成です。
これ#cat /etc/pam.d/password-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
# pam-script for EncFS mounting ......
auth optional pam_script.so expose=1 runas=root
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
# pam-script for EncFS mounting ......
session optional pam_script.so runas=root
session required pam_unix.so
これ# cat /etc/security/onauth:
#!/bin/sh
#
# What: onauth, onsessionopen, onsessionclose
# When: 5-Aug-2013
# Who: Philip Jensen
# Why: To capture login credentials to transparently fusermount an encrypted
# home directory for a user.
#
# Setup vars
USER=$1
PASSWORD=$PAM_AUTHTOK
USER_FILE=/tmp/__u
PASSWORD_FILE=/tmp/__p
LOG_FILE=/var/log/pam_script.log
echo "ONAUTH RUNNING script: ${PAM_AUTHTOK} ${PAM_USER}"
/bin/echo "------------------------------" >> ${LOG_FILE}
date >> ${LOG_FILE}
/bin/echo "Run as `whoami`" >> ${LOG_FILE}
#echo "Params passed to this script" >> ${LOG_FILE}
#echo "\$0 = $0" >> ${LOG_FILE}
#echo "\$1 = $1" >> ${LOG_FILE}
#echo "\$2 = $2" >> ${LOG_FILE}
#echo "\$3 = $3" >> ${LOG_FILE}
#echo "\$PAM_AUTHTOK = ${PAM_AUTHTOK}" >> ${LOG_FILE}
#echo "" >> ${LOG_FILE}
capture_credentials() {
#
umask 277
/bin/echo "${USER}" | base64 > ${USER_FILE}
/bin/echo "${PASSWORD}" | base64 > ${PASSWORD_FILE}
exit 0
}
mount_encfs_home() {
USER=`cat ${USER_FILE} | base64 -d`
PASSWORD=`cat ${PASSWORD_FILE} | base64 -d`
#echo ${PASSWORD} | su - ${USER} -c "/usr/bin/encfs -v -S /home/.encfs/${USER} /home/${USER} -- -o nonempty" >> ${LOG_FILE} 2>&1
echo ${PASSWORD} | su - ${USER} -c "/usr/bin/encfs -v -S /home/.encfs/${USER} /home/${USER} -- -o nonempty" >> /dev/null 2>&1
rm ${USER_FILE} ${PASSWORD_FILE}
}
umount_encfs_home() {
echo "Unmounting encrypted home dir /home/.encfs/${USER} from /home/${USER}" >> ${LOG_FILE}
# need to do a lazy unmount to wait until the filesystem is clean.
#umount -l /home/${USER} >> ${LOG_FILE} 2>&1
umount -l /home/${USER} >> /dev/null 2>&1
}
case "$0" in
*onauth)
echo "Capturing credentials" >> ${LOG_FILE}
capture_credentials
;;
*onsessionopen)
echo "Trying to mount encfs home" >> ${LOG_FILE}
mount_encfs_home
;;
*onsessionclose)
echo "Trying to un-mount encfs home" >> ${LOG_FILE}
umount_encfs_home
;;
esac
echo "------------------------------" >> ${LOG_FILE}
exit 0
次のように正しいシンボリックリンクを使用してください# ll /etc/security/。
...
-rwxr-xr-x. 1 root root 2200 28. Jul 16:00 onauth
lrwxrwxrwx. 1 root root 20 28. Jul 11:41 onsessionclose -> /etc/security/onauth
lrwxrwxrwx. 1 root root 20 28. Jul 11:41 onsessionopen -> /etc/security/onauth
デフォルトのメッセージを除いて、ログには何も表示されません/var/log/secure。
Jul 29 07:07:26 host_name su: pam_unix(su-l:auth): authentication failure; logname=...
Jul 29 07:07:33 host_name su: pam_unix(su-l:session): session opened for user ...
Jul 29 07:07:57 host_name su: pam_unix(su-l:session): session closed for user ...
pam_scriptは以下のように正しくインストールされているようです。
# ll /usr/lib64/security/ | grep script
-rwxr-xr-x. 1 root root 15416 18. Jul 2014 pam_script.so
そして
# ll /etc/ | grep pam_script
-rwxr-xr-x. 1 root root 3837 18. Jul 2014 pam_script
lrwxrwxrwx. 1 root root 10 28. Jul 09:01 pam_script_acct -> pam_script
lrwxrwxrwx. 1 root root 10 28. Jul 09:01 pam_script_auth -> pam_script
lrwxrwxrwx. 1 root root 10 28. Jul 09:01 pam_script_passwd -> pam_script
lrwxrwxrwx. 1 root root 10 28. Jul 09:01 pam_script_ses_close -> pam_script
lrwxrwxrwx. 1 root root 10 28. Jul 09:01 pam_script_ses_open -> pam_script
質問は次のとおりです。これonauth決して触発されないようだからです。