How to use pam_mount with SSH/NX 3.x
Using pam_mount in conjunction with NX can be tricky, as OpenSSH versions before 4.9 had problems that did not allow SSH to run through the entire PAM stack.
More information can be found here:
https://bugzilla.mindrot.org/show_bug.cgi?id=688
We have tested a configuration with pam_mount and managed to get it to work, although we reiterate that this way is not officially supported:
1. Configure sshd to use PAM ("UsePAM" option in sshd_config).
2. Disable privilege separation ("UsePrivilegeSeparation no" in sshd_config), as privilege separation is incompatible with this setup in OpenSSH versions before 4.9.
3. Integrate pam_mount.so into your existing PAM configuration stack as one of the following examples shows (the lines marked +++ are the ones to add):
auth required pam_securetty.so
auth required pam_pwdb.so shadow nullok
auth required pam_nologin.so
+++ auth optional pam_mount.so
account required pam_pwdb.so
password required pam_cracklib.so
password required pam_pwdb.so shadow nullok use_authtok
session required pam_pwdb.so
session optional pam_console.so
+++ session optional pam_mount.so
If you use pam_ldap, pam_winbind, or any other authentication services that make use of PAM's sufficient keyword, model your configuration on the following order:
account sufficient pam_ldap.so
auth required pam_mount.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_unix.so use_first_pass
session optional pam_mount.so
Alternatively, you can use the following configuration:
auth [success=2 default=ignore] pam_unix2.so
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth optional pam_mount.so
The first three lines mean that at least one of pam_unix2 or pam_ldap has to succeed. As you can see, pam_mount is run only after successful authentication with these subsystems.
Options are listed in the 4th column of a PAM file, e.g.:
auth optional pam_mount.so debug
enable_pam_password (default) / disable_pam_password
    Enable or disable asking the PAM system for a previously-entered password.
enable_interactive (default) / disable_interactive
    Enable or disable asking for a password interactively. pam_mount will first try to get the password from PAM, if enabled, otherwise interactively, if enabled.
enable_propagate_password (default) / disable_propagate_password
    Enable/disable propagation of the interactively-input password to PAM modules following in the stack.
So far, in a tested environment with the latest NX version (3.3.0 at the time of writing this article), the defaults can remain as they are to get NX to work with pam_mount.
To begin with, it is helpful to enable debugging in both pam_mount.conf.xml and your PAM file.
4. Configure pam_mount.conf.xml.
5. Restart your sshd, and restart NX Server using nxserver --restart so that the configuration changes take effect.
Precautions:
1. Like most PAM modules, pam_mount prompts the user for a password. When used with another auth type module, such as pam_unix2, this may result in both modules prompting for a password. In order to get a more desirable behavior, instruct the second module to use the first password entered by using the use_first_pass option in your PAM configuration.
2. Since processes may still be running when pam_mount tries to unmount a volume (in which case the unmount fails), it is always a good idea to configure the <logout> directive in your pam_mount XML configuration file, pam_mount.conf.xml.
3. If you run an SELinux-enabled system please make sure to configure pam_selinux.so to reverse its contexts around pam_mount.so like this:
session required /lib/security/pam_selinux.so close
session required /lib/security/pam_mount.so
session required /lib/security/pam_selinux.so open multiple
Please note that paths might differ depending on your system configuration. We also reiterate that pam_mount is not officially supported by NoMachine, and we cannot guarantee that the above workaround will be successful for all users.
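As an added example (not part of this article or of NoMachine's or pam_mount's own documentation), a minimal pam_mount.conf.xml for step 4 that enables the debugging suggested above and sets the <logout> directive from precaution 2; the server name, share path and mount point are placeholders to be replaced with your own values.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
  <!-- Debugging on while validating the SSH/NX setup; set back to 0 afterwards,
       otherwise mount details are written to the system log on every login. -->
  <debug enable="1" />

  <!-- Example volume (placeholder values): a per-user CIFS share mounted below the
       user's home directory. %(USER) is expanded by pam_mount to the login name. -->
  <volume user="*" fstype="cifs" server="fileserver.example.com"
          path="home/%(USER)" mountpoint="~/share" options="sec=ntlmv2,nosuid,nodev" />

  <!-- Precaution 2: at logout wait 2 seconds (wait is in microseconds per
       pam_mount.conf(5)), then send SIGTERM and finally SIGKILL to processes still
       holding the mount, so the unmount does not fail because of lingering processes. -->
  <logout wait="2000000" hup="no" term="yes" kill="yes" />

  <!-- Restrict mount options users may request and require nosuid/nodev on every
       volume, so a user-controlled share cannot introduce setuid binaries or devices. -->
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
  <mntoptions require="nosuid,nodev" />

  <!-- Search path for mount helpers; create missing mountpoints and remove them again. -->
  <path>/sbin:/bin:/usr/sbin:/usr/bin</path>
  <mkmountpoint enable="1" remove="true" />
</pam_mount>
```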
