/etc/security/pam_mount-stateless-debian-edu.conf is in debian-edu-config 1.702.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 | # Turn on if you want to debug why some volume cannot be mounted etc.
# This can be overriden by user's local configuration
#
# Format: debug [ 1 | 0 ]
# Local user configuration can override this.
debug 1
mkmountpoint 1
# Loopback device to use to run fsck on loopback filesystems.
fsckloop /dev/loop7
# Users' local configuration file (if there is none, comment out this
# parameter). Will be read as ~/<file>
#
# Note: you must include either options_allow or options_deny to use
# this directive. I recommend also including options_require.
#
# Individual users may define additional volumes to mount if allowed
# by pam_mount.conf (usually ~/.pam_mount.conf). The volume keyword is
# the only valid keyword in these per-user configuration files. If the
# luserconf parameter is set in pam_mount.conf, allowing user-defined
# volume, then users may mount and unmount any volumes they specify.
# The mount operation is executed under the user account, not with
# root permissions.
# IMPORTANT: right now only smb and ncp mounts work in ~/.pam_mount.conf
# since they do not require root privileges! All other mount types
# have to be in the global configuration file.
# Please only file bugs about this if you can exactly show and prevent
# the security implications of user-specified mount commands.
#
# Format: luserconf <file>
# luserconf .pam_mount.conf
# These directives determine which options may be specified in a user config
# file (luserconf). You must include one of these directives if you have a
# luserconf directive. You may not include both directives.
#
# If you have an options_allow directive, then the options listed in that
# directive wil be allowed, and all others rejected. If you have an
# options_deny directive, then the options listed will be denied, and all others
# permitted.
#
# You may use the wildcard '*' to match all options.
#
options_allow nosuid,nodev,loop,encryption
# options_deny suid,dev
# options_allow *
# options_deny *
#
# I recommend not permitting the suid and dev options.
# The options listed in this directive are required for all volumes from a
# user config file. That is, any volume specified in a user config file that
# does not include these options will be ignored.
#
# Note: you must make sure that a required option is permitted (either by
# including it in options_allow, or by not including it in options_deny).
#
# I recommend requiring at least nosuid and nodev.
#
# This is ignored completely if the volume is configured to get its options
# and mount point from /etc/fstab.
#
options_require nosuid,nodev
# Commands to mount/unmount volumes. They can take parameters, as shown.
#
# If you change the -p0 argument for lclmount, you'll need to modify the
# source in mount.c (it sends the password to the stdin file descriptor
# of the child process -- look for STDIN_FILENO).
lsof /usr/sbin/lsof %(MNTPT)
fsck /sbin/fsck -p %(FSCKTARGET)
losetup /sbin/losetup -p0 "%(before=\"-e\" CIPHER)" "%(before=\"-k\" KEYBITS)" %(FSCKLOOP) %(VOLUME)
unlosetup /sbin/losetup -d %(FSCKLOOP)
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
#smbmount /usr/bin/smbmount //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
smbmount /bin/mount -nt smb //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
ncpmount /usr/bin/ncpmount %(SERVER)/%(USER) %(MNTPT) -o "pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)"
smbumount /usr/bin/smbumount %(MNTPT)
ncpumount /usr/bin/ncpumount %(MNTPT)
# Linux supports lazy unmounting (-l). May be dangerous for encrypted volumes.
# May also break loopback mounts because loopback devices are not freed.
# Need to unmount mount point not volume to support SMB mounts, etc.
umount /bin/umount -l %(MNTPT)
# On OpenBSD try "/usr/local/bin/mount_ehd" (included in pam_mount package).
lclmount /bin/mount -p0 %(VOLUME) %(MNTPT) "%(before=\"-o\" OPTIONS)"
cryptmount /bin/mount -t crypt "%(before=\"-o\" OPTIONS)" %(VOLUME) %(MNTPT)
nfsmount /bin/mount -n %(SERVER):%(VOLUME) %(MNTPT) "%(before=\"-o\" OPTIONS)"
# --bind may be a Linuxism. FIXME: find BSD equivalent.
mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)
#mntcheck /bin/mount # For BSD's (don't have /etc/mtab)
pmvarrun /usr/sbin/pmvarrun -u %(USER) -d -o %(OPERATION)
# Volumes that will be mounted when user triggers pam_mount module
# (usually at login).
#
# Format:
# volume <user> [smb|ncp|nfs|local] <server> <volume> <mount point> <mount options> <fs key cipher> <fs key path>
#
# Note that if the mount command has specified an option, eg %(KEYBITS)
# and you don't specify a value, a warning is printed in the log. The
# warning can usually be ignored, except when the option is mandatory.
#
# General examples:
#
# smb mounts require the "smbfs" Debian package
# smb mounts work also in user-specified config file ~/.pam_mount.conf
# volume user smb krueger public /home/user/krueger - - -
#
# ncp mounts require the "ncpfs" Debian package
# ncp mounts work also in user-specified config file ~/.pam_mount.conf
# volume user ncp krueger public /home/user/krueger user=user.context - -
#
# Linux encrypted home directory examples, using dm_crypt:
#
# crypt mounts require a kernel with CONFIG_BLK_DEV_DM and CONFIG_DM_CRYPT
# enabled as well as all the used ciphers (eg. CONFIG_CRYPTO_AES_586,
# CONFIG_CRYPTO_TWOFISH, etc.)
# crypt mounts require the "cryptsetup" Debian package.
# crypt mounts must be in the global config file /etc/security/pam_mount.conf
# volume user crypt - /dev/sda2 /home/user cipher=aes aes-256-ecb /home/user.key
#
# Linux encrypted home directory examples, using cryptoloop:
#
# cryptoloop mounts require a kernel with CONFIG_BLK_DEV_CRYPTOLOOP enabled
# cryptoloop mounts must be in the global config file
# /etc/security/pam_mount.conf
# volume user local - /dev/hda123 /home/user loop,encryption=aes - -
# volume user local - /home/user.img /home/user loop,user,exec,encryption=aes,keybits=256 - -
# volume user local - /home/user.img - - - -
# volume user local - /home/user.img - - aes-256-ecb /home/user4.key
#
# The last two examples need a line like the following in
# /etc/fstab:
#
# /home/user4.img /home/user4 xfs user,loop,encryption=aes,keybits=256,noauto 0 0
#
# OpenBSD encrypted home directory example (see also lclmount above):
# volume user local - /home/user.img /home/user svnd0 - -
#
# Volatile tmpfs mount with restricted size
# (thanks to Mike Hommey for this example)
#
# volume test local - /tmpfs/test /home/test "size=10M,uid=test,gid=users,mode=0700 -t tmpfs" - -
#
# Details:
# Local user configuration (~/.pam_mount.conf) can extend this.
#
# If there are no servers, mount options, fs key ciphers, etc. you must
# supply a "-"
#
# See http://www.tldp.org/HOWTO/Loopback-Encrypted-Filesystem-HOWTO.html
# to learn how to create a encrypted loopback filesystem.
#
# If the volume's password is different than the user's login password,
# the following technique may be used (see also README):
#
# 1. Create a file containing the volume's password (FS key). If you are
# using pam_mount to mount an loopback encrypted volume, this password
# should may generated by /dev/urandom.
#
# Simple example:
# echo <volume password> | openssl enc -aes-256-ecb > /home/user.key
# Encrypt this file using the user's login password as the key.
#
# Verbose loopback encrypted volume example:
# a. dd if=/dev/urandom of=/home/user.img bs=1M count=<image size in MB>
# b. dd if=/dev/urandom bs=1c count=<keysize / 8> | openssl enc \
# -<fs key cipher> > /home/user.key
# Encrypt this file using the user's login password as the key.
# c. openssl enc -d -<fs key cipher> -in /home/user.key | losetup -e aes \
# -k <keysize> -p0 /dev/loop0 /home/user.img
# d. mkfs -t ext2 /dev/loop0
# e. umount /dev/loop0
# f. losetup -d /dev/loop0
#
# 3. In pam_mount.conf:
# a. Set the fs key cipher variable to the cipher used (ie: aes-256-ecb).
# b. Set the fs key path variable to the key's path (ie: /home/user.key)
# 4. If a user changes his login password, regenerate the efsk that
# was created in step 1b. A script named passwdehd is provided to do this.
#
# If fs_key_cipher is -, then the user's login password is also the volume's
# password.
# Template (or wildcard) volumes
#
# If user is "*", "&" will be replaced by name of the user logging on in the
# volume, mount point, mount options and fs key path fields. "~/*" will be
# replaced with "<user's homedir>/*."
#
# volume * smb krueger & /home/& uid=&,gid=&,dmask=0750 - -
# volume * smb krueger homes /home/&/remote - - -
# volume * local - /home/&.img - - aes-256-ecb /etc/ehd/&
# Windows 2000, which requires a domain specified, example (thanks John Knox):
# volume * smb viper & /home/& uid=&,gid=&,dmask=0750,workgroup=WINDOWS_DOMAIN - -
# An NCP example:
# volume user ncp SERVER /USERS/Department/user /home/user user=user.full.context,uid=user,gid=user,symlinks - -
volume * nfs tjener /skole/tjener/home0 /skole/tjener/home0 nolock - -
# volume * smb tjener shared /skole/tjener/shared - - -
|