
Can I configure pam_mount to only ask for the password on login and not when unlocking the screen or doing sudo?

I'm using pam_fingerprint-gui.so to log in. I now started using pam_mount to mount and unmount a volume on login/logout. I understand that it is insecure to have the volume mounted only via fingerprint.

Anyways, I think pam_mount doesn't unmount the volume when I lock the screen and doesn't really have any effect when I'm doing sudo. pam_mount makes pam_fingerprint-gui almost useless, despite the fact that I can just hit enter and ignore the missing password. (pam_mount is configured optional.)

bastian

1 Answer

Yes, you can configure PAM to skip pam_mount if you are already logged in. How to check this (with pam_succeed_if) depends a bit on your system setup. When using systemd, you might check it with:

```
session [success=1 default=ignore]  pam_succeed_if.so  service = systemd-user quiet
session    optional   pam_mount.so
```

See https://wiki.archlinux.org/index.php/pam_mount#Login_manager_configuration

stefan0xC
  • Thanks, it didn't work yet. I'm using Linux Mint which is supposed to use systemd. There is also a process `systemd --user` running. I've changed `common-session` in `/etc/pam.d` to contain the `pam_succeed_if` you mentioned. In that folder also a `systemd-user` file exists. – bastian Jan 14 '18 at 16:54
  • Got it somehow working. I had to remove the line from `common-session` and add it to `common-auth`. Modified the condition to `service in polkit-1:lightdm:sudo`. Enabling `debug` for `pam_succeed_if.so` helped a lot. Unfortunately it doesn't force a pam_mount password at login. The service `lightdm` is true for login AND the unlock screen. – bastian Jan 14 '18 at 17:43
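
Added example, not part of the answer or the comments: a small Python model of how PAM's `[success=1 default=ignore]` jump combines with `pam_succeed_if.so`, listing for which service names `pam_mount.so` is still reached under the answer's condition and under the condition quoted in the comment. The second stack's module type and jump value are assumptions, and only the `service` field is modelled.

```python
# Added example: a model of a PAM stack with "[success=N ...]" jumps.
# It is not a PAM implementation and only understands the 'service' field.
import re

def succeed_if(cond, service):
    """Evaluate a pam_succeed_if condition of the form 'service <op> <value>'."""
    field, op, value = cond.split(None, 2)
    if field != "service":
        raise ValueError("only the 'service' field is modelled here")
    if op == "=":
        return service == value
    if op == "!=":
        return service != value
    if op == "in":
        return service in value.split(":")
    if op == "notin":
        return service not in value.split(":")
    raise ValueError(f"unsupported operator: {op}")

def modules_run(stack, service):
    """Return the modules (other than pam_succeed_if.so) reached for a service."""
    reached, skip = [], 0
    for line in stack.strip().splitlines():
        m = re.match(r"\s*\w+\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)", line)
        control, module, args = m.groups()
        if skip:                      # a previous success=N jumps over this line
            skip -= 1
            continue
        if module == "pam_succeed_if.so":
            cond = " ".join(a for a in args.split() if a not in ("quiet", "debug"))
            jump = re.search(r"success=(\d+)", control)
            if jump and succeed_if(cond, service):
                skip = int(jump.group(1))
        else:
            reached.append(module)
    return reached

ANSWER_STACK = """
session [success=1 default=ignore]  pam_succeed_if.so  service = systemd-user quiet
session    optional   pam_mount.so
"""
# Constructed around the condition quoted in the comment (type and jump assumed).
COMMENT_STACK = """
auth [success=1 default=ignore]  pam_succeed_if.so  service in polkit-1:lightdm:sudo
auth    optional   pam_mount.so
"""

for svc in ("lightdm", "sudo", "systemd-user", "login"):
    print(f"{svc:13} answer={modules_run(ANSWER_STACK, svc)} comment={modules_run(COMMENT_STACK, svc)}")
```
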