Hello everyone,
I have a problem with pam_mount and I'm floundering; I have to admit I don't know this package well yet.
Here is the problem:
My server Node1 runs Debian 8.2 and I use pam_mount to mount network drives hosted on a Synology NAS.
From my remote Linux PC, in a terminal, if I connect to this server with the command:
I enter my password, no problem, I'm logged in and my network drives are mounted.
However, and this is the problem, if I save my password (so I don't have to type it on every ssh connection) and copy it to the server with ssh-copy-id, and then run my command
The remote connection is made without my having to type my password, no problem there, but the network drives do not get mounted.
Here is what I have in /var/log/auth.log:
Jan 19 11:29:10 Node1 sshd[20613]: Accepted publickey for testuser from 192.168.25.65 port 58914 ssh2: RSA 7f:32:23:41:81:96:98:09:6t:1b:c6:a8:0d:ec:d3:4c
Jan 19 11:29:10 Node1 sshd[20613]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Jan 19 11:29:10 Node1 sshd[20613]: (pam_mount.c:173): conv->conv(...): Conversation error
Jan 19 11:29:10 Node1 sshd[20613]: (pam_mount.c:477): warning: could not obtain password interactively either
Jan 19 11:29:11 Node1 sshd[20613]: (mount.c:72): Messages from underlying mount program:
Jan 19 11:29:11 Node1 sshd[20613]: (mount.c:76): mount error(13): Permission denied
Jan 19 11:29:11 Node1 sshd[20613]: (mount.c:76): Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
Jan 19 11:29:11 Node1 sshd[20613]: (pam_mount.c:522): mount of data failed
Here are the two config files that I modify when installing the servers and PCs:
pam_mount.conf.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!-- See pam_mount.conf(5) for a description. This should go in /etc/security/ -->
<pam_mount>
<debug enable="0" />
<!-- Volume definitions -->
<volume
fstype="cifs"
server="172.16.15.10"
path="data"
mountpoint="/home/%(USER)/Data"
user="*"
options="nodev,nosuid,dir_mode=0700"
/>
<volume
fstype="cifs"
server="172.16.15.10"
path="archives"
mountpoint="/home/%(USER)/Data/Archives"
user="*"
options="nodev,nosuid,dir_mode=0700"
/>
<volume
fstype="cifs"
server="172.16.15.20"
path="homes"
mountpoint="/home/%(USER)/PersonalData"
user="*"
options="nodev,nosuid,dir_mode=0700"
/>
<!-- pam_mount parameters: General tunables -->
<!--<luserconf name=".pam_mount.conf.xml" />-->
<!-- Note that commenting out mntoptions will give you the defaults.
You will need to explicitly initialize it with the empty string
to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,nonempty,allow_other,sec,dir_mode,file_mode" />
<mntoptions require="nosuid,nodev,dir_mode" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<logout wait="0" hup="0" term="0" kill="0" />
<!-- pam_mount parameters: Volume-related -->
<mkmountpoint enable="1" remove="true" />
</pam_mount>
and the second one:
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session [success=ok default=ignore] pam_lsass.so
session optional pam_mount.so
session optional pam_systemd.so
session optional pam_ck_connector.so nox11
# end of pam-auth-update config
/etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
Thanks a lot for your help, because I'm really stuck and I absolutely need the network drives to mount on an ssh connection without typing the password.
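Added example, not part of the original post: the auth.log excerpt above is the signature of pam_mount running in a session that sshd opened after publickey authentication. With UsePAM yes, sshd only runs the PAM account and session stacks for a key login, so pam_mount never receives a password token; it falls back to an interactive conversation, which the session stage cannot serve (the "Conversation error"), and then calls mount.cifs without a password, which the NAS rejects with mount error 13. The Python script below, written for this page, groups auth.log lines by sshd PID and flags sessions showing exactly that pattern. The log lines are constructed from the excerpt above, with a second password-authenticated session added for contrast; the function and field names are my own.

```python
"""Correlate the sshd authentication method with pam_mount failures in auth.log.

Added example (not from the original post). pam_mount gets the user's password
from the PAM auth stack; after publickey authentication sshd never runs that
stack, so pam_mount has nothing to hand to mount.cifs. This script groups
auth.log lines by sshd PID and reports key-based logins whose volumes failed
to mount for lack of a password.
"""
import re
from collections import OrderedDict

# Constructed sample, modelled on the excerpt in the post: pid 20613 is a
# key-based login, pid 20700 a password login whose session mounts fine.
SAMPLE_LOG = """\
Jan 19 11:29:10 Node1 sshd[20613]: Accepted publickey for testuser from 192.168.25.65 port 58914 ssh2: RSA 7f:32:23:41:81:96:98:09:6a:1b:c6:a8:0d:ec:d3:4c
Jan 19 11:29:10 Node1 sshd[20613]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Jan 19 11:29:10 Node1 sshd[20613]: (pam_mount.c:173): conv->conv(...): Conversation error
Jan 19 11:29:10 Node1 sshd[20613]: (pam_mount.c:477): warning: could not obtain password interactively either
Jan 19 11:29:11 Node1 sshd[20613]: (mount.c:72): Messages from underlying mount program:
Jan 19 11:29:11 Node1 sshd[20613]: (mount.c:76): mount error(13): Permission denied
Jan 19 11:29:11 Node1 sshd[20613]: (mount.c:76): Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
Jan 19 11:29:11 Node1 sshd[20613]: (pam_mount.c:522): mount of data failed
Jan 19 11:29:11 Node1 sshd[20613]: (pam_mount.c:522): mount of archives failed
Jan 19 11:35:02 Node1 sshd[20700]: Accepted password for testuser from 192.168.25.65 port 58920 ssh2
Jan 19 11:35:02 Node1 sshd[20700]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
"""

# Syslog prefix emitted by sshd: timestamp, host, "sshd[pid]: message".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port")
NO_PASSWORD_RE = re.compile(r"\(pam_mount\.c:\d+\): warning: could not obtain password")
MOUNT_FAILED_RE = re.compile(r"\(pam_mount\.c:\d+\): mount of (?P<volume>\S+) failed")
MOUNT_ERRNO_RE = re.compile(r"mount error\((?P<errno>\d+)\)")


def parse_sessions(log_text):
    """Group sshd lines by PID into per-session records, in first-seen order."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line (or not syslog-shaped); ignore
        pid = int(m.group("pid"))
        sess = sessions.setdefault(pid, {
            "pid": pid, "user": None, "method": None, "src": None,
            "password_missing": False, "failed_volumes": [], "mount_errno": None,
        })
        msg = m.group("msg")
        accepted = ACCEPTED_RE.match(msg)
        if accepted:
            sess["user"] = accepted.group("user")
            sess["method"] = accepted.group("method")
            sess["src"] = accepted.group("src")
            continue
        if NO_PASSWORD_RE.search(msg):
            sess["password_missing"] = True
            continue
        failed = MOUNT_FAILED_RE.search(msg)
        if failed:
            sess["failed_volumes"].append(failed.group("volume"))
            continue
        err = MOUNT_ERRNO_RE.search(msg)
        if err:
            sess["mount_errno"] = int(err.group("errno"))
    return list(sessions.values())


def key_logins_without_mounts(log_text):
    """Sessions where publickey auth left pam_mount without a password and a volume failed."""
    return [
        s for s in parse_sessions(log_text)
        if s["method"] == "publickey" and s["password_missing"] and s["failed_volumes"]
    ]


def summarize(session):
    """One-line, human-readable verdict for a flagged session record."""
    return (
        "sshd[%d]: %s from %s authenticated with %s; pam_mount had no password, "
        "mount failed for %s (mount errno %s)"
        % (session["pid"], session["user"], session["src"], session["method"],
           ", ".join(session["failed_volumes"]), session["mount_errno"])
    )


if __name__ == "__main__":
    for s in key_logins_without_mounts(SAMPLE_LOG):
        print(summarize(s))
```

Run it against a real /var/log/auth.log by passing the file contents to key_logins_without_mounts(); a session is only flagged when all three signals line up (publickey accepted, pam_mount's "could not obtain password" warning, and at least one "mount of ... failed" line), so a password login whose mount fails for some other reason is not misreported as this problem.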