author | Jakub Moc <jakub@gentoo.org> | 2006-06-09 08:29:56 +0000 |
---|---|---|
committer | Jakub Moc <jakub@gentoo.org> | 2006-06-09 08:29:56 +0000 |
commit | 1a6dbaa16fc89d08f7dc76bf5f34efe09f9843a1 (patch) | |
tree | 03e3f67af880483ed432b726dfffcef4376ec0e2 /sys-auth/pam_mount | |
parent | sys-auth/pam_mount - tweak system-auth and drop redundant sed accordingly (diff) | |
download | sunrise-1a6dbaa16fc89d08f7dc76bf5f34efe09f9843a1.tar.gz sunrise-1a6dbaa16fc89d08f7dc76bf5f34efe09f9843a1.tar.bz2 sunrise-1a6dbaa16fc89d08f7dc76bf5f34efe09f9843a1.zip |
sys-auth/pam_mount - drop redundant pam_mount.conf from files; we are patching the one in the tarball
svn path=/; revision=32
Diffstat (limited to 'sys-auth/pam_mount')
-rw-r--r-- | sys-auth/pam_mount/Manifest | 4 | ||||
-rw-r--r-- | sys-auth/pam_mount/files/pam_mount.conf | 215 |
2 files changed, 0 insertions, 219 deletions
diff --git a/sys-auth/pam_mount/Manifest b/sys-auth/pam_mount/Manifest
index 800c130d3..2679c894b 100644
--- a/sys-auth/pam_mount/Manifest
+++ b/sys-auth/pam_mount/Manifest
@@ -2,10 +2,6 @@ AUX pam_mount-gentoo-paths-and-examples.patch 3434 RMD160 d96c9d62e06f5f1a9d3fa6
 MD5 18e77a5b6f8042067d0afeb7482c5eaa files/pam_mount-gentoo-paths-and-examples.patch 3434
 RMD160 d96c9d62e06f5f1a9d3fa66db6262c908699ba1c files/pam_mount-gentoo-paths-and-examples.patch 3434
 SHA256 ff49183c0899650f1d9e480b7895bd26627c2bee246715697071303751ffa96a files/pam_mount-gentoo-paths-and-examples.patch 3434
-AUX pam_mount.conf 10115 RMD160 1fd1af233ce50a6fb231341966982a15c747fedf SHA1 aa73716cfe5b697bd5a049430a6dc8824734e312 SHA256 7bf16e96d6d4a7e380913316863d06f2b405883b5c790329aeaf3c7ad90e8f12
-MD5 b8261fc18126cbabf8670a3d92806448 files/pam_mount.conf 10115
-RMD160 1fd1af233ce50a6fb231341966982a15c747fedf files/pam_mount.conf 10115
-SHA256 7bf16e96d6d4a7e380913316863d06f2b405883b5c790329aeaf3c7ad90e8f12 files/pam_mount.conf 10115
 AUX system-auth 788 RMD160 2bd8f3a36e181072708c2e16eb5142abedc92b56 SHA1 0b0925270acadaa87fcfd93dea8f17847da3f85e SHA256 a5683c1fe369facdd41d735ea774e628170fa48e979bb7f4778fff05a2ea6199
 MD5 576010d1897ae496736e03ea81f66aa6 files/system-auth 788
 RMD160 2bd8f3a36e181072708c2e16eb5142abedc92b56 files/system-auth 788
diff --git a/sys-auth/pam_mount/files/pam_mount.conf b/sys-auth/pam_mount/files/pam_mount.conf
deleted file mode 100644
index 2e75611f1..000000000
--- a/sys-auth/pam_mount/files/pam_mount.conf
+++ /dev/null
@@ -1,215 +0,0 @@ -#------------------------------------------------------------------- -# Below is a modified sample configuration file for pam_mount that has -# been successfully used to do encrypted auto mounts on a gentoo box -# using both the same password as login and a sperate key file -# and openssl. This works for cryptoloop and dm-crypt. -#------------------------------------------------------------------- - -# Turn on if you want to debug why some volume cannot be mounted etc. -# This can be overriden by user's local configuration -# -# Format: debug [ 1 | 0 ] -# Local user configuration can override this. - -debug 1 -mkmountpoint 1 -# Loopback device to use to run fsck on loopback filesystems. -fsckloop /dev/loop7 - -# Users' local configuration file (if there is none, comment out this -# parameter). Will be read as ~/<file> -# -# Note: you must include either options_allow or options_deny to use -# this directive. I recommend also including options_require. -# -# Individual users may define additional volumes to mount if allowed -# by pam_mount.conf (usually ~/.pam_mount.conf). The volume keyword is -# the only valid keyword in these per-user configuration files. If the -# luserconf parameter is set in pam_mount.conf, allowing user-defined -# volume, then users may mount and unmount any volume they own at any -# mount point they own. On some filesystem configurations this may be -# a security flaw so user-defined volumes are not allowed by the example -# pam_mount.conf distributed with pam_mount. -# -# Format: luserconf <file> -# luserconf .pam_mount.conf - -# These directives determine which options may be specified in a user config -# file (luserconf). You must include one of these directives if you have a -# luserconf directive. You may not include both directives. -# -# If you have an options_allow directive, then the options listed in that -# directive wil be allowed, and all others rejected. 
If you have an -# options_deny directive, then the options listed will be denied, and all others -# permitted. -# -# You may use the wildcard '*' to match all options. -# -options_allow nosuid,nodev,loop,encryption -# options_deny suid,dev -# options_allow * -# options_deny * -# -# I recommend not permitting the suid and dev options. - -# The options listed in this directive are required for all volumes from a -# user config file. That is, any volume specified in a user config file that -# does not include these options will be ignored. -# -# Note: you must make sure that a required option is permitted (either by -# including it in options_allow, or by not including it in options_deny). -# -# I recommend requiring at least nosuid and nodev. -# -# This is ignored completely if the volume is configured to get its options -# and mount point from /etc/fstab. -# -options_require nosuid,nodev - -# Commands to mount/unmount volumes. They can take parameters, as shown. -# -# If you change the -p0 argument for lclmount, you'll need to modify the -# source in mount.c (it sends the password to the stdin file descriptor -# of the child process -- look for STDIN_FILENO). - -lsof /usr/sbin/lsof %(MNTPT) -fsck /sbin/fsck -p %(FSCKTARGET) -losetup /sbin/losetup -p0 "%(before=\"-e \" CIPHER)" "%(before=\"-k \" KEYBITS)" %(FSCKLOOP) %(VOLUME) -unlosetup /sbin/losetup -d %(FSCKLOOP) -cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)" -smbmount /bin/mount -t smbfs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)" -ncpmount /bin/mount -t ncpfs %(SERVER)/%(USER) %(MNTPT) -o "pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)" -# Linux supports lazy unmounting (-l). May be dangerous for encrypted volumes. -# May also break loopback mounts because loopback devices are not freed. -# Need to unmount mount point not volume to support SMB mounts, etc. 
-umount /bin/umount %(MNTPT) -# On OpenBSD try "/usr/local/bin/mount_ehd" (included in pam_mount package). -lclmount /bin/mount -p0 %(VOLUME) %(MNTPT) "%(before=\"-o \" OPTIONS)" -cryptmount /bin/mount -t crypt "%(before=\"-o \" OPTIONS)" %(VOLUME) %(MNTPT) -nfsmount /bin/mount %(SERVER):%(VOLUME) "%(MNTPT)%(before=\"-o \" OPTIONS)" -# --bind may be a Linuxism. FIXME: find BSD equivalent. -mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT) -mntcheck /bin/mount # For BSD's (don't have /etc/mtab) -pmvarrun /usr/sbin/pmvarrun -u %(USER) -d -o %(OPERATION) - -# Volumes that will be mounted when user triggers pam_mount module -# (usually at login). -# -# Format: -# volume <user> [smb|ncp|nfs|local] <server> <volume> <mount point> <mount options> <fs key cipher> <fs key path> -# -# General examples: -# volume user smb krueger public /home/user/krueger - - - -# volume user ncp krueger public /home/user/krueger user=user.context - - - -# Linux encrypted home directory examples, using dm_crypt: -# volume user crypt - /dev/sda2 /home/user cipher=aes aes-256-ecb /home/user.key -# -# Linux encrypted home directory examples, using cryptoloop: -# volume user local - /dev/hda123 /home/user loop,encryption=aes - - -# volume user local - /home/user.img /home/user loop,user,exec,encryption=aes,keybits=256 - - -# volume user local - /home/user.img - - - - -# volume user local - /home/user.img - - aes-256-ecb /home/user4.key - -# BEGIN GENTOO EXAMPLES FOR ENCRYPTED HOME -# user1 has an encrypted home that uses his/her system passwd as the -# encryption key -# To create a USB dongle secured user see user2: -# Define a user key and group key to use a USB dongle as an encrypted -# file system for the key to the user2 file system - so user would need -# the USB dongle, the password for user key and the password for user -# user2. in order to access the encrypted home of user2. Note that -# without the first two the user can still log in and create files -# on his home directory mount point. 
However the security for the -# encrypted volume is much better since a dictionary attack would need -# the dongle. See http://www.counterpane.com/twofish-final.html -# for a discussion on why twofish is a good choice. This setup works -# with mm-sources-2.6.0_beta9-r5. So to login graphically as user2 -# insert key, ctrl-alt-f1 login as key, alt-f7, login as user2, -# ctrl-alt-f1, logout key, remove dongle. This works for KDM. Modify -# /etc/pam.d/login and /etc/pam.d/kde per docs -#volume key local - /dev/sda2 /key loop,encryption=twofish - - -#volume user1 local - /home/.user1 /home/user1 loop,encryption=twofish - - -#volume user2 local - /home/.user2 - - bf-ecb /key/sp.key -# /etc/fstab contains -#/home/.user2 /home/user2 reiserfs user,loop,encryption=twofish,noauto 0 0 -#/dev/sda2 /key ext2 user,loop,encryption=twofish,noauto 0 0 -# -# Device-Mapper based encryption (dm-crypt) -# Since the introduction of dm-crypt in Linux 2.6.4, cryptoloop has been -# deprecated. To use the new dm-crypt interface, you will have to adapt -# the preceding examples to use "crypt" instead of "local" as filesystem -# type. Additionally the cipher algorithm is specified via the "cipher" -# option (to distinguish from cryptoloop's "encryption"). Thus, the -# user1 example would look like this: -#volume user1 crypt - /home/.user1 /home/user1 loop,cipher=twofish - - -# An entry in /etc/fstab is not needed. A detailed HOWTO can be found in -# the forums: http://forums.gentoo.org/viewtopic.php?t=274651 -# END GENTOO EXAMPLES - -# -# OpenBSD encrypted home directory example (see also lclmount above): -# volume user local - /home/user.img /home/user svnd0 - - -# -# The last two examples need a line like the following in -# /etc/fstab: -# -# /home/user4.img /home/user4 xfs user,loop,encryption=aes,keybits=256,noauto 0 0 -# -# Details: -# Local user configuration can extend this. -# Mount point must be owned by the user. -# -# If there are no servers, mount options, fs key ciphers, etc. 
you must -# supply a "-" -# -# If a local mount is specified in a user config file, then the user must -# own the device or file being mounted. -# -# See http://www.tldp.org/HOWTO/Loopback-Encrypted-Filesystem-HOWTO.html -# to learn how to create a encrypted loopback filesystem. -# -# If the volume's password is different than the user's login password, -# the following technique may be used (see also README): -# -# 1. Create a file containing the volume's password (FS key). If you are -# using pam_mount to mount an loopback encrypted volume, this password -# should may generated by /dev/urandom. -# -# Simple example: -# echo <volume password> | openssl aes-256-ecb > /home/user.key -# Encrypt this file using the user's login password as the key. -# -# Verbose loopback encrypted volume example: -# a. dd if=/dev/urandom of=/home/user.img bs=1M count=<image size in MB> -# b. dd if=/dev/urandom bs=1c count=<keysize / 8> | openssl enc \ -# -<fs key cipher> > /home/user.key -# Encrypt this file using the user's login password as the key. -# c. openssl enc -d -<fs key cipher> -in /home/user.key | losetup -e aes \ -# -k <keysize> -p0 /dev/loop0 /home/user.img -# d. mkfs -t ext2 /dev/loop0 -# e. umount /dev/loop0 -# f. losetup -d /dev/loop0 -# -# 3. In pam_mount.conf: -# a. Set the fs key cipher variable to the cipher used (ie: aes-256-ecb). -# b. Set the fs key path variable to the key's path (ie: /home/user.key) -# 4. If a user changes his login password, regenerate the efsk that -# was created in step 1b. A script named passwdehd is provided to do this. -# -# If fs_key_cipher is -, then the user's login password is also the volume's -# password. - -# Template (or wildcard) volumes -# -# If user is "*", "&" will be replaced by name of the user logging on in the -# volume, mount point, mount options and fs key path fields. "~/*" will be -# replaced with "<user's homedir>/*." In this mode, the user need not -# own the mount point, but it must exist. 
-# -# volume * smb krueger & /home/& uid=&,gid=&,dmask=0750 - - -# volume * smb krueger homes /home/&/remote - - - -# volume * local - /home/&.img - - aes-256-ecb /etc/ehd/& - -# Windows 2000, which requires a domain specified, example (thanks John Knox): -# volume * smb viper & /home/& uid=&,gid=&,dmask=0750,workgroup=WINDOWS_DOMAIN - - |