
Thread: pmount failed during pam_usb Auth

  1. #1
    Join Date
    Aug 2009
    Location
    PA, USA, Earth
    Beans
    59
    Distro
    Ubuntu 10.04 Lucid Lynx

    pmount failed during pam_usb Auth

    I hate to start yet another pam_usb thread, but I haven't seen any active threads that cover this issue. I installed pam_usb fresh several times and have even gone so far as to remove pmount as well. Here's the issue:

    When I have my USB device inserted, authentication goes as planned:
    me@UbuntuDesktop:~$ pamusb-check me
    * Authentication request for user "me" (pamusb-check)
    * Device "TimeCapsule" is connected (good).
    * Performing one time pad verification...
    * Access granted.
    But when said device is unmounted (but still inserted) this happens:
    me@UbuntuDesktop:~$ pamusb-check me
    * Authentication request for user "me" (pamusb-check)
    * Device "TimeCapsule" is connected (good).
    * Performing one time pad verification...
    Error: device /dev/sdc1 is not removable
    * Mount failed
    * Access denied.
    Any clue why pmount is failing? The docs for pam_usb state that it can authenticate even when the device isn't mounted. This is important because I cannot log in via GDM unless pam_usb can mount the device itself.

    Any help is appreciated.

  2. #2
    Join Date
    Apr 2008
    Beans
    2

    Re: pmount failed during pam_usb Auth

    Greetings HuckBerry,

    I recently had the problem you described. I solved it with help from the comments on this blog post:

    http://highmem.blogspot.com/2008/10/...k-present.html

    Essentially, you can force pmount to allow your device to be automounted by pam_usb by adding the device on a line by itself in /etc/pmount.allow. Since you may attach other removable media before inserting your USB key (e.g. an external hard drive) you can set up a range of device nodes to use:


    Code:
    # /etc/pmount.allow
    # pmount will allow users to additionally mount all devices that are
    # listed here.
    
    /dev/sd[c-h]1

    This allows the first partition on any device in the range /dev/sdc to /dev/sdh to be mounted using pmount.


    Fare thee well!
    DarkPorpoise
    Last edited by DarkPorpoise; September 1st, 2009 at 07:18 PM. Reason: Clarification

  3. #3
    Join Date
    Aug 2009
    Location
    PA, USA, Earth
    Beans
    59
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: pmount failed during pam_usb Auth

    Thanks,
    I was aware of a system similar to that (not the range bit though) but I was skeptical of using it because of the fact that I had to allow mounting of all USB drives. I originally had my system set to prompt for a password upon insertion of a USB device, but had to remove it to make pam_usb work. Allowing pmount to mount without permission made the system even less secure.

    But for anyone who is looking for a solution to the OP, that did the trick. Worked on the first shot. But does anyone know of any alternatives?

    ~Huckle

  4. #4
    Join Date
    Apr 2008
    Beans
    2

    Re: pmount failed during pam_usb Auth

    Greetings HuckBerry,

    I did some troubleshooting of this problem with an empty /etc/pmount.allow file. Running pmount -d I was able to find the problem (output truncated for brevity):


    Code:
    ~ $ pmount -d -t ext2 /dev/sdc1
    resolved /dev/sdc1 to device /dev/sdc1
    mount point to be used: /media/sdc1
    no iocharset given, current locale encoding is UTF-8
    locale encoding uses UTF-8, setting iocharset to 'utf8'
    Cleaning lock directory /var/lock/pmount_dev_sdc1
    device_whitelist: checking /etc/pmount.allow...
    device_whitlisted(): nothing matched, returning 0
    find_sysfs_device: looking for sysfs directory for device 8:145
    find_sysfs_device: checking whether /dev/sdc1 is on /sys/block/ram0 (1:0)
    ...
    ...
    find_sysfs_device: checking whether /dev/sdc1 is on /sys/block/sdc (8:144)
    find_sysfs_device: major device numbers match
    find_sysfs_device: minor device numbers do not match, checking partitions...
    find_sysfs_device: checking whether device /dev/sdc1 matches partition 8:144
    find_sysfs_device: checking whether device /dev/sdc1 matches partition 8:145
    find_sysfs_device: -> partition matches, belongs to block device /sys/block/sdc
    device_removable: could not find a sysfs device for /dev/sdc1
    Error: device /dev/sdc1 is not removable
    policy check failed
    ~ $

    pmount finds a matching block device for /dev/sdc1, but there isn't enough information in /sys/block/ for it to proceed. Instead of checking the removable flag of the matching hardware block device (/sys/block/sdc/removable) it needs to check the flag of the specific partition (/sys/block/sdc1/removable) which fails because the directory /sys/block/sdc1/ does not exist.

    This behavior has changed in the latest unstable version (0.9.19). pmount now looks in /sys/class/block/ for matching device nodes which, on my system, contains directories for individual partitions on SCSI devices. I don't know how you feel about running testing, but it does seem to fix the problem.

    Getting pmount to behave the way it's supposed to and allow mounting of all suitable devices that have /sys/class/block/<device>/removable set to 1 is comparable to having the line /dev/sd[a-z][1-99] set in /etc/pmount.allow. Any removable USB storage media become mountable by the user, which is by design. It's also what allows PAM_USB to authenticate from unmounted media. Run pamusb-check --debug me to see how PAM_USB calls pmount. There are some things you can try to help prevent unsafe mounts while still allowing PAM_USB and pmount to work as intended.

    You can make sure that no services will automatically mount inserted media insecurely. Essentially, you would have to tell your system that a disk is trusted by manually mounting it or having an authorized service mount it in the background. For instance, PAM_USB matches the UUID of the inserted device with the devices listed in its configuration file, which ensures that it only tries to mount trusted devices.

    You can remove other users from the plugdev group, since only members of plugdev can use pmount. Of course, since PAM_USB calls pmount with the credentials of the user trying to authenticate, users of PAM_USB must be in the plugdev group. So, this measure won't work if there are other users on your system whom you want to be able to log in with PAM_USB, but you don't trust them to only insert safe media.

    Also, it might be possible to use pamusb-agent to turn on your system's password check for inserted USB devices automatically upon unlocking. I'm not sure how that would affect further attempts to authenticate with PAM_USB, or if it can even be done, but it might be worth fiddling with the idea.


    Fare thee well!
    DarkPorpoise


    EDIT:
    "Of course, since PAM_USB calls pmount with the credentials of the user trying to authenticate, users of PAM_USB must be in the plugdev group."
    A quick test revealed that this is only the case after the user has been authenticated. When logging in, PAM_USB is able to mount the media regardless of the user's membership in the plugdev group. That makes sense, since PAM_USB cannot run anything as user until that user is authenticated and it must run pmount before it can authenticate.
    Last edited by DarkPorpoise; August 27th, 2009 at 05:02 PM. Reason: Accuracy
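
The sysfs lookup and the /etc/pmount.allow pattern discussed in posts #2 and #4, as an added example that is not part of the thread or of pmount's code: it lists the devices a pattern permits together with the removable flag sysfs reports for each. `SYSFS`, `ALLOW` and the function names are assumptions of this sketch, and the shell glob match only approximates however pmount itself compares entries.

```sh
#!/bin/sh
# Added example (not from the thread or from pmount): list the block devices
# a pmount.allow-style file would permit and the removable flag sysfs reports.
# SYSFS, ALLOW and both function names are assumptions of this sketch.
SYSFS="${SYSFS:-/sys}"
ALLOW="${ALLOW:-/etc/pmount.allow}"

# Print the removable flag (1 or 0) for a name such as sdc or sdc1.
# A partition directory carries a "partition" file; its flag is read from
# the parent disk directory.
removable_flag() {
    dir="$SYSFS/class/block/$1"
    if [ ! -d "$dir" ]; then echo unknown; return 1; fi
    real=$(cd "$dir" && pwd -P)    # resolve the class symlink
    if [ -f "$real/partition" ]; then real=$(dirname "$real"); fi
    cat "$real/removable" 2>/dev/null || { echo unknown; return 1; }
}

# For each pattern line in the file, print every present device it matches:
#   <pattern> <device> removable=<flag>
# A removable=0 line means the pattern also permits a fixed disk.
audit_allow() {
    while IFS= read -r pat || [ -n "$pat" ]; do
        case "$pat" in ''|'#'*) continue ;; esac
        for entry in "$SYSFS"/class/block/*; do
            [ -e "$entry" ] || continue
            name=${entry##*/}
            # Unquoted $pat is matched as a glob, like /dev/sd[c-h]1.
            case "/dev/$name" in
                $pat) echo "$pat /dev/$name removable=$(removable_flag "$name")" ;;
            esac
        done
    done < "$1"
}

if [ -r "$ALLOW" ]; then audit_allow "$ALLOW"; fi
```
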

  5. #5
    Join Date
    Aug 2009
    Location
    PA, USA, Earth
    Beans
    59
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: pmount failed during pam_usb Auth

    What you say does make sense. I really do need to learn a bit more about how Linux interacts with devices (USB in particular) in order to solve this issue completely. But as a temporary fix I was thinking of turning back on Ubuntu's security feature that prompts for a password in order to mount a device.

    This would require the user to type their password once, but then be free from having to do so for as long as the device is inserted. However this would again disable logging in via device auth, and I could really emulate the same effect by extending the timeout for sudo. So I will instead live with the lack of security, since I have no real need for it at the moment anyway. It was pure paranoia.

    Thanks to everyone in this forum for their great help, this was neither the first nor the last.
    ~Huckle

  6. #6
    Join Date
    Feb 2007
    Location
    New York
    Beans
    894
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: pmount failed during pam_usb Auth

    So if I try to pmount a USB device and I get "Error: device /dev/sda1 is not removable", this is a bug?

    https://bugs.launchpad.net/ubuntu/+s...ls/+bug/281367
    Last edited by Endolith; October 12th, 2009 at 12:07 AM.
    "Please remember to do things the Ubuntu way. There is always more than one solution to a problem, choose the one you think will be the easiest for the user. ... Try to think as a green user and choose the simplest solution." — Code of Conduct
