pam_mount and davfs2 v 1.1.4: password issue

Mihai
2007-04-26
2013-04-16
  • Mihai
    2007-04-26

    Hi,

    On a SUSE 10.1 and RHEL 4, I am trying to mount a webdav drive using pam_mount and davfs2 v1.1.4. When logging in with sshd, pam_mount logs the following:

    ---------------------------------------------------------------------

    pam_mount: information for mount:
    pam_mount: ----------------------
    pam_mount: (defined by globalconf)
    pam_mount: user:          root
    pam_mount: server:
    pam_mount: volume:        http://webdavserver:81/webdav
    pam_mount: mountpoint:    /root/webdav/
    pam_mount: options:
    pam_mount: fs_key_cipher:
    pam_mount: fs_key_path:
    pam_mount: use_fstab:   0
    pam_mount: ----------------------
    pam_mount: realpath of volume "/root/webdav/" is "/root/webdav"
    pam_mount: checking to see if http://webdavserver:81/webdav is already mounted at /root/webdav/
    pam_mount: checking for encrypted filesystem key configuration
    pam_mount: about to start building mount command
    pam_mount: could not fill %(before="-o" OPTIONS)
    pam_mount: command: /bin/mount [-p0] [-t] [davfs] [http://webdavserver:81/webdav] [/root/webdav/]
    pam_mount: mount errors (should be empty):

    Please enter the password to authenticate root with server
      http://webdavserver:81/webdav
    or hit enter for none.
    Password:
    pam_mount: pam_mount: setting uid to 0
    pam_mount: pam_mount: real user/group IDs are 0/0, effective is 0/0
    pam_mount: /sbin/mount.davfs: Mounting failed.
    pam_mount: 401 Unauthorized

    ----------------------------------------------------------------------------------

    The problem is that davfs is reading the password sent by pam_mount minus the last character, hence the authentication failure message.

    The line to mount in pam_mount for the webdav volume is:

    volume root davfs - http://webdavserver:81/webdav /root/webdav/ - - -

    No such problem with davfs2 v 1.2.0

    Any clue much appreciated,

    Thanks,
    Mihai

     
    • Werner Baumann
      2007-04-27

      Hello Mihai,

      I am not familiar with pam_mount and can not find any documentation that tells what pam_mount really does. So here is what mount.davfs does:

      mount.davfs gets the credentials for authentication with the server either from the secrets file (pam_mount and mount are not involved in this), or it reads it from standard input.

      The difference between 1.1.4 and 1.2.0:
      1.1.4 reads the *line* with the password from standard input (using c-function getline). As a line always ends with a newline character, it removes the last character, without any checking.
      1.2.0 just uses the function getpass from the c library to get the password. getpass tries to use the real terminal, not just standard input. This might make the difference.

      But I think, pam_mount should not eat the newline character. I do not know how pam_mount reaches the credentials to mount.davfs. But as mount.davfs reads a *line* from standard in, pam_mount should follow the conventions; that is, a line is terminated by a newline character. But I wonder how it manages to pass the username, as mount.davfs drops the last character from username just as well?

      Is there a reason to use 1.1.4 instead of 1.2.1?

      Cheers
      Werner

      P.S.: from the documentation of GNU libc:

      — Function: ssize_t getline (char **lineptr, size_t *n, FILE *stream)

          This function reads an entire line from stream, storing the text (including the newline and a terminating null character) in a buffer and storing the buffer address in *lineptr.

       
      • Mihai
        2007-04-27

        Hi Werner,

        Thanks for your message. Please find a quick overview of pam_mount here:

        http://pam-mount.sourceforge.net/

        To avoid asking for username, we use the 'secrets' file. Pam_mount 'knows' by default to answer to "password:" prompt with the user password from PAM stack (login password in our case). As mentioned, this part works fine with davfs 1.2.0 but we cannot use davfs 1.2.0 version because some filenames are showing up incorrectly.

        Regards,
        Mihai

         
    • Werner Baumann
      2007-04-28

      Hello Mihai,

      the documentation at http://pam-mount.sourceforge.net/ is not very helpful and I am not interested in working through the source code.

      > To avoid asking for username, we use the 'secrets' file. Pam_mount 'knows' by default to
      > answer to "password:" prompt with the user password from PAM stack(login password in our
      > case).
      Is the password to authenticate with the server the same as the login password? Why not put the password for the server into the secrets file?

      Please tell me more about the incorrect filenames. davfs2-1.2.1 introduced character set conversion and it does this by default for filenames that are sent within the WebDAV 'displayname'-property. There is another report about problems with this (http://sourceforge.net/forum/forum.php?thread_id=1724503&forum_id=128247).

      I would like to track down and solve the problem, so I need your information about this. You might also use option 'use_displayname 0' in your davfs2.conf-file. This will force mount.davfs to get the filename from the url and not from displayname. Are the filenames still incorrect then?

      Cheers
      Werner

       
      • Mihai
        2007-04-28

        Hi Werner,

        Yes, the login password is the same as the webdav one, through centralized authentication with Active Directory. We cannot put the password in 'secrets' in our scenario because: 1. security concerns; 2. we have many potential users and we do not know their passwords. We implement single sign-on with linux machines and a webdav server integrated with Active Directory (AD), i.e. when users log in to a linux machine, personal webdav folders are mounted through davfs in their local home folder by pam-mount.

        The problem with characters is actually our common problem; it is just another person taking care of it on the topic you mentioned, so the info provided there is from our common implementation.

        Thanks a lot,
        Mihai

         
    • Werner Baumann
      2007-04-28

      Hello Mihai,

      I had a look at the bug reports for pam_mount. The issue had been reported earlier by buzdee, including a patch, but it was not handled by the pam_mount developers.
      pam_mount redirects standard input of the mount program to a pipe. So this pipe should behave like standard input. I think the missing newline is a bug.

      Nevertheless, davfs2 should handle the password, even if the newline is missing. The getpass function, used since version 1.2.0, does this. You can easily patch version 1.1.4 to handle this too.

      In file mount_davfs.c, function ask_auth(), line 1031, replace

      *password = ne_strndup(s, len - 1);

      by

      /* test the buffer that was read (s); *password is not assigned yet */
      if (len > 0 && s[len - 1] == '\n') {
          *password = ne_strndup(s, len - 1);
      } else {
          *password = ne_strndup(s, len);
      }

      After running 'make', please back up your /usr/local/etc/davfs.conf and /usr/local/etc/secrets file, before running 'make install'. 'make install' will replace the existing files without warning.

      Cheers
      Werner
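The truncation discussed in this thread, reproduced as an added example (not code from davfs2 or pam_mount): a password is written to a pipe without a trailing newline, read back with getline(), and stripped once unconditionally and once with a check. The function names and the sample password are constructed for illustration, and strndup stands in for ne_strndup.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* getline(), fdopen(), strndup() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Behaviour the thread attributes to 1.1.4: always drop the last byte. */
static char *strip_unconditional(const char *s, ssize_t len)
{
    return len > 0 ? strndup(s, (size_t)len - 1) : NULL;
}

/* Checked variant: drop the last byte only when it is a newline. */
static char *strip_checked(const char *s, ssize_t len)
{
    if (len <= 0)
        return NULL;                 /* EOF or read error: no password */
    if (s[len - 1] == '\n')
        len--;
    return strndup(s, (size_t)len);
}

/* Write `sent` into a pipe (standing in for the helper's redirected stdin),
 * read one line back with getline() and strip it. Caller frees the result. */
char *read_password(const char *sent, int checked)
{
    int fd[2];
    char *line = NULL, *pw;
    size_t cap = 0;
    FILE *in;

    if (pipe(fd) != 0)
        return NULL;
    ssize_t w = write(fd[1], sent, strlen(sent));
    close(fd[1]);                    /* writer done: reader will see EOF */
    if (w < 0 || (in = fdopen(fd[0], "r")) == NULL) { close(fd[0]); return NULL; }
    ssize_t len = getline(&line, &cap, in);
    pw = checked ? strip_checked(line, len) : strip_unconditional(line, len);
    free(line);
    fclose(in);
    return pw;
}

int main(void)
{
    char *bad = read_password("s3cret", 0), *good = read_password("s3cret", 1);
    printf("unconditional: %s\nchecked:       %s\n", bad ? bad : "(none)", good ? good : "(none)");
    free(bad); free(good);
    return 0;
}
```

With a newline-terminated input both variants return the same string; only the unterminated write exposes the difference.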