I am trying to use pam_mount to mount each user's home folder over sshfs when each user logs in. The problem I have gotten stuck on is that when pam_mount calls mount.fuse and mount.fuse uses ssh to mount the sshfs folder, it creates the "~/.ssh" directory. This means that the mount point of ~/ for that user becomes non-empty and the mount fails. At this point you might point out that there is an option called nonempty that I can turn on which will allow mounting to a non-empty mount point. I have turned that on but it does not work. Maybe this is just broken in my version of sshfs? Maybe I misunderstood the meaning of that option?
You might ask, how do I know that the mounting is failing due to a non-empty directory. I tested my theory like this. I changed the mount point to "~/foobar". So instead of mounting directly to the home directory we are now mounting to a folder called foobar in the home directory. When I log in as a regular user the mount succeeds and the user's home directory is mounted to ~/foobar. So I log out and the share is unmounted. So now I create a blank file in that foobar directory so that the foobar directory is non-empty. I log in again as the regular user and the mount fails.
Edit: Added info from /etc/security/pam_mount.conf.xml (server IP removed for privacy)
<fusemount>mount.fuse %(VOLUME) %(MNTPT) -o %(OPTIONS)</fusemount>
<volume fstype="fuse" path="sshfs#%(USER)@<ssh server ip>:/data/home/%(USER)" mountpoint="/home/%(USER)" options="nonempty" ssh="1"/>
Edit: (the output of audit.log on the ssh/file server side)
type=CRED_DISP msg=audit(1314290438.255:1490): user pid=5817 uid=0 auid=16777308 ses=203 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="<ssh username>" exe="/usr/sbin/sshd" hostname=<client ip> addr=<client ip> terminal=ssh res=success'
Edit: I just thought that I would mention that I tried to do basically the same command that pam_mount is configured to do on an empty directory, then a non-empty directory. It appears to work when the directory is non-empty. So now my theory is that pam_mount is not passing in the nonempty option correctly or something else is happening... Again though, I don't think it's an authentication issue, as on the server side authentication is reported as a success. The command I am talking about is:
mount.fuse sshfs#<ssh user>@<ssh/file server ip>:/data/home/<ssh user> <mount point> -o "nonempty"
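Rather than guessing whether pam_mount forwards the nonempty option, one way to see exactly what reaches mount.fuse is to point the fusemount line at a logging wrapper that records its argument vector and the state of the mount point before handing off to the real binary. This is an added example, not the poster's code or part of pam_mount or sshfs; the wrapper name, log path and location of the real mount.fuse are assumptions.

```shell
#!/bin/sh
# Diagnostic wrapper for mount.fuse (added example, not from the original post).
# Install as /usr/local/sbin/mount.fuse.log (assumed path) and reference that path
# in the <fusemount> line of pam_mount.conf.xml instead of mount.fuse.
REAL_MOUNT_FUSE="${REAL_MOUNT_FUSE:-/sbin/mount.fuse}"      # assumed location
LOGFILE="${MOUNT_FUSE_LOG:-/var/log/pam_mount_fuse.log}"   # assumed log path

# Return 0 if "nonempty" appears in the comma-separated list following -o.
has_nonempty_opt() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -o) shift; case ",$1," in *,nonempty,*) return 0 ;; esac ;;
        esac
        shift
    done
    return 1
}

# Return 0 if the directory exists and contains no entries (dotfiles included).
mountpoint_is_empty() {
    [ -d "$1" ] && [ -z "$(ls -A "$1" 2>/dev/null)" ]
}

# Append a timestamped record of the caller's ids and every argument, one per
# line in brackets so whitespace or empty arguments are visible.
log_invocation() {
    log="$1"; shift
    {
        printf '%s euid=%s ruid=%s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$(id -u)" "$(id -ru)"
        for a in "$@"; do printf '  arg: [%s]\n' "$a"; done
    } >> "$log"
}

main() {
    log_invocation "$LOGFILE" "$@"
    has_nonempty_opt "$@" || echo "  note: nonempty not among -o options" >> "$LOGFILE"
    # pam_mount's fusemount line puts the mount point second: VOLUME MNTPT -o OPTIONS
    if [ -n "$2" ] && ! mountpoint_is_empty "$2"; then
        echo "  note: mount point $2 is not empty: $(ls -A "$2" | tr '\n' ' ')" >> "$LOGFILE"
    fi
    exec "$REAL_MOUNT_FUSE" "$@"
}

# Only hand off to the real binary when run as the wrapper, not when sourced.
case "$0" in */mount.fuse.log|mount.fuse.log) main "$@" ;; esac
```

After a failed login the log shows whether "nonempty" was actually passed and what was sitting in the mount point at that moment.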