I need to prevent users from authenticating through Kerberos when the encrypted /home/users
has not yet been mounted. (This is to avoid corrupting the ecryptfs mountpoint)
Currently I have these lines in /etc/pam.d/common-auth:
auth required pam_group.so use_first_pass
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000 try_first_pass
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
I am planning to use pam_exec.so to execute a script that will exit 1
if the ecryptfs mounts are not ready yet.
Doing this:
auth required pam_exec.so /etc/security/check_ecryptfs
will lock me out for good if ecryptfs for some reason fails. In such case I would like to at least be able to login with a local (non-kerberos) user to fix the issue.
Is there some sort of AND operator in which I can say that login through kerberos+ldap is only sufficient if both kerberos authentication and the ecryptfs mount have succeeded?
I'm not aware of any AND operator for PAM, but you can achieve the same effect with control statements. Per my comment, this is pretty hacky, but should get the job done.
In your check script, return a specific PAM error code (probably PAM_SYSTEM_ERR), then use control statements in your common-auth file like so:

The control statements for the pam_exec module should cause PAM to go to the next module (pam_krb5) on success, and skip to pam_unix if pam_exec returns any other return code. You'll need to make sure your module actually returns the success code, though. See the source.
Further reference:
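A concrete version of the stanza the answer describes, together with the check script it calls, as an added example rather than code from the question or the answer. It assumes the script path /etc/security/check_ecryptfs and the mountpoint /home/users from the question, and that common-auth ends with the usual Debian pam_deny/pam_permit pair (which the question's success=2 on pam_krb5 implies but does not show). One detail worth knowing when wiring this up: pam_exec reports PAM_SYSTEM_ERR for any non-zero exit status of the command, so the script does not need to pick a particular exit code; the control field on the pam_exec line, not the script, decides what happens on failure.

```shell
#!/bin/sh
# /etc/security/check_ecryptfs  (added example; not from the original answer)
#
# Invoked by pam_exec from the auth stack. pam_exec maps any non-zero exit
# status of this script to PAM_SYSTEM_ERR, so the only thing that matters is
# exit 0 (mount present) versus non-zero (mount absent).
#
# Suggested common-auth ordering (the pam_deny/pam_permit tail is the usual
# Debian layout and is an assumption; the other lines are the question's own):
#
#   auth required                   pam_group.so use_first_pass
#   auth [success=ignore default=1] pam_exec.so quiet /etc/security/check_ecryptfs
#   auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000 try_first_pass
#   auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
#   auth requisite                  pam_deny.so
#   auth required                   pam_permit.so
#
# Check passes -> fall through to pam_krb5 (Kerberos AND mount both required).
# Check fails  -> "default=1" skips pam_krb5; pam_unix still runs, so a local
#                 account can log in and repair the mount.

MOUNTPOINT="${MOUNTPOINT:-/home/users}"   # assumed mountpoint from the question

# is_ecryptfs_mounted MOUNTPOINT [MOUNTS_FILE]
# Returns 0 when MOUNTPOINT appears in MOUNTS_FILE (default /proc/mounts) with
# filesystem type "ecryptfs", 1 otherwise. /proc/mounts fields are:
#   device mountpoint fstype options dump pass
# Note: the kernel escapes spaces in paths as \040, so the comparison is literal.
is_ecryptfs_mounted() {
    mnt_wanted=$1
    mounts_file=${2:-/proc/mounts}
    [ -r "$mounts_file" ] || return 1
    while read -r _dev mnt fstype _rest; do
        if [ "$mnt" = "$mnt_wanted" ] && [ "$fstype" = "ecryptfs" ]; then
            return 0
        fi
    done < "$mounts_file"
    return 1
}

main() {
    if is_ecryptfs_mounted "$MOUNTPOINT"; then
        exit 0
    fi
    # PAM_USER is exported by pam_exec; record who was turned away and why.
    logger -t check_ecryptfs -p auth.err \
        "refusing Kerberos login for ${PAM_USER:-?}: $MOUNTPOINT is not an ecryptfs mount"
    exit 1
}

# Only run the check when executed as the installed script, so the functions
# can also be sourced and exercised in isolation.
case "$0" in
    */check_ecryptfs) main "$@" ;;
esac
```

The script runs as root from the auth stack, so keep it root-owned and mode 0755 (no group or world write), and keep a root shell open while you change common-auth so a mistake in the control fields cannot lock you out.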