

Known Issues with other programs
================================

[ gksu & kdesu ]

gksu interprets any output on stderr as an error. pam_mount writes
debug output to stderr, so this combination will only work if debugging
is disabled in pam_mount, or gksu gets fixed.


[ sshd - various ]

The "UsePAM" configuration option is required to be enabled to make
sshd go through the PAM stacks.

When "PrivilegeSeparation" is enabled in OpenSSH versions before 4.9,
ssh will not run correctly through the PAM stacks. In 4.9 and later,
this is fixed.

When public key authentication is used, the PAM auth stage is entirely
skipped. The same goes for Challenge Response Authentication.

So pam_mount would normally ask for a password in the session stage,
but in any OpenSSH to date, PAM modules do not seem to be able to ask
for a password in the session stage, "conversation" always fails:
https://bugzilla.mindrot.org/show_bug.cgi?id=926#c35
https://bugzilla.mindrot.org/show_bug.cgi?id=688

"UseLogin yes" may be used to enable pam_mount -- irrespective of
public key authentication, privilege separation or UsePAM=no. sshd
itself will not do anything useful w.r.t. pam_mount, but it will call
/bin/login which will then run through the PAM session stage, where
pam_mount can ask you for a password. Read the sshd documentation
about possible pitfalls involved in using UseLogin.
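
The sshd notes above, turned into a check over the text of an
sshd_config. This is an added example, not part of pam_mount or
OpenSSH; the function names, the sample input and the defaults assumed
for absent keywords are assumptions of the example.

```python
# Added example. Defaults below are assumed upstream OpenSSH defaults
# for absent keywords; distribution builds may differ.
DEFAULTS = {
    "usepam": "no",
    "uselogin": "no",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# Constructed sample input, not taken from a real host.
SAMPLE = """\
# sshd_config
UsePAM yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
usepam no
"""


def effective_settings(config_text):
    """Global values only; sshd keeps the first occurrence of a keyword."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":  # per-user/host overrides are not evaluated
            break
        if key in DEFAULTS and key not in seen and len(parts) > 1:
            seen[key] = parts[1].strip('"').lower()
    return {**DEFAULTS, **seen}


def pam_mount_findings(config_text):
    """Map each relevant keyword to the note from this section."""
    s = effective_settings(config_text)
    if s["uselogin"] == "yes":
        return {"UseLogin": "/bin/login runs the PAM session stage, "
                            "where pam_mount can ask for a password"}
    notes = {}
    if s["usepam"] != "yes":
        notes["UsePAM"] = "sshd does not go through the PAM stacks"
    if s["pubkeyauthentication"] == "yes":
        notes["PubkeyAuthentication"] = "key logins skip the PAM auth stage"
    if s["challengeresponseauthentication"] == "yes":
        notes["ChallengeResponseAuthentication"] = (
            "challenge-response logins skip the PAM auth stage")
    return notes
```

An empty result means none of the sshd conditions listed in this
section apply to the global part of the file; Match blocks are not
evaluated.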


[ su, probably others - privilege drop ]

I sometimes get reports about unmount failing because of insufficient
privileges. Some programs and/or distributions and/or PAM
configurations seem to drop the root privileges after successful
authentication. This goes counter to pam_mount which needs these
privileges for umount. (May not apply for FUSE mounts.)

The following programs are confirmed to have this issue:

	* su/sux from coreutils

Unverified programs:

	* GDM on Ubuntu


[ truecrypt ]


The scriptable interface of Truecrypt 5 and upwards is broken and
cannot be used by pam_mount.


[ vsftpd - not using PAM ]

vsftpd does not run through the PAM session code, hence will never
call pam_mount's mounting functions.
It also appears to drop privileges, so there would be
unmounting problems.


# right-margin: 72
