Ssh – Problem with pam_mount sshfs and home folders as mount points


I am trying to use pam_mount to mount each user's home folder over sshfs when each user logs in. The problem I have gotten stuck on is that when pam_mount calls mount.fuse and mount.fuse uses ssh to mount the sshfs folder, it creates "~/.ssh". This means that the mount point of ~/ for that user becomes non-empty and the mount fails. At this point you might point out that there is an option called nonempty that I can turn on which will allow mounting to a non-empty mount point. I have turned that on but it does not work. Maybe this is just broken in my version of sshfs? Maybe I misunderstood the meaning of that option?

You might ask, how do I know that the mounting is failing due to a non-empty directory? I tested my theory like this. I changed the mount point to "~/foobar". So instead of mounting directly to the home directory we are now mounting to a folder called foobar in the home directory. When I log in as a regular user the mount succeeds and the user's home directory is mounted to ~/foobar. So I log out and the share is unmounted. So now I create a blank file in that foobar directory so that the foobar directory is non-empty. I log in again as the regular user and the mount fails.

Edit: Added info from /etc/security/pam_mount.conf.xml (server ip removed for privacy)

<fusemount>mount.fuse %(VOLUME) %(MNTPT) -o %(OPTIONS)</fusemount>
<volume fstype="fuse" path="sshfs#%(USER)@<ssh server ip>:/data/home/%(USER)" mountpoint="/home/%(USER)" options="nonempty" ssh="1"/>

Edit: (the output of audit.log on the ssh/file server side)

type=CRED_DISP msg=audit(1314290438.255:1490): user pid=5817 uid=0 auid=16777308 ses=203 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="<ssh username>" exe="/usr/sbin/sshd" hostname=<client ip> addr=<client ip> terminal=ssh res=success'

Edit:
I just thought that I would mention that I tried to do basically the same command that pam_mount is configured to do on an empty directory, then a non-empty directory. It appears to work when the directory is non-empty. So now my theory is that pam_mount is not passing in the nonempty option correctly or something else is happening… Again though, I don't think it's an authentication issue, as on the server side authentication is reported as a success. The command I am talking about is:

mount.fuse sshfs#<ssh user>@<ssh/file server ip>:/data/home/<ssh user> <mount point> -o "nonempty"

Best Answer

Ok, I figured this out. If nothing is specified in pam_mount.conf.xml for how to mount fuse filesystems like sshfs then it is supposed to be configured like this.

<fusemount>mount.fuse %(VOLUME) %(MNTPT) -o %(OPTIONS)</fusemount>

So I didn't explicitly have anything set until I started messing with changing that default to do things like delete any files in the mount point or trick ssh into thinking that home was at a different location so it would not create the .ssh folder under home. Both of those failed for other reasons. Finally I set things back to defaults and then replaced the mount.fuse executable with a bash script to log all of the arguments and environment variables that it's executed with. When I did this I found out the issue. There was no space between the -o and nonempty. So as a result the argument was -ononempty, which probably caused the mount to fail or at least the nonempty option to not be applied. Hence the default, if you don't specify anything, must be something like this:

<fusemount>mount.fuse %(VOLUME) %(MNTPT) -o%(OPTIONS)</fusemount>

So I finally specified explicitly what the default is supposed to be, see above. And it worked!!! Maybe this was a bug in pam_mount. I am running pam_mount-2.5-1.fc12.x86_64 on CentOS 6. Hope someone else finds this info useful. Thanks to everyone who commented.
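The diagnostic step that cracked this (swapping mount.fuse for a script that records its arguments and environment) is worth having in reusable form, so here is an added example; it is not code from the answer above or from the pam_mount project. It assumes the real helper has been moved aside to /sbin/mount.fuse.real and that the wrapper may write to /var/log/mount.fuse-wrapper.log (both paths are assumptions, overridable through the MOUNT_FUSE_REAL and MOUNT_FUSE_WRAPPER_LOG variables). The expand_template function is a deliberately simple approximation of pam_mount's %(NAME) substitution, enough to show how the two <fusemount> templates from the answer turn into "-o nonempty" versus "-ononempty"; option_style then classifies the result the way the wrapper's log lets you do by eye.

```sh
#!/bin/sh
# Added example, not from the original answer or from pam_mount.
# Diagnostic wrapper for mount.fuse: log every argument and the environment,
# then hand off to the real helper. Assumed locations (override via env):
LOG="${MOUNT_FUSE_WRAPPER_LOG:-/var/log/mount.fuse-wrapper.log}"   # assumption
REAL="${MOUNT_FUSE_REAL:-/sbin/mount.fuse.real}"                    # assumption

# Append one record per invocation. Each argument goes on its own line in
# square brackets, so a missing separator ("-ononempty" as one argument versus
# "-o" and "nonempty" as two) is obvious in the log.
log_invocation() {
    {
        printf '=== %s pid=%s uid=%s\n' "$(date +%FT%T)" "$$" "$(id -u)"
        for a in "$@"; do printf 'arg: [%s]\n' "$a"; done
        env | sort | sed 's/^/env: /'
    } >> "$LOG"
}

# Classify how the -o option reached us. Prints one word:
#   separate  "-o" and its value arrived as two arguments
#   fused     they arrived as a single argument such as -ononempty
#   none      no -o at all
option_style() {
    prev=""
    for a in "$@"; do
        if [ "$prev" = "-o" ]; then echo separate; return 0; fi
        case "$a" in
            -o)   prev="-o" ;;
            -o?*) echo fused; return 0 ;;
            *)    prev="" ;;
        esac
    done
    echo none
}

# Approximate pam_mount's <fusemount> expansion: substitute %(VOLUME), %(MNTPT)
# and %(OPTIONS) textually. The caller word-splits the result, exactly as the
# shell would before running mount.fuse. (Approximation, not pam_mount's code.)
expand_template() {
    tmpl=$1; vol=$2; mnt=$3; opts=$4
    printf '%s' "$tmpl" | sed -e "s|%(VOLUME)|$vol|g" \
                              -e "s|%(MNTPT)|$mnt|g" \
                              -e "s|%(OPTIONS)|$opts|g"
}

# When invoked with arguments (i.e. as mount.fuse by pam_mount), record the
# call and forward it unchanged to the real helper. With no arguments the
# functions above are merely defined, which keeps the file safe to source.
if [ $# -gt 0 ]; then
    log_invocation "$@"
    exec "$REAL" "$@"
fi
```

Install it as /sbin/mount.fuse (after moving the original to the path in REAL), log in once, and read the log: a line reading arg: [-ononempty] is the fused form the answer found, while arg: [-o] followed by arg: [nonempty] is the form mount.fuse expects. Remove the wrapper once you have the answer; a world-readable dump of sshd's environment for every login is not something to leave in place.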