pam_mount(pam_mount.c:100): unknown pam_mount option "use_first_pass"

So remove the option from the pam_mount line in your pam configs.

Yeah, that would be fine if I'm the only one seeing this message. However, I suspect it's a common annoyance which IMO should be addressed in the distribution.

BTW, the offending option is in /etc/pam.d/common-pammount .

Having same issue since 3/31/09.

Linux core2duo 2.6.28-11-generic #38-Ubuntu SMP Fri Mar 27 10:01:17 UTC 2009 x86_64 GNU/Linux

Same for me since recent upgrade in Jaunty Beta.

confirming that i have the same issue as well

I have the same issue, Jaunty Beta on AMD64

>which IMO should be addressed in the distribution

well seems like they take the "should" by its definition as it appears in RFCs -- and decide not to address it ;-)

Confirming the same problem. (Jaunty beta on AMD64)

I personally consider this serious, since we have dozens of Ubuntu installations that will be effected by this.

I upgraded Ubuntu to 9.04 (amd64) and I got same issue.

Confirming the issue: Jaunty ß / i386/

I upgraded to Ubuntu 9.04 and I am also seeing this message. x86_64

However I also use pam_mount to mount a luks encrypted home drive, and it looks like logging in no longer passes my login password to cryptsetup (that is, what use_first_pass is supposed to do). Both gdm and a terminal based login hang as if waiting for me to enter a second password. However there does not seem to be any way to do so.

Basically I can't access my home drive without manually calling cryptsetup, then mounting my home drive myself. This is a serious pain.

flocci: I also use pam mount to automount luks. I see the annoying "use_first_pass" message but at least automount works fine in my case.

Still unsure if it is safe to remove the option from /etc/pam.d/common-pammount

I think I have a setup similar to flocci's, and I'm not having any such trouble, with or without the option.

I spent some more time messing around with my system and I am now able to get
my home drive to mount when I log in. I had to modify my /etc/crypttab
settings.

However I am still getting the use_first_pass message.

Darin

On Sat, 25 Apr 2009 16:30:40 -0000
Per Ångström <email address hidden> wrote:

> I think I have a setup similar to flocci's, and I'm not having any
> such trouble, with or without the option.
>

--
Because all other Floccinaucinihilipilification Homepages are worthless.
http://www.floccinaucinihilipilification.net
The Floccinaucinihilipilification Homepage

same problem

I had the same problem, losting the login mount of my crypt partition.

Flocci, how did you fixed that, please?

Thanks, Diego

The same problem here, after upgrading from intrepid to jaunty, pam_mount no longer mounts my luks-encrypted home partition and I see the same message, there is no delay however.

My /etc/pam.d/common-pammount contains these lines:

auth optional pam_mount.so use_first_pass
session optional pam_mount.so

I suspect we have two issues here:
1) A confusing and annoying but benign message (the original issue),
2) A serious problem with mounting luks-encrypted partitions.

I cannot say for certain that the two issues are not interrelated in any way, but I think a separate bug should be opened for the second issue, to give it more attention.

I think that's true, the message is harmless. The reason that my luks-encrypted partition did not mount was because I accidentally overwrote /etc/security/pam_mount.conf.xml during the upgrade. Now it works.

I also removed the use_first_pass option from /etc/pam.d/common-pammount so that it contains

auth optional pam_mount.so
session optional pam_mount.so

and I no longer get the message.

I just upgraded from intrepid to jaunty and got same problem about "unknown option "use_first_pass"", readming new pam_mount man page I see that "use_fist_pass" option is no longer needed, previous man page uses use_first_pass, you you only need to remove those options from module and that is all. However, I think that there should be a dialog warning about this change when upgrading libpam_mount, probably recommeding manual removal or something.

It's also present in a clean Jaunty install.
Can be solved by removing the "use_first_pass" option in the common_pammount and common_auth files. I haven't tried with an encrypted home partition yet, will setup one soon, if it breaks it, I'll update my report.

The functionality of the "use_first_pass" option is now controlled by the "enable_pam_password" to the pam_mount module. This option is enabled by default, according to the page below, so shouldn't be necessary:

http://www.nomachine.com/ar/view.php?ar_id=AR06G00536

Attached is a package-patch to replace the debian package patch of the original package.

Note for others: in order to eliminate this error message,

pam_mount(pam_mount.c:100): unknown pam_mount option "use_first_pass"

everytime when su-ing to root,

 I had to edit /etc/pam.d/common-pammount (as suggested),
and also /etc/pam.d/common-auth (which was only hinted at by the first reply to the bug post, and also implied in Leo's patch diff file, I believe).

I changed /etc/pam.d/common-pammount by removing the 'use_first_pass' option from the fourth options column;
I elected to replace its presence in the "Additional" block in the common-auth file by the string "enable_pam_password" so that the line that formerly reads:

auth optional pam_mount.so use_first_pass

is changed to:

auth optional pam_mount.so enable_pam_password

the options.txt file that is included in the libpam-mount documentation clearly identifies the "enable_pam_password" as the default; I was simply making sure.

After I changed these two files, the error message went away.

System notes: I am running Jaunty Server:
Linux erwin 2.6.28-13-server #45-Ubuntu SMP &&
my version of libpam-mount is '1.5-1ubuntu1'

I hadn't seen cheoppy's report: so my report is a second towards his initial suggestion.

I also am about to setup encrypted home; and if I see problems like reported here, I will update my report.

As I am also about to work with Netatalk and libpam-mount, that may provide an additional view of any problems.

We have both pammount and ldap authentication in use, so use_first_pass is still needed:
Problem fixed by removing use_first_pass from /etc/pam.d/common-* except from lines with ldap references: 'required pam_ldap.so' .

Regarding the message one gets when using "sudo": this is caused by the line "auth optional pam_mount.so use_first_pass" being included in /etc/pam.d/common-auth. This is triggered by a call to "pam-auth-update" in the libpam-mount.postinst script, which should be removed.

As the documentation of pam_mount states, that line only belongs in /etc/pam.d/common-pammount; which should only be included ("@include common-pammount") in the services that need to use pam mount upon successful authentication.

problem started after setting up for encryption:
apt-get install lvm2 cryptsetup libpam-mount
fixed by editing out "use_first_pass" from /etc/pam.d/common-auth and /etc/pam.d/common-pammount.

Fixed in libpam-mount 1.27-4.

libpam-mount (1.27-4) unstable; urgency=low

  * Remove old use_first_pass option from debian/pam-auth-update
    to avoid warnings.
  * Added pmt-ofl(1) manpage.

 -- Bastian Kleineidam <email address hidden> Wed, 19 Aug 2009 21:05:32 +0200

Yeah I had the problem but it was merely an annoying message issue. Just reinstalled the libpam-mount package through the synaptic package manager and all was good.

cheers
gez

Steve,

I have version 1.5 libpam-mount and still the same issue...

regards,

Opti

On Thu, Oct 15, 2009 at 03:42:49PM -0000, iram chelli wrote:

> I have version 1.5 libpam-mount and still the same issue...

The fix for this bug was to not use the use_first_pass option in the default
configuration. If you have manually configured use_first_pass in your
setup, you will need to manually remove it.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
<email address hidden> <email address hidden>

I have already fixed that manually, but i sincerely don't recall modifying the default configuration in any way. In that case i would have kept a .old copy.

I.