Just checked sudo's behavior regarding the login count. It consistently uses the user "root" before and after the given command:

[BEGIN OF LOG]
[sudo] password for USER: 
pam_mount(pam_mount.c:364): pam_mount 2.10: entering auth stage
pam_mount(pam_mount.c:553): pam_mount 2.10: entering session stage
pam_mount(misc.c:38): Session open: (ruid/rgid=1014/2000, e=0/2000)
pam_mount(pam_mount.c:614): no volumes to mount
command: 'pmvarrun' '-u' 'root' '-o' '1' 
pam_mount(misc.c:38): set_myuid<pre>: (ruid/rgid=1014/2000, e=0/2000)
pam_mount(misc.c:38): set_myuid<post>: (ruid/rgid=0/2000, e=0/2000)
pmvarrun(pmvarrun.c:252): parsed count value 0
pam_mount(pam_mount.c:440): pmvarrun says login count is 1
pam_mount(pam_mount.c:645): done opening session (ret=0)
uid=0(root) gid=0(root) Gruppen=0(root)
pam_mount(pam_mount.c:691): received order to close things
pam_mount(pam_mount.c:693): No volumes to umount
command: 'pmvarrun' '-u' 'root' '-o' '-1' 
pam_mount(misc.c:38): set_myuid<pre>: (ruid/rgid=1014/2000, e=0/2000)
pam_mount(misc.c:38): set_myuid<post>: (ruid/rgid=0/2000, e=0/2000)
pmvarrun(pmvarrun.c:252): parsed count value 1
pam_mount(pam_mount.c:440): pmvarrun says login count is 0
pam_mount(pam_mount.c:728): pam_mount execution complete
pam_mount(pam_mount.c:115): Clean global config (1073741824)
pam_mount(pam_mount.c:132): clean system authtok=0x151b270 (1073741824)
[END OF LOG]


@aldebx:
I can reproduce your problem with sudo in version 1.8.3p1-1ubuntu3.2:
My mount-line in /etc/security/pam_mount.conf.xml is limited to user "user=USER". If I change this to "user=root" or remove the limitation altogether, I get "reenter password for pam_mount" when running "sudo id". Can you confirm this is similar to your config?

Without such a change to my configs, you can see in the above sudo log that pam_mount would like to mess with mounts too but can't because there are none available for user root ("no volumes to mount").


So IMHO there are two different issues to address:

1. fixing sudo/sudoedit:
sudoedit's interaction with pam_mount regarding the user is bogus. It should be just like sudo does it. (Why is it different in the first place?)

2. fixing pam_mount:
- First, there are good reasons to run pam_mount from sudo: Consider a user cron job running "sudo foo" where the user is allowed (by /etc/sudoers) to run "sudo foo" without entering a password. The Command "foo" may need access to a certain partition. The partition may be mounted on-demand by pam_mount for various reasons (to save resources, ...).
- But there is absolutely no use in asking for a unlock password in this use case. So pam_mount should skip encrypted partitions if there is no way to ask for a password (This may already be the current behavior. I haven't tested it.)
- If there is an encrypted partition for user root available that is not yet mounted and we're in an interactive shell, ask for the password to unlock it. If root does not need the mount, then don't configure it this way.
- If a partition is already mounted by pam_mount, even because of another users login-session, pam_mount should not try to mount it again and therefore not ask for a password. It should keep track of unlocked and mounted partitions for this.
- pam_mount is too eager to unmount partitions. It should only unmount them when the login counts of _all_ affected users reach 0. Affected users are all those for which pam_mount would have tried to mount the partition on login.