BUGS for pam_mount >= 0.2

You must include two entries in the /etc/pam.d/login config file, as the
following example shows:

#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
auth       required     /lib/security/pam_nologin.so
auth       required     /lib/security/pam_mount.so use_firstpass
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so
session    optional     /lib/security/pam_console.so
session    optional     /lib/security/pam_mount.so

In the first (auth) entry, the PAM module can grab the password to mount the 
SMB or NCP volume. The second entry (session) is dummy for the login, but
unmounts the volume in the logout process. 

Since I could not find a way to transmit the password for a "session" PAM
module, and there is no "auth_logout"-like callback function, I had to
include the same PAM module twice.


Why was not it needed in pam_mount 0.1 ?

The former approach (that didn't need a session entry) was to keep a quiet
subprocess during all the user session. When login is closed, it will send
SIGINT to all its subprocesses. The former "pmhelper" would unmount its
corresponding volume in the signal handler.

That approach was working but had 2 problems:

- pmhelper keeps hanging during all the user session, eating memory,
  resources etc.
- Worse yet, if the user tried to log in twice or 3 times before typing
  his/her right password, every failed login trail would generate a 
  hanging pmhelper, that would exit only then the last (sucessfull) 
  session were closed.

And, for the second problem, pmhelper could not simply exit, because it
generates a SIGCHLD for login - it would kill login AND the user session ;P

Including a SIGCHLD handler in pam_mount is not an option because we can not
override the login's default handler, since that one serves other, bigger
purposes (e.g. detecting that user has closed the session shell).

So, I still believe that the present "bug" is better than the past one ;)
