prologin.presenced.pam_prologin module¶

PAM script to handle account, open_session, close_session hooks.

Intended integration inside /etc/pam.d/system-login:

account   requisite   pam_exec.so stdout /path/to/pam_prologin.py
session   requisite   pam_exec.so stdout /path/to/pam_prologin.py

The account hook is responsible for checking the user is allowed to log-on this particular machine by asking presencesync, and also does a mount/umount cycle of the user home directory to ensure it will (most likely) succeed in the next stage (open_session). This will possibly trigger an HFS move. We do most of the blocking/long work inside account because it’s the only stage where we can send interactive messages to the PAM application (typically, a greeter like lightdm). We cannot do that cleanly in open_session.

Note: the account hook depends on a successful PAM auth stage, typically through pam_passwd and udbsync_passwd.

The open_session hook mounts the user’s home directory.

The close_session hook umounts the user’s home directory.

exception prologin.presenced.pam_prologin.LoginError¶: Bases: Exception

prologin.presenced.pam_prologin.check_presencesync_authorized(username: str, hostname: str)¶

prologin.presenced.pam_prologin.format_exc_chain(exc)¶

prologin.presenced.pam_prologin.get_block_device(username)¶

prologin.presenced.pam_prologin.get_hfs_host_port(username: str, hostname: str)¶: Requests user NBD (can involve a migration) and waits for it.

prologin.presenced.pam_prologin.get_home_dir(username: str)¶

prologin.presenced.pam_prologin.handle_account(username: str)¶: Checks the user is allowed to log on and does a dry-run mount/umount cycle.

prologin.presenced.pam_prologin.handle_close_session(username: str)¶: Cleans up user session by killing all processes and umounting.

prologin.presenced.pam_prologin.handle_open_session(username: str)¶

Same as handle_account(), but doesn’t do the final umount.

In-situ, we expect this function to fail less often than handle_account().

prologin.presenced.pam_prologin.invoke_redirect_std(cmd, **kwargs)¶

prologin.presenced.pam_prologin.main()¶

prologin.presenced.pam_prologin.mount_home(username: str, host: str, port: int)¶: Mounts block device for username using HFS host:port.

prologin.presenced.pam_prologin.pause()¶

prologin.presenced.pam_prologin.send(msg: str, error: bool = False)¶

prologin.presenced.pam_prologin.umount_home(username: str)¶: Unmounts block device for username.