Difference between revisions of "Pam mount"

From ArchWiki
m (" don't " -> " do not ")
(Updated primarily so that it is compatible with GDM 3.2.)
Line 1: Line 1:
 
[[Category:Security (English)]]
 
[[Category:Security (English)]]
To have an encrypted home partition mounted automatically when logging in, you can use pam_mount. It will mount your /home (or whatever mount point you like) when you log in using your login manager or when logging in on console. The encrypted drive's passphrase should be the same as your linux user's password, so you do not have to type in two different passphrases to login.
+
To have an encrypted home partition (encrypted with, for example, LUKS or ecryptfs) mounted automatically when logging in, you can use pam_mount. It will mount your /home (or whatever mount point you like) when you log in using your login manager or when logging in on console. The encrypted drive's passphrase should be the same as your linux user's password, so you do not have to type in two different passphrases to login.
  
 
==General Setup==
 
==General Setup==
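Review bot: the new intro sentence (the line starting "To have an encrypted home partition") should also say that the passphrase and the account password have to be kept in sync afterwards: if the user later changes the account password with passwd, the LUKS or ecryptfs passphrase does not change with it, so pam_mount will hand the volume a password that no longer opens it. Minor wording in the same line: "linux user's password" should be "Linux user's password" and "to login" should be "to log in".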
Line 8: Line 8:
  
 
Insert 2 new lines at the end of the file, but '''before''' the last closing tag, ''</pam_mount>''.
 
Insert 2 new lines at the end of the file, but '''before''' the last closing tag, ''</pam_mount>''.
Replace
+
Notes:
*USERNAME with your linux-username
+
*USERNAME should be replaced with your linux-username.
*sdaX with the corresponding device.
+
*/dev/sdaX should be replaced with the corresponding device.
 
+
*fstype="crypt" can be changed to any <type> that is present in /sbin/mount.<type>. Try "auto" if in doubt.
Add mount options, if needed.
+
*Add mount options, if needed.
  
 
{{File|name=/etc/security/pam_mount.conf.xml|content=
 
{{File|name=/etc/security/pam_mount.conf.xml|content=
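Review bot: in the new fstype note, "any <type> that is present in /sbin/mount.<type>" reads as if the type lived inside the helper; suggest "any <type> for which a /sbin/mount.<type> helper exists". The "Try "auto" if in doubt" advice in the same item is risky under a LUKS/ecryptfs heading: "auto" hands the device to plain mount, which cannot open an encrypted container, so it should be qualified as applying only to unencrypted volumes, while fstype="crypt" is what makes pam_mount unlock the volume before mounting it.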
Line 23: Line 23:
 
==Login Manager Configuration==
 
==Login Manager Configuration==
  
In general, you have to edit the corresponding file in /etc/pam.d . After adding some lines, pam_mount will be called on login. The correct order of entries in each file is important.
+
In general, you have to edit configuration files in /etc/pam.d so that pam_mount will be called on login. The correct order of entries in each file is important. It is probably necessary to change both /etc/pam.d/login and the file for your display manager (e.g., Slim or GDM). Example configuration files follow, with the added lines in bold.
 +
 
 +
{{File|name=/etc/pam.d/login|content=
 +
#%PAM-1.0
 +
auth required pam_securetty.so
 +
auth requisite pam_nologin.so
 +
auth required pam_unix.so nullok
 +
auth required pam_tally.so onerr=succeed file=/var/log/faillog
 +
'''auth optional pam_mount.so'''
 +
# use this to lockout accounts for 10 minutes after 3 failed attempts
 +
#auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
 +
account required pam_access.so
 +
account required pam_time.so
 +
account required pam_unix.so
 +
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
 +
'''password optional pam_mount.so'''
 +
#password required pam_unix.so md5 shadow use_authtok
 +
session required pam_unix.so
 +
'''session optional pam_mount.so'''
 +
session required pam_env.so
 +
session required pam_motd.so
 +
session required pam_limits.so
 +
session optional pam_mail.so dir=/var/spool/mail standard
 +
session optional pam_lastlog.so
 +
session optional pam_loginuid.so
 +
-session optional pam_ck_connector.so nox11
 +
}}
 +
 
 +
 
  
 
=== [[Slim]] ===
 
=== [[Slim]] ===
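Review bot: in the new /etc/pam.d/login file, the bold "password optional pam_mount.so" line is the only active entry in the password stack; the pam_cracklib.so and pam_unix.so password lines on either side of it are commented out, so there is no pam_unix.so entry for the pam_mount hook to follow. Either uncomment "password required pam_unix.so md5 shadow use_authtok" (keeping pam_mount after it, as the auth and session stacks do) or drop the line from this file. The prose should also say explicitly that "auth optional pam_mount.so" has to stay after "auth required pam_unix.so nullok": pam_mount reuses the password that pam_unix collected, and a reader who moves it earlier gets a separate pam_mount password prompt instead.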
Line 43: Line 71:
 
'''session        optional        pam_mount.so'''
 
'''session        optional        pam_mount.so'''
 
}}
 
}}
 +
 +
=== [[GDM]] ===
 +
 +
Note that the configuration file has changed to be /etc/pam.d/gdm-password (instead of /etc/pam.d/gdm) as of GDM version 3.2.
 +
 +
{{File|name=/etc/pam.d/gdm.password|content=
 +
#%PAM-1.0
 +
auth            requisite      pam_nologin.so
 +
auth            required        pam_env.so
 +
 +
auth            requisite      pam_unix.so nullok
 +
'''auth optional pam_mount.so'''
 +
auth            optional        pam_gnome_keyring.so
 +
 +
auth            sufficient      pam_succeed_if.so uid >= 1000 quiet
 +
auth            required        pam_deny.so
 +
 +
account        required        pam_unix.so
 +
 +
password        required        pam_unix.so
 +
'''password optional pam_mount.so'''
 +
 +
session        required        pam_loginuid.so
 +
-session        optional        pam_systemd.so
 +
session        optional        pam_keyinit.so force revoke
 +
session        required        pam_limits.so
 +
session        required        pam_unix.so
 +
'''session optional pam_mount.so'''
 +
session        optional        pam_gnome_keyring.so auto_start
 +
}}}
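Review bot: the template name, /etc/pam.d/gdm.password, does not match the path given in the sentence above it, /etc/pam.d/gdm-password (hyphen, not dot); the template should read name=/etc/pam.d/gdm-password. The closing "}}}" has one brace too many and will leave a stray "}" in the rendered page. The bold "auth optional pam_mount.so" correctly follows "auth requisite pam_unix.so nullok"; it is worth one sentence noting that because pam_unix.so is requisite, a wrong password ends the stack there and pam_mount never runs, which is the intended behaviour.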

Revision as of 20:55, 25 October 2011

To have an encrypted home partition (encrypted with, for example, LUKS or ecryptfs) mounted automatically when logging in, you can use pam_mount. It will mount your /home (or whatever mount point you like) when you log in using your login manager or when logging in on the console. The encrypted drive's passphrase should be the same as your Linux user's password, so you do not have to type in two different passphrases to log in.

General Setup

  1. Install pam_mount from the AUR
  2. Edit /etc/security/pam_mount.conf.xml as follows:

Insert two new lines at the end of the file, but before the closing </pam_mount> tag. Notes:

  • USERNAME should be replaced with your Linux username.
  • /dev/sdaX should be replaced with the corresponding device.
  • fstype="crypt" can be changed to any <type> for which a /sbin/mount.<type> helper exists. Try "auto" if in doubt.
  • Add mount options, if needed.


Login Manager Configuration

In general, you have to edit configuration files in /etc/pam.d so that pam_mount will be called on login. The correct order of entries in each file is important. It is probably necessary to change both /etc/pam.d/login and the file for your display manager (e.g., Slim or GDM). Example configuration files follow, with the added lines in bold.
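The ordering rule above can be checked mechanically. The script below is an added example, not part of the ArchWiki page: it requires the first active pam_mount.so line in the auth and session stacks to come after the first active pam_unix.so line, as in the page's example files, and runs that check on two constructed sample files (not real system files). It assumes flat pam.d files without "include" lines.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): checks the ordering rule the page
# states. In the auth and session stacks the first active pam_mount.so line must
# come after the first active pam_unix.so line: pam_mount reuses the password
# pam_unix collected, and the session mount must follow the session pam_unix
# opened. Assumes flat files without "include" lines.
check_pam_mount_order() {
    file="$1"
    for stack in auth session; do
        # first uncommented line of each module in this stack; the "-session"
        # prefix (ignore a missing module) is matched by "^-?"
        unix_line=$(grep -n -E "^-?${stack}[[:space:]].*pam_unix\.so" "$file" | head -n 1 | cut -d: -f1)
        mount_line=$(grep -n -E "^-?${stack}[[:space:]].*pam_mount\.so" "$file" | head -n 1 | cut -d: -f1)
        if [ -z "$mount_line" ]; then
            echo "$file: no active '$stack ... pam_mount.so' entry" >&2
            return 1
        fi
        if [ -z "$unix_line" ] || [ "$mount_line" -lt "$unix_line" ]; then
            echo "$file: '$stack ... pam_mount.so' (line $mount_line) must come after pam_unix.so" >&2
            return 1
        fi
    done
    return 0
}
# Constructed sample files modelled on the page's /etc/pam.d/login excerpt (not
# real system files): one ordered correctly, one with auth pam_mount too early.
SAMPLE_DIR=$(mktemp -d)
GOOD_FILE="$SAMPLE_DIR/login.good"
BAD_FILE="$SAMPLE_DIR/login.bad"
cat > "$GOOD_FILE" <<'EOF'
#%PAM-1.0
auth required pam_unix.so nullok
auth optional pam_mount.so
account required pam_unix.so
session required pam_unix.so
session optional pam_mount.so
-session optional pam_ck_connector.so nox11
EOF
cat > "$BAD_FILE" <<'EOF'
#%PAM-1.0
auth optional pam_mount.so
auth required pam_unix.so nullok
session required pam_unix.so
session optional pam_mount.so
EOF
for f in "$GOOD_FILE" "$BAD_FILE"; do
    if check_pam_mount_order "$f"; then echo "$f: pam_mount ordering OK"; fi
done
```

Run it against /etc/pam.d/login and your display manager's file by calling check_pam_mount_order on each of them.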



Slim


GDM

Note that the configuration file has changed to be /etc/pam.d/gdm-password (instead of /etc/pam.d/gdm) as of GDM version 3.2.
