Difference between revisions of "Pam mount"

From ArchWiki
m (GDM)
(update templates, see Help:Style)
Line 4: Line 4:
 
==General Setup==
 
==General Setup==
  
#Install {{Package AUR|pam_mount}} from the AUR
+
#Install {{AUR|pam_mount}} from the AUR
 
#Edit /etc/security/pam_mount.conf.xml as follows:
 
#Edit /etc/security/pam_mount.conf.xml as follows:
  
Line 14: Line 14:
 
*Add mount options, if needed.
 
*Add mount options, if needed.
  
{{File|name=/etc/security/pam_mount.conf.xml|content=
+
{{hc|/etc/security/pam_mount.conf.xml|2=
 
'''<volume user="USERNAME" fstype="crypt" path="/dev/sdaX" mountpoint="/home" options="fsck,noatime" />'''
 
'''<volume user="USERNAME" fstype="crypt" path="/dev/sdaX" mountpoint="/home" options="fsck,noatime" />'''
 
'''<mkmountpoint enable="1" remove="true" />'''
 
'''<mkmountpoint enable="1" remove="true" />'''
Line 25: Line 25:
 
In general, you have to edit configuration files in /etc/pam.d so that pam_mount will be called on login. The correct order of entries in each file is important. It is probably necessary to change both /etc/pam.d/login and the file for your display manager (e.g., Slim or GDM). Example configuration files follow, with the added lines in bold.
 
In general, you have to edit configuration files in /etc/pam.d so that pam_mount will be called on login. The correct order of entries in each file is important. It is probably necessary to change both /etc/pam.d/login and the file for your display manager (e.g., Slim or GDM). Example configuration files follow, with the added lines in bold.
  
{{File|name=/etc/pam.d/login|content=
+
{{hc|/etc/pam.d/login|2=
 
#%PAM-1.0
 
#%PAM-1.0
 
auth required pam_securetty.so
 
auth required pam_securetty.so
Line 50: Line 50:
 
-session optional pam_ck_connector.so nox11
 
-session optional pam_ck_connector.so nox11
 
}}
 
}}
 
 
  
 
=== [[Slim]] ===
 
=== [[Slim]] ===
  
{{File|name=/etc/pam.d/slim|content=
+
{{hc|/etc/pam.d/slim|
 
auth            requisite      pam_nologin.so
 
auth            requisite      pam_nologin.so
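Review bot: the new {{hc|/etc/pam.d/slim| line passes the file body as an unnamed parameter, while the other three conversions in this edit use |2=. MediaWiki reads everything before the first "=" in an unnamed parameter as a parameter name, so the box would break as soon as a line with an equals sign (for example a module option such as file=...) is added to this listing. Suggest {{hc|/etc/pam.d/slim|2= for consistency with the other hunks.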
  
Line 76: Line 74:
 
Note that the configuration file has changed to be /etc/pam.d/gdm-password (instead of /etc/pam.d/gdm) as of GDM version 3.2.
 
Note that the configuration file has changed to be /etc/pam.d/gdm-password (instead of /etc/pam.d/gdm) as of GDM version 3.2.
  
{{File|name=/etc/pam.d/gdm.password|content=
+
{{hc|/etc/pam.d/gdm.password|2=
 
#%PAM-1.0
 
#%PAM-1.0
 
auth            requisite      pam_nologin.so
 
auth            requisite      pam_nologin.so
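Review bot: the header on the changed line still names /etc/pam.d/gdm.password, but the context line directly above it says the file is /etc/pam.d/gdm-password as of GDM 3.2. Since the line is being rewritten anyway, suggest {{hc|/etc/pam.d/gdm-password|2= so the file name in the box matches the note.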

Revision as of 11:51, 5 January 2012

To have an encrypted home partition (encrypted with, for example, LUKS or ecryptfs) mounted automatically when logging in, you can use pam_mount. It will mount your /home (or whatever mount point you like) when you log in using your login manager or when logging in on the console. The encrypted drive's passphrase should be the same as your Linux user's password, so you do not have to type in two different passphrases to log in.

General Setup

  1. Install pam_mount from the AUR
  2. Edit /etc/security/pam_mount.conf.xml as follows:

Insert 2 new lines at the end of the file, but before the last closing tag, </pam_mount>. Notes:

  • USERNAME should be replaced with your Linux username.
  • /dev/sdaX should be replaced with the corresponding device.
  • fstype="crypt" can be changed to any <type> that is present in /sbin/mount.<type>. Try "auto" if in doubt.
  • Add mount options, if needed.
/etc/security/pam_mount.conf.xml
<volume user="USERNAME" fstype="crypt" path="/dev/sdaX" mountpoint="/home" options="fsck,noatime" />
<mkmountpoint enable="1" remove="true" />

</pam_mount>
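
A quick check for the edit described above, as an added example (not part of the original wiki page or of pam_mount itself): it confirms the two lines sit inside <pam_mount> and that the USERNAME and /dev/sdaX template values were replaced. Treating the four attributes of the page's <volume> line as expected is an assumption, and the function name and sample documents are made up.

```python
import xml.etree.ElementTree as ET

# Attributes and template values taken from the page's <volume> line (assumed expected).
EXPECTED = ("user", "fstype", "path", "mountpoint")
TEMPLATE_VALUES = {"user": "USERNAME", "path": "/dev/sdaX"}

def lint_pam_mount_conf(xml_text):
    """Return a list of problems found in pam_mount.conf.xml content."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Lines pasted after </pam_mount> make the document ill-formed and end up here.
        return [f"not well-formed XML: {exc}"]
    if root.tag != "pam_mount":
        return [f"root element is <{root.tag}>, expected <pam_mount>"]
    problems = []
    volumes = root.findall("volume")
    if not volumes:
        problems.append("no <volume> directly inside <pam_mount>")
    for n, vol in enumerate(volumes, 1):
        for attr in EXPECTED:
            if not vol.get(attr):
                problems.append(f"volume {n}: attribute {attr} is missing or empty")
        for attr, placeholder in TEMPLATE_VALUES.items():
            if vol.get(attr) == placeholder:
                problems.append(f"volume {n}: {attr} is still the placeholder {placeholder}")
    if root.find("mkmountpoint") is None:
        problems.append("no <mkmountpoint> element")
    return problems

# Constructed samples (user name and device are made up).
VOLUME = '<volume user="{u}" fstype="crypt" path="{p}" mountpoint="/home" options="fsck,noatime" />'
MKMP = '<mkmountpoint enable="1" remove="true" />'
EDITED = f"<pam_mount>\n{VOLUME.format(u='alice', p='/dev/sda3')}\n{MKMP}\n</pam_mount>\n"
UNEDITED = f"<pam_mount>\n{VOLUME.format(u='USERNAME', p='/dev/sdaX')}\n{MKMP}\n</pam_mount>\n"
MISPLACED = f"<pam_mount>\n</pam_mount>\n{VOLUME.format(u='alice', p='/dev/sda3')}\n{MKMP}\n"

if __name__ == "__main__":
    for name, doc in (("EDITED", EDITED), ("UNEDITED", UNEDITED), ("MISPLACED", MISPLACED)):
        print(name, lint_pam_mount_conf(doc))
```
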

Login Manager Configuration

In general, you have to edit configuration files in /etc/pam.d so that pam_mount will be called on login. The correct order of entries in each file is important. It is probably necessary to change both /etc/pam.d/login and the file for your display manager (e.g., Slim or GDM). Example configuration files follow, with the added lines (the pam_mount.so entries) in bold.

/etc/pam.d/login
#%PAM-1.0
auth		required	pam_securetty.so
auth		requisite	pam_nologin.so
auth		required	pam_unix.so nullok
auth		required	pam_tally.so onerr=succeed file=/var/log/faillog
auth		optional	pam_mount.so
# use this to lockout accounts for 10 minutes after 3 failed attempts
#auth		required	pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
account		required	pam_access.so
account		required	pam_time.so
account		required	pam_unix.so
#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password	optional	pam_mount.so
#password	required	pam_unix.so md5 shadow use_authtok
session		required	pam_unix.so
session		optional	pam_mount.so
session		required	pam_env.so
session		required	pam_motd.so
session		required	pam_limits.so
session		optional	pam_mail.so dir=/var/spool/mail standard
session		optional	pam_lastlog.so
session		optional	pam_loginuid.so
-session	optional	pam_ck_connector.so nox11

Slim

/etc/pam.d/slim
auth            requisite       pam_nologin.so

auth            optional        pam_mount.so

auth            required        pam_env.so
auth            required        pam_unix.so
account         required        pam_unix.so
password        required        pam_unix.so
session         required        pam_limits.so
session         required        pam_unix.so
session         optional        pam_loginuid.so
session         optional        pam_ck_connector.so

session         optional        pam_mount.so

GDM

Note that the configuration file has changed to be /etc/pam.d/gdm-password (instead of /etc/pam.d/gdm) as of GDM version 3.2.

/etc/pam.d/gdm-password
#%PAM-1.0
auth            requisite       pam_nologin.so
auth            required        pam_env.so

auth            requisite       pam_unix.so nullok
auth		optional	pam_mount.so
auth            optional        pam_gnome_keyring.so

auth            sufficient      pam_succeed_if.so uid >= 1000 quiet
auth            required        pam_deny.so

account         required        pam_unix.so

password        required        pam_unix.so
password	optional	pam_mount.so

session         required        pam_loginuid.so
-session        optional        pam_systemd.so
session         optional        pam_keyinit.so force revoke
session         required        pam_limits.so
session         required        pam_unix.so
session		optional	pam_mount.so
session         optional        pam_gnome_keyring.so auto_start
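
Why entry order matters, as an added example (not part of the original wiki page): a small parser for pam.d service files that reports when pam_mount.so is absent from the auth or session stack, or sits below a "sufficient" rule whose success ends the stack before pam_mount.so runs. It assumes, as in the three examples above, that pam_mount.so belongs in both stacks; the function names and sample files are made up, and included files are not followed.

```python
def parse_pam(text):
    """Return (type, control, module) for every rule line of a pam.d file."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments and #%PAM-1.0
        if len(fields) < 3:
            continue
        end = 1
        if fields[1].startswith("["):              # bracketed control may contain spaces
            while end < len(fields) - 1 and not fields[end].endswith("]"):
                end += 1
        if end + 1 >= len(fields):
            continue
        # A leading "-" on the type only silences errors for a missing module.
        rules.append((fields[0].lstrip("-"), " ".join(fields[1:end + 1]), fields[end + 1]))
    return rules

def check_pam_mount(text):
    """List problems with pam_mount.so placement in the auth and session stacks."""
    rules = parse_pam(text)
    findings = []
    for kind in ("auth", "session"):
        stack = [(ctl, mod) for typ, ctl, mod in rules if typ == kind]
        modules = [mod for _, mod in stack]
        if "pam_mount.so" not in modules:
            findings.append(f"{kind}: pam_mount.so is not called")
            continue
        for ctl, mod in stack[:modules.index("pam_mount.so")]:
            if ctl == "sufficient":                # success here returns before pam_mount.so
                findings.append(f"{kind}: {mod} is 'sufficient' ahead of pam_mount.so")
    return findings

# Constructed samples: the first follows the GDM stack shown above (shortened).
GOOD = """#%PAM-1.0
auth     requisite   pam_unix.so nullok
auth     optional    pam_mount.so
auth     sufficient  pam_succeed_if.so uid >= 1000 quiet
auth     required    pam_deny.so
session  required    pam_unix.so
session  optional    pam_mount.so
"""
# Same lines, but pam_mount.so moved below the 'sufficient' rule and no session entry.
BAD = """#%PAM-1.0
auth     requisite   pam_unix.so nullok
auth     sufficient  pam_succeed_if.so uid >= 1000 quiet
auth     optional    pam_mount.so
auth     required    pam_deny.so
session  required    pam_unix.so
"""

if __name__ == "__main__":
    print(check_pam_mount(GOOD))
    print(check_pam_mount(BAD))
```
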