Difference between revisions of "Pam mount"

From ArchWiki

Revision as of 05:55, 27 December 2012

To have an encrypted home partition (encrypted with, for example, LUKS or ecryptfs) mounted automatically when logging in, you can use pam_mount. It will mount your /home (or whatever mount point you like) when you log in through your login manager or on the console. The encrypted volume's passphrase should be the same as your Linux user's password, so that you do not have to type two different passphrases to log in: pam_mount simply hands the password it receives from the PAM authentication stack to the mount helper. For a LUKS volume you can confirm that the password really unlocks the container before relying on it (cryptsetup open --test-passphrase /dev/sdaX), and keep a root shell open while testing, because a mistake in /etc/pam.d can lock you out.

General Setup

  1. Install pam_mount from the Official Repositories.
  2. Edit /etc/security/pam_mount.conf.xml as follows:

Insert the two lines shown below at the end of the file, but before the closing </pam_mount> tag. Notes:

  • USERNAME should be replaced with your linux-username.
  • /dev/sdaX should be replaced with the corresponding device or container file.
  • fstype="auto" can be changed to any <type> for which /sbin/mount.<type> exists (for example fstype="crypt" for a dm-crypt/LUKS volume). "auto" should work fine in most cases.
  • Add mount options, if needed.
/etc/security/pam_mount.conf.xml
<volume user="USERNAME" fstype="auto" path="/dev/sdaX" mountpoint="/home" options="fsck,noatime" />
<mkmountpoint enable="1" remove="true" />

</pam_mount>

Login Manager Configuration

In general, you have to edit configuration files in /etc/pam.d so that pam_mount is called on login. The order of entries in each file matters: the auth entry for pam_mount.so has to come after the module that collects the password (pam_unix.so), because pam_mount reuses that password to unlock the volume, and the pam_mount entries are marked optional so that a failed mount does not deny the login. Edit the stack used by console login (on Arch, /etc/pam.d/system-auth, shown below, which /etc/pam.d/login pulls in through its include lines) and the file for your display manager (e.g., Slim or GDM). Example configuration files follow; the pam_mount.so lines are the ones added.

/etc/pam.d/system-auth
#%PAM-1.0

auth      required  pam_env.so
auth      required  pam_unix.so     try_first_pass nullok
auth      optional  pam_mount.so
auth      optional  pam_permit.so

account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  optional  pam_mount.so
password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session   optional  pam_mount.so
session   required  pam_limits.so
session   required  pam_env.so
session   required  pam_unix.so
session   optional  pam_permit.so

You may need to add similar lines to /etc/pam.d/su and /etc/pam.d/sudo, depending on how you use su and sudo, respectively.

Slim

/etc/pam.d/slim
auth            requisite       pam_nologin.so
auth            required        pam_env.so
auth            required        pam_unix.so
auth            optional        pam_mount.so
account         required        pam_unix.so
password        required        pam_unix.so
password        optional        pam_mount.so
session         required        pam_limits.so
session         required        pam_unix.so
session         optional        pam_mount.so
session         optional        pam_loginuid.so
session         optional        pam_ck_connector.so

GDM

Note that the configuration file has changed to be /etc/pam.d/gdm-password (instead of /etc/pam.d/gdm) as of GDM version 3.2.

/etc/pam.d/gdm-password
#%PAM-1.0
auth            requisite       pam_nologin.so
auth            required        pam_env.so

auth            requisite       pam_unix.so nullok
auth            optional        pam_mount.so
auth            optional        pam_gnome_keyring.so

auth            sufficient      pam_succeed_if.so uid >= 1000 quiet
auth            required        pam_deny.so

account         required        pam_unix.so

password        required        pam_unix.so
password        optional        pam_mount.so

session         required        pam_loginuid.so
-session        optional        pam_systemd.so
session         optional        pam_keyinit.so force revoke
session         required        pam_limits.so
session         required        pam_unix.so
session         optional        pam_mount.so
session         optional        pam_gnome_keyring.so auto_start
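The setup above is easy to get subtly wrong (a volume line appended after </pam_mount>, the USERNAME placeholder left in, pam_mount.so listed before pam_unix.so so that it never sees the password, or a "required" control that turns a mount failure into a denied login), and the symptom is only discovered at the next login. The script below is an added example, not part of the ArchWiki page or of pam_mount itself: two POSIX shell/awk checks that a practitioner can run against /etc/security/pam_mount.conf.xml and the /etc/pam.d stacks before logging out. It assumes the "type control module [args]" layout used by the stacks on this page; the sample files it checks are constructed in a temporary directory and are not real system files.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): sanity checks to run before
# logging out after editing pam_mount.conf.xml and the /etc/pam.d/* stacks.
# Assumes the "type control module [args]" layout used by the stacks above.

# check_pam_stack FILE: for one /etc/pam.d file, verify that
#   1. an auth pam_mount.so entry exists and sits AFTER auth pam_unix.so
#      (pam_mount reuses the password that pam_unix.so collected);
#   2. password and session pam_mount.so entries exist;
#   3. every pam_mount.so entry is "optional", so a failed mount cannot deny login.
# Prints each problem found; returns 0 when the stack is clean, 1 otherwise.
check_pam_stack() {
    awk '
    BEGIN { bad = 0 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        type = $1; ctl = $2; mod = $3
        sub(/^-/, "", type)                  # "-session" marks a module that may be absent
        n++
        if (type == "auth" && mod == "pam_unix.so" && !auth_unix) auth_unix = n
        if (mod == "pam_mount.so") {
            seen[type] = n
            if (ctl != "optional") {
                printf "%s: %s pam_mount.so is \"%s\", expected optional\n", FILENAME, type, ctl
                bad = 1
            }
        }
    }
    END {
        if (!("auth" in seen)) { print FILENAME ": no auth pam_mount.so"; bad = 1 }
        else if (!auth_unix || seen["auth"] < auth_unix) {
            print FILENAME ": auth pam_mount.so must come after auth pam_unix.so"; bad = 1
        }
        if (!("password" in seen)) { print FILENAME ": no password pam_mount.so"; bad = 1 }
        if (!("session" in seen))  { print FILENAME ": no session pam_mount.so";  bad = 1 }
        exit bad
    }' "$1"
}

# check_volume_conf FILE: verify that pam_mount.conf.xml has a <volume> element
# placed before the closing </pam_mount> tag (as the page instructs) and that
# the USERNAME placeholder was replaced. Returns 0 when clean, 1 otherwise.
check_volume_conf() {
    awk '
    BEGIN { bad = 0 }
    /<volume[ \t]/    { vol = NR }
    /<\/pam_mount>/   { close_tag = NR }
    /user="USERNAME"/ { print FILENAME ": user=\"USERNAME\" placeholder not replaced"; bad = 1 }
    END {
        if (!vol)                 { print FILENAME ": no <volume> element"; bad = 1 }
        else if (!close_tag)      { print FILENAME ": no closing </pam_mount> tag"; bad = 1 }
        else if (vol > close_tag) { print FILENAME ": <volume> appears after </pam_mount>"; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample inputs (not real system files): the system-auth stack from
# this page, a deliberately broken variant, and a good and a bad pam_mount.conf.xml.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/system-auth.good" <<'EOF'
#%PAM-1.0
auth      required  pam_unix.so     try_first_pass nullok
auth      optional  pam_mount.so
account   required  pam_unix.so
password  optional  pam_mount.so
password  required  pam_unix.so     try_first_pass nullok sha512 shadow
session   optional  pam_mount.so
session   required  pam_unix.so
-session  optional  pam_systemd.so
EOF
# Broken on purpose: pam_mount before pam_unix, "required", no password/session entries.
cat > "$tmp/system-auth.bad" <<'EOF'
auth      required  pam_mount.so
auth      required  pam_unix.so     try_first_pass nullok
password  required  pam_unix.so
session   required  pam_unix.so
EOF
cat > "$tmp/conf.good" <<'EOF'
<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
<volume user="alice" fstype="auto" path="/dev/sda3" mountpoint="/home" options="fsck,noatime" />
<mkmountpoint enable="1" remove="true" />
</pam_mount>
EOF
# Broken on purpose: the volume line was appended after </pam_mount> and USERNAME was kept.
cat > "$tmp/conf.bad" <<'EOF'
<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
</pam_mount>
<volume user="USERNAME" fstype="auto" path="/dev/sdaX" mountpoint="/home" />
EOF

for f in "$tmp/system-auth.good" "$tmp/system-auth.bad"; do if check_pam_stack "$f"; then echo "$f: ok"; fi; done
for f in "$tmp/conf.good" "$tmp/conf.bad"; do if check_volume_conf "$f"; then echo "$f: ok"; fi; done
```

To use it on a real system, call check_pam_stack on each stack you edited (/etc/pam.d/system-auth, /etc/pam.d/slim, /etc/pam.d/gdm-password) and check_volume_conf on /etc/security/pam_mount.conf.xml; an empty report and a zero exit status mean the file passed. The checks are deliberately line-based rather than a full XML or PAM parser, so they catch the mistakes described on this page, not every possible misconfiguration.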