Difference between revisions of "Pam mount"

From ArchWiki
m (fixed typo)
(please do not use HTML comments; replace with Remove template)
 
(29 intermediate revisions by 16 users not shown)
Line 1: Line 1:
 +
{{DISPLAYTITLE:pam_mount}}
 
[[Category:Security]]
 
[[Category:Security]]
To have an encrypted home partition (encrypted with, for example, LUKS or ecryptfs) mounted automatically when logging in, you can use pam_mount. It will mount your /home (or whatever mount point you like) when you log in using your login manager or when logging in on console. The encrypted drive's passphrase should be the same as your linux user's password, so you do not have to type in two different passphrases to login.
+
[[ja:Pam mount]]
 +
{{Style|See [[Help:Style]] and related.}}
 +
 
 +
{{Related articles start}}
 +
{{Related|dm-crypt/Mounting at login}}
 +
{{Related|PAM}}
 +
{{Related articles end}}
 +
[http://pam-mount.sourceforge.net/ pam_mount] can be used to automatically mount an encrypted home partition (encrypted with, for example, [[LUKS]] or [[ECryptfs]]) on user log in.  
 +
It will mount your /home (or whatever mount point you like) when you log in using your login manager or when logging in on console. The encrypted drive's passphrase should be the same as your linux user's password, so you do not have to type in two different passphrases to login.
 +
 
 +
{{Warning|{{Remove|24 May 2017 - I (gerdesj) believe this is now fixed.  Please re-instate this warning if adding pam_succeed does not work correctly.}}
 +
Pam_mount can also unmount your partitions when you close your last session but this is currently not working due to the use of pam_systemd.so in the pam stack.}}
  
 
==General Setup==
 
==General Setup==
  
#Install {{pkg|pam_mount}} from the [[Official Repositories]].
+
#Install {{pkg|pam_mount}} from the [[Official repositories]].
 
#Edit /etc/security/pam_mount.conf.xml as follows:
 
#Edit /etc/security/pam_mount.conf.xml as follows:
  
 
Insert 2 new lines at the end of the file, but '''before''' the last closing tag, ''</pam_mount>''.
 
Insert 2 new lines at the end of the file, but '''before''' the last closing tag, ''</pam_mount>''.
 
Notes:
 
Notes:
*USERNAME should be replaced with your linux-username.
+
* USERNAME should be replaced with your linux-username.
 
*/dev/sdaX should be replaced with the corresponding device or container file.
 
*/dev/sdaX should be replaced with the corresponding device or container file.
*fstype="auto" can be changed to any <type> that is present in /sbin/mount.<type>. "auto" should work fine in most cases.
+
* fstype="auto" can be changed to any <type> that is present in /usr/bin/mount.<type>. "auto" should work fine in most cases.  Use fstype="crypt" so that the loop device gets closed at logout for volumes needing it.
*Add mount options, if needed.
+
* Add mount options, if needed.  Note that mount.cifs does not read smb.conf and so all options must be specified.  In the example, uid matches the local smb.conf parameter idmap config ... : range = so that pam_mount is not called for a unix only user.  Kerberos is indicated by krb5, SMB3.0 is specified because the other end may not support SMB1 which is the default.  Signing is enabled with the i on the end of krb5i.  See man mount.cifs for more details.
  
 
{{hc|/etc/security/pam_mount.conf.xml|2=
 
{{hc|/etc/security/pam_mount.conf.xml|2=
'''<volume user="USERNAME" fstype="auto" path="/dev/sdaX" mountpoint="/home" options="fsck,noatime" />'''
+
  <volume user="USERNAME" fstype="auto" path="/dev/sdaX" mountpoint="/home" options="fsck,noatime" />
'''<mkmountpoint enable="1" remove="true" />'''
+
  <volume
 +
      fstype="cifs"
 +
      server="server.example.co.uk"
 +
      path="share_name"
 +
      mountpoint="~/mnt/share_name"
 +
      uid="10000-19999"
 +
      options="sec=krb5i,vers=3.0,cruid=%(USERUID)"
 +
  />
 +
  <mkmountpoint enable="1" remove="true" />
  
 
</pam_mount>
 
</pam_mount>
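Review bot: the introduction says the home partition may be a LUKS container, yet the new `/home` example keeps `fstype="auto"` and the added note only says to use `fstype="crypt"` "for volumes needing it" without naming which volumes those are; suggest stating in the note which case needs `crypt` (the LUKS case the introduction mentions) or showing the `/home` line with `fstype="crypt"`. The uid note `idmap config ... : range =` is also hard to read as written; spell out that the `uid="10000-19999"` attribute should equal the range configured for that `idmap config` entry in smb.conf.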
Line 22: Line 42:
  
 
==Login Manager Configuration==
 
==Login Manager Configuration==
 
+
{{accuracy|See [[Talk:Pam_mount#system-auth template out of date]]|section=automatic unmounting and systemd}}
In general, you have to edit configuration files in /etc/pam.d so that pam_mount will be called on login. The correct order of entries in each file is important. It is probably necessary to change both /etc/pam.d/login and the file for your display manager (e.g., Slim or GDM). Example configuration files follow, with the added lines in bold.
+
In general, you have to edit configuration files in /etc/pam.d so that pam_mount will be called on login. The correct order of entries in each file is important. It is necessary to edit /etc/pam.d/system-auth as shown below. If you use a display manager (e.g., Slim) edit its file, too. Example configuration files follow, with the added lines in bold.  The pam_succeed line before pam_mount in session skips pam_mount (success=n means skip the next n lines) if the systemd-user service is running through the PAM stack.  This avoids double mount attempts and errors relating to dropped privileges.
  
 
{{hc|/etc/pam.d/system-auth|2=
 
{{hc|/etc/pam.d/system-auth|2=
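Review bot: the new paragraph refers to "the pam_succeed line", but the module added in the next hunk is `pam_succeed_if.so`; use the full module name so readers can find it. Also "success=n means skip the next n lines" should say module entries rather than lines, since blank and comment lines are not counted when the stack is walked.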
Line 41: Line 61:
 
password  optional  pam_permit.so
 
password  optional  pam_permit.so
  
 +
'''session [success=1 default=ignore]  pam_succeed_if.so  service = systemd-user quiet'''
 
'''session  optional  pam_mount.so'''
 
'''session  optional  pam_mount.so'''
 
session  required  pam_limits.so
 
session  required  pam_limits.so
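Review bot: `[success=1 default=ignore]` jumps over exactly one module entry, so the skip is only correct while `pam_mount.so` stays the very next entry; suggest adding a comment in the file, e.g. `# keep pam_mount.so directly below: success=1 skips only that entry`, so that a later insertion between the two lines does not leave pam_mount.so running for systemd-user and skip the inserted module instead.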
Line 48: Line 69:
 
}}
 
}}
  
You may need to add similar lines to /etc/pam.d/su and /etc/pam.d/sudo, depending on how you use su and sudo, respectively.
+
=== SLiM ===
  
=== [[Slim]] ===
+
For [[SLiM]]:
  
 
{{hc|/etc/pam.d/slim|
 
{{hc|/etc/pam.d/slim|
Line 67: Line 88:
 
}}
 
}}
  
=== [[GDM]] ===
+
=== GDM ===
 
 
Note that the configuration file has changed to be /etc/pam.d/gdm-password (instead of /etc/pam.d/gdm) as of GDM version 3.2.
 
 
 
{{hc|/etc/pam.d/gdm-password|2=
 
#%PAM-1.0
 
auth            requisite      pam_nologin.so
 
auth            required        pam_env.so
 
  
auth            requisite      pam_unix.so nullok
+
Manual configuration for GDM is not needed, since it relies on {{ic|/etc/pam.d/system-auth}}.
'''auth         optional        pam_mount.so'''
 
auth           optional        pam_gnome_keyring.so
 
 
 
auth            sufficient      pam_succeed_if.so uid >= 1000 quiet
 
auth            required        pam_deny.so
 
 
 
account        required        pam_unix.so
 
 
 
password        required        pam_unix.so
 
'''password        optional        pam_mount.so'''
 
 
 
session        required        pam_loginuid.so
 
-session        optional        pam_systemd.so
 
session        optional        pam_keyinit.so force revoke
 
session        required        pam_limits.so
 
session        required        pam_unix.so
 
'''session        optional        pam_mount.so'''
 
session        optional        pam_gnome_keyring.so auto_start
 
}}
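Review bot: the replacement sentence states that GDM relies on /etc/pam.d/system-auth, but this hunk only removes the old gdm-password block and does not show the line in /etc/pam.d/gdm-password that includes system-auth; suggest quoting that line (and, as the removed text did, the GDM version it applies to) so the claim can be checked. The removed block also carried `-session optional pam_systemd.so` ahead of pam_mount.so, which the warning at the top ties to the unmount problem, so that context is worth keeping somewhere.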
 

Latest revision as of 11:59, 25 May 2017

Note: This article or section needs language, wiki syntax or style improvements. Reason: See Help:Style and related.

pam_mount can be used to automatically mount an encrypted home partition (encrypted with, for example, LUKS or ECryptfs) on user log in. It will mount your /home (or whatever mount point you like) when you log in using your login manager or when logging in on the console. The encrypted drive's passphrase should be the same as your Linux user's password, so that you do not have to type two different passphrases to log in.

Warning (this section is being considered for removal; reason given: "24 May 2017 - I (gerdesj) believe this is now fixed. Please re-instate this warning if adding pam_succeed does not work correctly."): Pam_mount can also unmount your partitions when you close your last session, but this is currently not working due to the use of pam_systemd.so in the PAM stack.

General Setup

  1. Install pam_mount from the Official repositories.
  2. Edit /etc/security/pam_mount.conf.xml as follows:

Insert 2 new lines at the end of the file, but before the last closing tag, </pam_mount>. Notes:

  • USERNAME should be replaced with your linux-username.
  • /dev/sdaX should be replaced with the corresponding device or container file.
  • fstype="auto" can be changed to any <type> that is present in /usr/bin/mount.<type>. "auto" should work fine in most cases. Use fstype="crypt" so that the loop device gets closed at logout for volumes needing it.
  • Add mount options, if needed. Note that mount.cifs does not read smb.conf, so all options must be specified explicitly. In the example, the uid range matches the local smb.conf parameter idmap config ... : range = , so that pam_mount is not called for a Unix-only user. Kerberos is indicated by krb5, and SMB 3.0 is specified because the other end may not support SMB1, which is the default. Signing is enabled with the i on the end of krb5i. See man mount.cifs for more details.
/etc/security/pam_mount.conf.xml
  <volume user="USERNAME" fstype="auto" path="/dev/sdaX" mountpoint="/home" options="fsck,noatime" />
  <volume
      fstype="cifs"
      server="server.example.co.uk"
      path="share_name"
      mountpoint="~/mnt/share_name"
      uid="10000-19999"
      options="sec=krb5i,vers=3.0,cruid=%(USERUID)"
  />
  <mkmountpoint enable="1" remove="true" />

</pam_mount>
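As an added example (not from the ArchWiki page or the pam_mount project), the following Python reads the two volume entries above and shows which of them apply to a given login. USERNAME is replaced by the constructed user alice, and the user/uid matching and the expansion of ~ and %(USERUID) are a simplified re-implementation of what pam_mount does, not pam_mount's own code.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two <volume> entries from the page, with USERNAME
# set to "alice", inside the root element pam_mount.conf.xml already has.
PAM_MOUNT_CONF = """<pam_mount>
  <volume user="alice" fstype="auto" path="/dev/sdaX"
          mountpoint="/home" options="fsck,noatime" />
  <volume fstype="cifs" server="server.example.co.uk" path="share_name"
          mountpoint="~/mnt/share_name" uid="10000-19999"
          options="sec=krb5i,vers=3.0,cruid=%(USERUID)" />
  <mkmountpoint enable="1" remove="true" />
</pam_mount>"""

def uid_in_range(uid, spec):
    """Match a numeric uid against a "N" or "LOW-HIGH" uid attribute."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= uid <= int(hi or lo)

def volumes_for(conf_xml, user, uid, home):
    """Return the volume entries that apply to this login, with a leading ~
    in mountpoint and %(USERUID) in options expanded (simplified model of
    pam_mount's own matching and variable substitution; an assumption)."""
    root = ET.fromstring(conf_xml)
    selected = []
    for vol in root.iter("volume"):
        attrs = dict(vol.attrib)
        if "user" in attrs and attrs["user"] != user:
            continue            # restricted to another user
        if "uid" in attrs and not uid_in_range(uid, attrs["uid"]):
            continue            # uid outside the allowed range
        mp = attrs.get("mountpoint", "")
        if mp.startswith("~"):
            mp = home + mp[1:]
        attrs["mountpoint"] = mp
        attrs["options"] = attrs.get("options", "").replace("%(USERUID)", str(uid))
        selected.append(attrs)
    return selected

if __name__ == "__main__":
    for v in volumes_for(PAM_MOUNT_CONF, "bob", 12000, "/home/bob"):
        print(v["fstype"], v["mountpoint"], v["options"])
```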

Login Manager Configuration

Note: The factual accuracy of this article or section is disputed (see Talk:Pam_mount#system-auth template out of date).

In general, you have to edit configuration files in /etc/pam.d so that pam_mount is called on login. The correct order of entries in each file is important. It is necessary to edit /etc/pam.d/system-auth as shown below. If you use a display manager (e.g., SLiM), edit its file too. Example configuration files follow, with the added lines in bold. The pam_succeed_if line before pam_mount in the session section skips pam_mount (success=n means skip the next n module entries) if the systemd-user service is running through the PAM stack. This avoids double mount attempts and errors relating to dropped privileges.

/etc/pam.d/system-auth
#%PAM-1.0

auth      required  pam_env.so
auth      required  pam_unix.so     try_first_pass nullok
auth      optional  pam_mount.so
auth      optional  pam_permit.so

account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so

password  optional  pam_mount.so
password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so

session [success=1 default=ignore]  pam_succeed_if.so  service = systemd-user quiet
session   optional  pam_mount.so
session   required  pam_limits.so
session   required  pam_env.so
session   required  pam_unix.so
session   optional  pam_permit.so
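As an added example (not from the ArchWiki page or libpam), this Python walks the session stack above the way libpam handles the `[success=n default=ignore]` control, so you can see that pam_mount.so runs for an ordinary login service but is skipped for systemd-user, and it includes a small lint that checks the jump really lands on pam_mount.so. Only the `service = NAME` test of pam_succeed_if.so is modelled, which is an assumption for this illustration.

```python
import re

# Constructed sample: the session stack from the page's /etc/pam.d/system-auth.
SYSTEM_AUTH = """\
session [success=1 default=ignore]  pam_succeed_if.so  service = systemd-user quiet
session   optional  pam_mount.so
session   required  pam_limits.so
session   required  pam_env.so
session   required  pam_unix.so
session   optional  pam_permit.so
"""

# facility, control (a word or a [...] block), module, remaining arguments
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text, facility):
    """Return the (control, module, args) entries of one facility, in order."""
    stack = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(1) == facility:
            stack.append((m.group(2), m.group(3), m.group(4)))
    return stack

def succeed_if_matches(args, service):
    """Only the 'service = NAME' test used on the page is modelled (assumption)."""
    m = re.search(r"service\s*=\s*(\S+)", args)
    return bool(m) and m.group(1) == service

def modules_run(text, facility, service):
    """Walk the stack: a successful pam_succeed_if.so with '[success=n ...]'
    jumps over the next n module entries; otherwise (default=ignore) continue."""
    stack, ran, i = parse_stack(text, facility), [], 0
    while i < len(stack):
        control, module, args = stack[i]
        ran.append(module)
        if module == "pam_succeed_if.so" and succeed_if_matches(args, service):
            jump = re.search(r"success=(\d+)", control)
            i += int(jump.group(1)) if jump else 0
        i += 1
    return ran

def skip_lands_on_pam_mount(text, facility="session"):
    """Lint: the success=n jump must cover exactly pam_mount.so, so that a
    line inserted between the two entries cannot change what gets skipped."""
    stack = parse_stack(text, facility)
    for i, (control, module, _) in enumerate(stack):
        jump = re.search(r"success=(\d+)", control)
        if module == "pam_succeed_if.so" and jump:
            n = int(jump.group(1))
            return [mod for _, mod, _ in stack[i + 1:i + 1 + n]] == ["pam_mount.so"]
    return False
```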

SLiM

For SLiM:

/etc/pam.d/slim
auth            requisite       pam_nologin.so
auth            required        pam_env.so
auth            required        pam_unix.so
auth            optional        pam_mount.so
account         required        pam_unix.so
password        required        pam_unix.so
password        optional        pam_mount.so
session         required        pam_limits.so
session         required        pam_unix.so
session         optional        pam_mount.so
session         optional        pam_loginuid.so
session         optional        pam_ck_connector.so

GDM

Manual configuration for GDM is not needed, since it relies on /etc/pam.d/system-auth.