Difference between revisions of "Pam mount"

From ArchWiki
(Login Manager Configuration: su and sudo have nothing to do with this)
(General setup: Added Veracrypt workaround)
 
(38 intermediate revisions by 17 users not shown)
Line 1: Line 1:
 +
{{DISPLAYTITLE:pam_mount}}
 
[[Category:Security]]
 
[[Category:Security]]
To have an encrypted home partition (encrypted with, for example, LUKS or ecryptfs) mounted automatically when logging in, you can use pam_mount. It will mount your /home (or whatever mount point you like) when you log in using your login manager or when logging in on console. The encrypted drive's passphrase should be the same as your linux user's password, so you do not have to type in two different passphrases to login.
+
[[ja:Pam mount]]
 +
{{Related articles start}}
 +
{{Related|dm-crypt/Mounting at login}}
 +
{{Related|PAM}}
 +
{{Related articles end}}
  
==General Setup==
+
[http://pam-mount.sourceforge.net/ pam_mount] can be used to automatically mount an encrypted home partition (encrypted with, for example, [[LUKS]] or [[ECryptfs]]) on user log in.
 +
It will mount your {{ic|/home}} (or whatever mount point you like) when you log in using your login manager or when logging in on console. The encrypted drive's passphrase should be the same as your linux user's password, so you do not have to type in two different passphrases to login.
  
#Install {{pkg|pam_mount}} from the [[Official Repositories]].
+
{{Warning|''pam_mount'' can also unmount your partitions when you close your last session but this does not work out of the box due to the use of {{ic|pam_systemd.so}} in the pam stack, see [[Talk:Pam mount#automatic unmounting and systemd]].}}
#Edit /etc/security/pam_mount.conf.xml as follows:
 
  
Insert 2 new lines at the end of the file, but '''before''' the last closing tag, ''</pam_mount>''.
+
==General setup==
Notes:
+
 
*USERNAME should be replaced with your linux-username.
+
Install the {{pkg|pam_mount}} package.
*/dev/sdaX should be replaced with the corresponding device or container file.
+
 
*fstype="auto" can be changed to any <type> that is present in /usr/bin/mount.<type>. "auto" should work fine in most cases.
+
Edit {{ic|/etc/security/pam_mount.conf.xml}} as follows:
*Add mount options, if needed.
 
  
 
{{hc|/etc/security/pam_mount.conf.xml|2=
 
{{hc|/etc/security/pam_mount.conf.xml|2=
'''<volume user="USERNAME" fstype="auto" path="/dev/sdaX" mountpoint="/home" options="fsck,noatime" />'''
+
  <volume user="''USERNAME''" fstype="auto" path="/dev/''sdaX''" mountpoint="/home" options="fsck,noatime" />
'''<mkmountpoint enable="1" remove="true" />'''
+
  <volume
 +
      fstype="cifs"
 +
      server="''server.example.com''"
 +
      path="''share_name''"
 +
      mountpoint="~/mnt/''share_name''"
 +
      uid="10000-19999"
 +
      options="sec=krb5i,vers=3.0,cruid=%(''USERUID'')"
 +
  />
 +
  <mkmountpoint enable="1" remove="true" />
  
 
</pam_mount>
 
</pam_mount>
 
}}
 
}}
  
==Login Manager Configuration==
+
Notes:
 +
* Insert 2 new lines at the end of the file, but ''before'' the last closing tag, {{ic|</pam_mount>}}.
 +
* {{ic|''USERNAME''}} should be replaced with your user name.
 +
* {{ic|/dev/''sdaX''}} should be replaced with the corresponding device or container file.
 +
* {{ic|1=fstype="auto"}} can be changed to any {{ic|''type''}} that is present in {{ic|/usr/bin/mount.''type''}}. {{ic|"auto"}} should work fine in most cases. Use {{ic|1=fstype="crypt"}} so that the loop device gets closed at logout for volumes needing it.
 +
* Add mount options, if needed. Note that {{ic|mount.cifs}} does not read {{ic|smb.conf}} and so all options must be specified. In the example, {{ic|uid}} matches the local {{ic|smb.conf}} parameter idmap config ... : range = so that ''pam_mount'' is not called for a Unix only user. Kerberos is indicated by krb5, SMB3.0 is specified because the other end may not support SMB1 which is the default. Signing is enabled with the i on the end of krb5i. See {{man|8|mount.cifs}} for more details.
 +
=== Veracrypt volumes ===
 +
pam_mount doesn't support Veracrypt volumes natively, but there is a [https://forum.ubuntuusers.de/post/8882122/ workaround]
 +
{{hc|/etc/security/pam_mount.conf.xml|2=
 +
<volume user="''username''" fstype="crypt" path="/dev/disk/by-partuuid/''partition_uuid''" mountpoint="''vcrypt''"/>
 +
<volume user="''username''" fstype="auto" path="/dev/mapper/''vcrypt''" mountpoint="/media/''mountpoint''"/>
 +
 
 +
<cryptmount>cryptsetup --veracrypt open --type tcrypt %(VOLUME) %(MNTPT)</cryptmount>
 +
<cryptumount>cryptsetup close %(MNTPT)</cryptumount>
 +
}}
 +
If you also have LUKS volumes, you can use a different ''fstype'' for Veracrypt volume instead of {{ic|crypt}} with {{ic|cryptmount/cryptumount}}, for example {{ic|ncpfs}} with {{ic|ncpmount/ncpumount}}. Just make sure you don't use NCP filesystem.
 +
 
 +
== Login manager configuration ==
  
In general, you have to edit configuration files in /etc/pam.d so that pam_mount will be called on login. The correct order of entries in each file is important. It is necessary to edit /etc/pam.d/system-auth as shown below. If you use a display manager (e.g., Slim or GDM) edit its file, too. Example configuration files follow, with the added lines in bold.
+
In general, you have to edit configuration files in {{ic|/etc/pam.d}} so that ''pam_mount'' will be called on login. The correct order of entries in each file is important. It is necessary to edit {{ic|/etc/pam.d/system-login}} as shown below. If you use a [[display manager]] make sure its file includes {{ic|system-login}}. Example configuration files follow, with the added lines in bold. The {{ic|pam_succeed}} line before {{ic|pam_mount}} in session skips {{ic|pam_mount}} ({{ic|1=success=''n''}} means skip the next {{ic|''n''}} lines) if the {{ic|systemd-user}} service is running through the PAM stack. This avoids double mount attempts and errors relating to dropped privileges.
  
{{hc|/etc/pam.d/system-auth|2=
+
{{hc|/etc/pam.d/system-login|2=
 
#%PAM-1.0
 
#%PAM-1.0
  
auth     required pam_env.so
+
auth       required   pam_tally.so         onerr=succeed file=/var/log/faillog
auth     required  pam_unix.so     try_first_pass nullok
+
auth       required   pam_shells.so
'''auth     optional pam_mount.so'''
+
auth      requisite pam_nologin.so
auth     optional  pam_permit.so
+
'''auth       optional   pam_mount.so'''
 +
auth       include    system-auth
  
account  required  pam_unix.so
+
account   required   pam_access.so
account  optional  pam_permit.so
+
account   required   pam_nologin.so
account   required  pam_time.so
+
account   include    system-auth
  
'''password optional pam_mount.so'''
+
'''password   optional   pam_mount.so'''
password required  pam_unix.so    try_first_pass nullok sha512 shadow
+
password   include    system-auth
password  optional  pam_permit.so
 
  
'''session  optional  pam_mount.so'''
+
session    optional  pam_loginuid.so
session  required  pam_limits.so
+
session    optional  pam_keyinit.so      force revoke
session  required  pam_env.so
+
'''session [success=1 default=ignore]  pam_succeed_if.so  service = systemd-user quiet'''
session  required  pam_unix.so
+
'''session   optional   pam_mount.so'''
session  optional  pam_permit.so
+
session   include    system-auth
 +
session    optional   pam_motd.so         motd=/etc/motd
 +
session   optional   pam_mail.so         dir=/var/spool/mail standard quiet
 +
-session  optional  pam_systemd.so
 +
session   required   pam_env.so
 
}}
 
}}
  
=== [[Slim]] ===
+
=== SLiM ===
 +
 
 +
{{Move|SLiM|We are discouraging the use of SLiM in its article, there's not much of a point in highlighting this here.}}
 +
 
 +
For [[SLiM]]:
  
 
{{hc|/etc/pam.d/slim|
 
{{hc|/etc/pam.d/slim|
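Review bot: the note "Insert 2 new lines at the end of the file" is stale in this revision: the replacement snippet now inserts two <volume> elements (one of them the multi-line cifs entry) plus the <mkmountpoint> line, so either say "insert the new elements" or move the cifs volume into its own example so that the stated count stays true.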
Line 63: Line 100:
 
session        optional        pam_loginuid.so
 
session        optional        pam_loginuid.so
 
session        optional        pam_ck_connector.so
 
session        optional        pam_ck_connector.so
}}
 
 
=== [[GDM]] ===
 
 
Note that the configuration file has changed to be /etc/pam.d/gdm-password (instead of /etc/pam.d/gdm) as of GDM version 3.2.
 
 
{{hc|/etc/pam.d/gdm-password|2=
 
#%PAM-1.0
 
auth            requisite      pam_nologin.so
 
auth            required        pam_env.so
 
 
auth            requisite      pam_unix.so nullok
 
'''auth         optional        pam_mount.so'''
 
auth            optional        pam_gnome_keyring.so
 
 
auth            sufficient      pam_succeed_if.so uid >= 1000 quiet
 
auth            required        pam_deny.so
 
 
account        required        pam_unix.so
 
 
password        required        pam_unix.so
 
'''password        optional        pam_mount.so'''
 
 
session        required        pam_loginuid.so
 
-session        optional        pam_systemd.so
 
session        optional        pam_keyinit.so force revoke
 
session        required        pam_limits.so
 
session        required        pam_unix.so
 
'''session        optional        pam_mount.so'''
 
session        optional        pam_gnome_keyring.so auto_start
 
 
}}
 
}}
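Review bot: dropping the GDM section leaves /etc/pam.d/slim as the only display-manager example, and that file still lists pam_mount.so in every phase itself instead of including system-login as the revised intro tells display-manager users to do; either add the system-login include to the SLiM snippet or note that it predates that advice, and point GDM users at the system-login instructions so the deleted gdm-password example is not simply lost.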

Latest revision as of 08:45, 5 November 2017

pam_mount can be used to automatically mount an encrypted home partition (encrypted with, for example, LUKS or ECryptfs) on user login. It will mount your /home (or whatever mount point you like) when you log in using your login manager or when logging in on the console. The encrypted drive's passphrase should be the same as your Linux user's password, so you do not have to type in two different passphrases to log in.

Warning: pam_mount can also unmount your partitions when you close your last session, but this does not work out of the box due to the use of pam_systemd.so in the PAM stack; see Talk:Pam mount#automatic unmounting and systemd.

General setup

Install the pam_mount package.

Edit /etc/security/pam_mount.conf.xml as follows:

/etc/security/pam_mount.conf.xml
  <volume user="USERNAME" fstype="auto" path="/dev/sdaX" mountpoint="/home" options="fsck,noatime" />
  <volume
      fstype="cifs"
      server="server.example.com"
      path="share_name"
      mountpoint="~/mnt/share_name"
      uid="10000-19999"
      options="sec=krb5i,vers=3.0,cruid=%(USERUID)"
  />
  <mkmountpoint enable="1" remove="true" />

</pam_mount>

Notes:

  • Insert the new lines at the end of the file, but before the last closing tag, </pam_mount>.
  • USERNAME should be replaced with your user name.
  • /dev/sdaX should be replaced with the corresponding device or container file.
  • fstype="auto" can be changed to any type for which /usr/bin/mount.type exists. "auto" should work fine in most cases. Use fstype="crypt" for volumes that need it, so that the loop device is closed again at logout.
  • Add mount options, if needed. Note that mount.cifs does not read smb.conf, so all options must be specified explicitly. In the example, uid matches the local smb.conf parameter idmap config ... : range = so that pam_mount is not called for a Unix-only user. Kerberos authentication is selected by krb5; vers=3.0 selects SMB 3.0 because the other end may not support SMB1, which is the default. Signing is enabled by the trailing i in krb5i. See mount.cifs(8) for more details.

Veracrypt volumes

pam_mount does not support VeraCrypt volumes natively, but there is a workaround (https://forum.ubuntuusers.de/post/8882122/): open the container with cryptsetup through a crypt volume, then mount the resulting mapper device as a second volume.

/etc/security/pam_mount.conf.xml
<volume user="username" fstype="crypt" path="/dev/disk/by-partuuid/partition_uuid" mountpoint="vcrypt"/>
<volume user="username" fstype="auto" path="/dev/mapper/vcrypt" mountpoint="/media/mountpoint"/>

<cryptmount>cryptsetup --veracrypt open --type tcrypt %(VOLUME) %(MNTPT)</cryptmount>
<cryptumount>cryptsetup close %(MNTPT)</cryptumount>

If you also have LUKS volumes, use a different fstype for the VeraCrypt volume instead of crypt, together with the matching override elements, for example fstype="ncpfs" with <ncpmount>/<ncpumount> instead of <cryptmount>/<cryptumount>. Just make sure you do not actually use the NCP filesystem.
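As an added example (not from the wiki page and not part of pam_mount), a small Python checker that applies the notes above to a pam_mount.conf.xml before you depend on it at login: unreplaced template placeholders, an fstype with no mount.<type> helper, CIFS volumes missing the sec= or vers= options that mount.cifs will not read from smb.conf, and a /dev/mapper/<name> path that no earlier fstype="crypt" volume with mountpoint <name> opens, which the VeraCrypt chain relies on. Both embedded configs are constructed, and the helpers argument stands in for probing /usr/bin on the target host.

```python
import re
import xml.etree.ElementTree as ET

# Template values from the page's examples that must be edited before use.
PLACEHOLDER = re.compile(r"USERNAME|sdaX|partition_uuid|share_name|example\.com", re.I)

def check_pam_mount_conf(xml_text, helpers=frozenset()):
    """Return a list of findings (empty means nothing found). helpers is the set of
    <type> names for which /usr/bin/mount.<type> exists on the target host."""
    root = ET.fromstring(xml_text)
    if root.tag != "pam_mount":
        return ["root element must be <pam_mount>, found <%s>" % root.tag]
    findings, crypt_names = [], set()  # crypt_names: mountpoints of crypt volumes so far
    for n, vol in enumerate(root.iter("volume"), 1):
        a = vol.attrib
        where = "volume %d (%s)" % (n, a.get("path", a.get("server", "?")))
        for key, val in a.items():
            if PLACEHOLDER.search(val):
                findings.append("%s: %s=%r still holds a placeholder" % (where, key, val))
        fstype = a.get("fstype", "auto")
        if fstype not in ("auto", "crypt") and fstype not in helpers:
            findings.append("%s: no mount.%s helper for fstype=%r" % (where, fstype, fstype))
        opts = a.get("options", "").split(",")
        if fstype == "cifs":  # mount.cifs ignores smb.conf, so these must be explicit
            for need in ("sec=", "vers="):
                if not any(o.startswith(need) for o in opts):
                    findings.append("%s: cifs volume lacks %s in options" % (where, need))
        if "user" not in a and "uid" not in a:  # the two selectors this page uses
            findings.append("%s: no user/uid selector, would apply to every login" % where)
        path, mountpoint = a.get("path", ""), a.get("mountpoint", "")
        if fstype == "crypt":
            crypt_names.add(mountpoint)
        elif path.startswith("/dev/mapper/") and path[12:] not in crypt_names:
            findings.append('%s: not opened by an earlier fstype="crypt" volume' % where)
    return findings

# Constructed sample: the page's template left unedited, plus a stray mapper path.
UNEDITED = """<pam_mount>
  <volume user="USERNAME" fstype="auto" path="/dev/sdaX" mountpoint="/home" options="fsck,noatime" />
  <volume fstype="cifs" server="fs.corp.test" path="docs" mountpoint="~/mnt/docs"
          uid="10000-19999" options="vers=3.0,cruid=%(USERUID)" />
  <volume user="bob" fstype="auto" path="/dev/mapper/vc2" mountpoint="/media/vc2" />
</pam_mount>"""
# Constructed sample: a filled-in VeraCrypt chain like the workaround above (fake PARTUUID).
FILLED = """<pam_mount>
  <volume user="alice" fstype="crypt" path="/dev/disk/by-partuuid/0000-fake" mountpoint="vcrypt" />
  <volume user="alice" fstype="auto" path="/dev/mapper/vcrypt" mountpoint="/media/data" />
  <mkmountpoint enable="1" remove="true" />
</pam_mount>"""
```

Run it against the real file with `check_pam_mount_conf(open("/etc/security/pam_mount.conf.xml").read(), helpers={...})` on the host, before enabling pam_mount in the PAM stack.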

Login manager configuration

In general, you have to edit configuration files in /etc/pam.d so that pam_mount will be called on login. The correct order of entries in each file is important. It is necessary to edit /etc/pam.d/system-login as shown below. If you use a display manager, make sure its file includes system-login. Example configuration files follow; the lines to add are those referencing pam_mount.so, plus the pam_succeed_if.so line before pam_mount.so in the session section. That pam_succeed_if line skips pam_mount (success=n means skip the next n lines) if the systemd-user service is running through the PAM stack. This avoids double mount attempts and errors relating to dropped privileges.

/etc/pam.d/system-login
#%PAM-1.0

auth       required   pam_tally.so         onerr=succeed file=/var/log/faillog
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       optional   pam_mount.so
auth       include    system-auth

account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth

password   optional   pam_mount.so
password   include    system-auth

session    optional   pam_loginuid.so
session    optional   pam_keyinit.so       force revoke
session    [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet
session    optional   pam_mount.so
session    include    system-auth
session    optional   pam_motd.so          motd=/etc/motd
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
-session   optional   pam_systemd.so
session    required   pam_env.so
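As an added illustration (not Linux-PAM code and not from the wiki), the skip rule explained above can be checked with a small Python model of the session stack: it parses a constructed excerpt of the system-login file shown above and reports which modules run for a given PAM service name, showing that pam_mount.so is skipped for systemd-user but runs, ahead of pam_systemd.so, for an ordinary login. It assumes every module succeeds and treats include lines as opaque entries; real PAM evaluates each module's result and descends into the included file.

```python
import re

# Constructed excerpt of the /etc/pam.d/system-login shown above (include lines are
# kept as opaque entries named after the included file).
SYSTEM_LOGIN = """\
auth       optional   pam_mount.so
auth       include    system-auth
password   optional   pam_mount.so
password   include    system-auth
session    optional   pam_loginuid.so
session    optional   pam_keyinit.so       force revoke
session [success=1 default=ignore]  pam_succeed_if.so  service = systemd-user quiet
session    optional   pam_mount.so
session    include    system-auth
-session   optional   pam_systemd.so
session    required   pam_env.so
"""
# type, control (a plain word or a [bracketed] action list), module, remaining args
ENTRY = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_file(text):
    """Return (type, control, module, args) tuples; blank and comment lines are skipped."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line) if line and not line.startswith("#") else None
        if m:
            rows.append(m.groups())
    return rows

def phases_with(text, module):
    """Management groups (auth/account/password/session) in which module is listed."""
    return {t for t, _, mod, _ in parse_pam_file(text) if mod == module}

def simulate_session(text, service):
    """Modules that run in the session phase for PAM service name `service`. Simplified:
    every module succeeds; pam_succeed_if with a 'service = NAME' test skips the next
    success=n entries when NAME matches and otherwise falls through (default=ignore)."""
    rows = [r for r in parse_pam_file(text) if r[0] == "session"]
    ran, i = [], 0
    while i < len(rows):
        _, control, module, args = rows[i]
        ran.append(module)
        skip = 0
        if module == "pam_succeed_if.so":
            want = re.match(r"service\s*=\s*(\S+)", args)
            jump = re.search(r"success=(\d+)", control)
            if want and jump and want.group(1) == service:
                skip = int(jump.group(1))
        i += 1 + skip
    return ran
```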

SLiM

This article or section is a candidate for moving to SLiM.

Notes: We are discouraging the use of SLiM in its article, there's not much of a point in highlighting this here. (Discuss in Talk:Pam mount#)

For SLiM:

/etc/pam.d/slim
auth            requisite       pam_nologin.so
auth            required        pam_env.so
auth            required        pam_unix.so
auth            optional        pam_mount.so
account         required        pam_unix.so
password        required        pam_unix.so
password        optional        pam_mount.so
session         required        pam_limits.so
session         required        pam_unix.so
session         optional        pam_mount.so
session         optional        pam_loginuid.so
session         optional        pam_ck_connector.so