-rw-r--r-- | Mounting-on-login-using-pam_mount.md | 52 |
1 files changed, 22 insertions, 30 deletions
diff --git a/Mounting-on-login-using-pam_mount.md b/Mounting-on-login-using-pam_mount.md
index 9d4facc..d499975 100644
--- a/Mounting-on-login-using-pam_mount.md
+++ b/Mounting-on-login-using-pam_mount.md
@@ -4,11 +4,7 @@ is welcome.
 gocryptfs
 ---------
-Copy the `gocryptfs` binary and `gocryptfs_pam_mount.bash` into
-`/usr/local/bin` .
-
-The bash wrapper is neccessary because of the different calling
-conventions between pam_mount and gocryptfs.
+Copy the `gocryptfs` binary into `/usr/local/bin` .
 Create a gocryptfs filesystem:
 ```
@@ -23,43 +19,42 @@ Put the following into `/etc/security/pam_mount.conf.xml`, just before the closing `</pam_mount>` tag at the bottom:
 ```
-<volume user="testuser" fstype="fuse" options="defaults"
-path="/usr/local/bin/gocryptfs_pam_mount.bash#/home/%(USER)/cipher"
-mountpoint="/home/%(USER)/plain" />
+<volume user="testuser" fstype="fuse" options="nodev,nosuid,quiet"
+path="/usr/local/bin/gocryptfs#/home/%(USER)/cipher" mountpoint="/home/%(USER)/plain" />
 ```
 Replace `testuser` with your user name.
-If you want to disable the display of the masterkey on mount, replace
-`options="defaults"` with `options="quiet"`.
-
 PAM config
 ----------
-An example `/etc/pam.d/login` on Fedora 24 is shown below. pam_mount
-MUST be called AFTER `pam_selinux.so open` because that puts us in the
-right SELinux context. If are logging in via gcm, also add the line in
-`/etc/pam.d/gdm-password`.
+An example `/etc/pam.d/sshd` on Fedora 24 is shown below. Basically, pam_mount must be called two times:
+1) as the last element in "auth" so it gets the password.
+2) as the last element in "session", where it performs the actual mount.
 ```
 #%PAM-1.0
-auth substack system-auth
+auth required pam_sepermit.so
+auth substack password-auth
 auth include postlogin
+# Used with polkit to reauthorize users in remote sessions
+-auth optional pam_reauthorize.so prepare
+auth optional pam_mount.so
 account required pam_nologin.so
-account include system-auth
-password include system-auth
+account include password-auth
+password include password-auth
+# pam_selinux.so close should be the first session rule
 session required pam_selinux.so close
 session required pam_loginuid.so
-session optional pam_console.so
-session required pam_selinux.so open
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open env_params
 session required pam_namespace.so
-# vvv insert pam_mount here
-session optional pam_mount.so
-# ^^^ insert pam_mount here
 session optional pam_keyinit.so force revoke
-session include system-auth
+session include password-auth
 session include postlogin
--session optional pam_ck_connector.so
+# Used with polkit to reauthorize users in remote sessions
+-session optional pam_reauthorize.so prepare
+session optional pam_mount.so
 ```
 Encrypting the whole home directory
@@ -68,9 +63,6 @@ Encrypting the whole home directory
 Use this volume definition in `/etc/security/pam_mount.conf.xml`:
 ```
-<volume user="testuser-whole-home" fstype="fuse" options="nonempty,allow_other"
-path="/usr/local/bin/gocryptfs_pam_mount.bash#/home/%(USER).cipher"
-mountpoint="/home/%(USER)" />
+<volume user="testuser" fstype="fuse" options="nodev,nosuid,quiet,nonempty,allow_other"
+path="/usr/local/bin/gocryptfs#/home/%(USER).cipher" mountpoint="/home/%(USER)" />
 ```
-
-Replace `testuser-whole-home` with your user name.
\ No newline at end of file |