From 436353d888f560dc703fb89bb87600c8191a587c Mon Sep 17 00:00:00 2001
From: rfjakob
Date: Sun, 9 Oct 2016 21:21:07 +0200
Subject: Updated Mounting on login using pam_mount (markdown)
---
Mounting-on-login-using-pam_mount.md | 52 +++++++++++++++---------------------
1 file changed, 22 insertions(+), 30 deletions(-)
diff --git a/Mounting-on-login-using-pam_mount.md b/Mounting-on-login-using-pam_mount.md
index 9d4facc..d499975 100644
--- a/Mounting-on-login-using-pam_mount.md
+++ b/Mounting-on-login-using-pam_mount.md
@@ -4,11 +4,7 @@ is welcome.
gocryptfs
---------
-Copy the `gocryptfs` binary and `gocryptfs_pam_mount.bash` into
-`/usr/local/bin` .
-
-The bash wrapper is neccessary because of the different calling
-conventions between pam_mount and gocryptfs.
+Copy the `gocryptfs` binary into `/usr/local/bin` .
Create a gocryptfs filesystem:
```
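Review bot: the removed paragraph explained why the bash wrapper was needed ("the different calling conventions between pam_mount and gocryptfs"), but the replacement line says nothing about how gocryptfs now accommodates pam_mount's calling convention, so a reader running an older gocryptfs binary cannot tell whether `gocryptfs_pam_mount.bash` is still required. Suggest adding one sentence stating the minimum gocryptfs version that works without the wrapper, or noting that the wrapper is only needed for older versions. Minor style point on the `+` line: the stray space before the full stop in "`/usr/local/bin` ." should be dropped.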
@@ -23,43 +19,42 @@ Put the following into `/etc/security/pam_mount.conf.xml`, just before
the closing `` tag at the bottom:
```
-
+
```
Replace `testuser` with your user name.
-If you want to disable the display of the masterkey on mount, replace
-`options="defaults"` with `options="quiet"`.
-
PAM config
----------
-An example `/etc/pam.d/login` on Fedora 24 is shown below. pam_mount
-MUST be called AFTER `pam_selinux.so open` because that puts us in the
-right SELinux context. If are logging in via gcm, also add the line in
-`/etc/pam.d/gdm-password`.
+An example `/etc/pam.d/sshd` on Fedora 24 is shown below. Basically, pam_mount must be called two times:
+1) as the last element in "auth" so it gets the password.
+2) as the last element in "session", where it performs the actual mount.
```
#%PAM-1.0
-auth substack system-auth
+auth required pam_sepermit.so
+auth substack password-auth
auth include postlogin
+# Used with polkit to reauthorize users in remote sessions
+-auth optional pam_reauthorize.so prepare
+auth optional pam_mount.so
account required pam_nologin.so
-account include system-auth
-password include system-auth
+account include password-auth
+password include password-auth
+# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
-session optional pam_console.so
-session required pam_selinux.so open
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open env_params
session required pam_namespace.so
-# vvv insert pam_mount here
-session optional pam_mount.so
-# ^^^ insert pam_mount here
session optional pam_keyinit.so force revoke
-session include system-auth
+session include password-auth
session include postlogin
--session optional pam_ck_connector.so
+# Used with polkit to reauthorize users in remote sessions
+-session optional pam_reauthorize.so prepare
+session optional pam_mount.so
```
Encrypting the whole home directory
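Review bot: two pieces of guidance are dropped without replacement. First, the removed text "pam_mount MUST be called AFTER `pam_selinux.so open` because that puts us in the right SELinux context" is the reason pam_mount sits last in the session stack; the new body text only says it must be "the last element in session, where it performs the actual mount", and the rationale now survives only implicitly in the `# pam_selinux.so open should only be followed by sessions to be executed in the user context` comment inside the config listing. Keep the explicit ordering requirement in the prose, and say whether the same two-line change also applies to `/etc/pam.d/gdm-password` (or the other login services), since the removed note about graphical logins is not carried over. Second, the removed sentence "If you want to disable the display of the masterkey on mount, replace `options=\"defaults\"` with `options=\"quiet\"`" is the only place the page told the reader that the master key is printed on every login mount; the volume element itself is not visible in this hunk, so it cannot be verified whether `quiet` is now the default in the example. Suggest keeping that note (or stating that the new volume definition already uses `quiet`), since a master key echoed to a terminal or captured in session logs is a meaningful exposure.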
@@ -68,9 +63,6 @@ Encrypting the whole home directory
Use this volume definition in `/etc/security/pam_mount.conf.xml`:
```
-
+
```
-
-Replace `testuser-whole-home` with your user name.
\ No newline at end of file
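Review bot: removing "Replace `testuser-whole-home` with your user name." leaves this section without the substitution hint that the first section still gives ("Replace `testuser` with your user name."); unless the new volume definition no longer contains a placeholder user name, the sentence should stay, and if the placeholder was renamed the sentence should be updated rather than deleted. Also, the `\ No newline at end of file` marker shows the file now ends without a trailing newline; restoring one avoids noisy diffs on the next edit.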
--
cgit v1.2.3