From https://inai.de/projects/pam_mount/ :
> pam_mount is a Pluggable Authentication Module that can mount volumes for a user session.
Man pages:
* https://manned.org/pam_mount.8
* https://manned.org/pam_mount.conf.5
The instructions here are tested on Fedora 24 and Fedora 31 Workstation with active SELinux.
This also works on Ubuntu 16.04 LTS after installing libpam-mount:
```
$ sudo apt-get install libpam-mount
```
Feedback on other platforms is welcome.
gocryptfs
---------
Copy the `gocryptfs` binary into `/usr/local/bin`.
Create a gocryptfs filesystem:
```
$ mkdir $HOME/cipher $HOME/plain
$ gocryptfs -init $HOME/cipher
```
pam_mount config
----------------
Put the following into `/etc/security/pam_mount.conf.xml`, just before
the closing `</pam_mount>` tag at the bottom:
```
<volume
    fstype="fuse"
    mountpoint="/home/%(USER)/plain"
    options="nodev,nosuid,quiet"
    path="/usr/local/bin/gocryptfs#/home/%(USER)/cipher"
    user="YOURUSERNAME"
/>
```
Replace `YOURUSERNAME` with your user name.
PAM config
----------
The PAM config is located in `/etc/pam.d/`.
pam_mount must be called twice:
1. As the last element in "auth" so it gets the password.
2. As the last element in "session", where it performs the actual mount.
#### Debian 12
No special config is required, since `/etc/pam.d/common-auth` and `/etc/pam.d/common-session` already contain the required lines.
#### Fedora 24 example
An example `/etc/pam.d/sshd` on Fedora 24 and an example `/etc/pam.d/sddm` on Fedora 31 Workstation are shown below.
`/etc/pam.d/sshd`
```
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
# vvv insert here #
auth optional pam_mount.so
# ^^^ insert here #
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
# vvv insert here #
session optional pam_mount.so
# ^^^ insert here #
```
`/etc/pam.d/sddm`
```
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet5.so
-auth optional pam_kwallet.so
auth include postlogin
# vvv insert here #
auth optional pam_mount.so
# ^^^ insert here #
account required pam_nologin.so
account include password-auth
password include password-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
-session optional pam_ck_connector.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include password-auth
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet5.so auto_start
-session optional pam_kwallet.so auto_start
session include postlogin
# vvv insert here #
session optional pam_mount.so
# ^^^ insert here #
```
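The rule above (pam_mount last in "auth" so it receives the password, last in "session" so it performs the mount) is easy to get wrong when editing a long stack by hand. The following checker is an added example, not code from gocryptfs or pam_mount: it parses a pam.d service file and reports, for the "auth" and "session" stacks, whether `pam_mount.so` is present and is the final rule. The two sample stacks are constructed for the example (the first is an abbreviated version of the sddm file above with the insertions applied, the second a deliberately mis-ordered one); the function names are the example's own.

```python
# Added example (not code from gocryptfs or pam_mount): check that pam_mount.so
# is the last rule of the "auth" and "session" stacks in a pam.d service file.
import re
import sys
from collections import namedtuple

Rule = namedtuple("Rule", "type control module args")

# One pam.d rule: optional leading '-' (skip silently if the module is missing),
# the stack type, a control word or a bracketed [key=value ...] control, the
# module (or included file), then optional arguments.
RULE_RE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$"
)


def parse_pam_stack(text):
    """Return the rules of a pam.d file in order, skipping blanks and comments.

    Lines that do not match the four-field layout (e.g. Debian's '@include')
    are ignored; they do not take part in the position check below."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(*m.groups()))
    return rules


def check_pam_mount_order(text, module="pam_mount.so"):
    """For the 'auth' and 'session' stacks report 'ok' (module is the last
    rule), 'not_last' (present but followed by other rules) or 'missing'."""
    rules = parse_pam_stack(text)
    verdict = {}
    for stack in ("auth", "session"):
        stack_rules = [r for r in rules if r.type == stack]
        positions = [i for i, r in enumerate(stack_rules) if r.module == module]
        if not positions:
            verdict[stack] = "missing"
        elif positions[-1] != len(stack_rules) - 1:
            verdict[stack] = "not_last"
        else:
            verdict[stack] = "ok"
    return verdict


# Constructed sample, modelled on the Fedora sddm stack shown above with the
# two pam_mount lines inserted where the page says (abbreviated).
SAMPLE_OK = """\
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
-auth optional pam_gnome_keyring.so
auth include postlogin
auth optional pam_mount.so
account required pam_nologin.so
password include password-auth
session required pam_selinux.so close
session include password-auth
-session optional pam_gnome_keyring.so auto_start
session include postlogin
session optional pam_mount.so
"""

# Constructed counter-example: pam_mount inserted too early in "auth" and
# forgotten in "session", so nothing would be mounted at login.
SAMPLE_BAD = """\
auth substack password-auth
auth optional pam_mount.so
auth include postlogin
session required pam_selinux.so close
session include password-auth
"""

if __name__ == "__main__":
    # Usage: python check_pam_mount.py /etc/pam.d/sddm   (no argument: run the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            print(sys.argv[1], check_pam_mount_order(f.read()))
    else:
        print("sample ok :", check_pam_mount_order(SAMPLE_OK))
        print("sample bad:", check_pam_mount_order(SAMPLE_BAD))
```

The check looks at one file only: `include` and `substack` rules pull in other files (`password-auth`, `postlogin`), so "last in this file" is what the page asks for, not a statement about the fully expanded stack. The control word is not checked; both page examples use `optional`.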
Encrypting the whole home directory
-----------------------------------
Use this volume definition in `/etc/security/pam_mount.conf.xml`:
```
<volume user="testuser" fstype="fuse" options="nodev,nosuid,quiet,nonempty,allow_other"
path="/usr/local/bin/gocryptfs#/home/%(USER).cipher" mountpoint="/home/%(USER)" />
```
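Both volume definitions on this page (the `$HOME/plain` one under "pam_mount config" and the whole-home one just above) share the same shape: `fstype="fuse"`, a `path` of the form `<gocryptfs binary>#<cipher dir>`, `nodev,nosuid` in the options, and a `user` restriction. The linter below is an added example, not code from gocryptfs or pam_mount: it parses the `<volume>` entries of a `pam_mount.conf.xml` and flags entries that deviate from that shape, warns when `allow_other` is present (the page uses it only for the whole-home layout), and catches a cipher directory placed inside its own mountpoint, which the mount would hide. The sample config and the function names are constructed for the example.

```python
# Added example (not code from gocryptfs or pam_mount): lint the <volume>
# entries of a pam_mount.conf.xml against the gocryptfs layout on this page.
import sys
import xml.etree.ElementTree as ET

REQUIRED_OPTIONS = {"nodev", "nosuid"}   # both page definitions carry these


def lint_volumes(xml_text, helper="/usr/local/bin/gocryptfs"):
    """Return {user: [finding, ...]} for every <volume>; an empty list means
    the entry matches the page's layout. Findings start with 'error:' or
    'warning:'."""
    root = ET.fromstring(xml_text)
    report = {}
    for vol in root.iter("volume"):
        user = vol.get("user")
        findings = []
        if vol.get("fstype") != "fuse":
            findings.append("error: fstype must be 'fuse' for a gocryptfs volume")
        # pam_mount's fuse syntax is "<helper>#<source>": binary, then cipher dir
        binary, sep, cipherdir = vol.get("path", "").partition("#")
        if not sep:
            findings.append("error: path lacks the '#' between helper binary and cipher dir")
        elif binary != helper:
            findings.append(f"error: helper is {binary!r}, expected {helper!r}")
        options = {o for o in vol.get("options", "").split(",") if o}
        missing = REQUIRED_OPTIONS - options
        if missing:
            findings.append("error: options missing " + ",".join(sorted(missing)))
        if "allow_other" in options:
            findings.append("warning: allow_other lets users other than the mounting one "
                            "access the mount; the page uses it only for the whole-home layout")
        mountpoint = vol.get("mountpoint", "").rstrip("/")
        if cipherdir and mountpoint and (
            cipherdir.rstrip("/") == mountpoint or cipherdir.startswith(mountpoint + "/")
        ):
            findings.append("error: cipher dir lies inside the mountpoint and would be "
                            "hidden once the volume is mounted on top of it")
        if user is None:
            findings.append("warning: no user= attribute, volume applies to every login")
        report[user] = findings
    return report


# Constructed sample config: alice uses the $HOME/plain layout from the page,
# bob the whole-home layout, carol a mistaken entry.
SAMPLE_CONF = """\
<pam_mount>
  <volume fstype="fuse" mountpoint="/home/%(USER)/plain" options="nodev,nosuid,quiet"
          path="/usr/local/bin/gocryptfs#/home/%(USER)/cipher" user="alice" />
  <volume user="bob" fstype="fuse" options="nodev,nosuid,quiet,nonempty,allow_other"
          path="/usr/local/bin/gocryptfs#/home/%(USER).cipher" mountpoint="/home/%(USER)" />
  <volume user="carol" fstype="fuse" options="quiet"
          path="/usr/local/bin/gocryptfs#/home/%(USER)/cipher" mountpoint="/home/%(USER)" />
</pam_mount>
"""

if __name__ == "__main__":
    # Usage: python lint_pam_mount.py /etc/security/pam_mount.conf.xml
    # (no argument: lint the constructed sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for user, findings in lint_volumes(source).items():
        print(user or "<any user>", findings or ["ok"])
```

Run it against the live file after editing `/etc/security/pam_mount.conf.xml`; a volume whose findings list is empty matches one of the two layouts on the page. The cipher-dir check matters for the whole-home variant in particular: the page keeps the cipher dir as a sibling (`/home/%(USER).cipher`), because mounting on `/home/%(USER)` would shadow anything stored underneath it.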