blob: 783a05526b62433f00ef11a9a090e1fed6c0e8e2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
|
This is tested on Fedora 24 and Fedora 31 Workstation with active SELinux.
This also works on Ubuntu 16.04 LTS after installing libpam-mount:
```
$ sudo apt-get install libpam-mount
```
Feedback on other platforms
is welcome.
gocryptfs
---------
Copy the `gocryptfs` binary into `/usr/local/bin` .
Create a gocryptfs filesystem:
```
$ mkdir /home/testuser/cipher /home/testuser/plain
$ gocryptfs -init /home/testuser/cipher
```
pam_mount config
----------------
Put the following into `/etc/security/pam_mount.conf.xml`, just before
the closing `</pam_mount>` tag at the bottom:
```
<volume user="testuser" fstype="fuse" options="nodev,nosuid,quiet"
path="/usr/local/bin/gocryptfs#/home/%(USER)/cipher" mountpoint="/home/%(USER)/plain" />
```
Replace `testuser` with your user name.
PAM config
----------
An example `/etc/pam.d/sshd` on Fedora 24 and an example `/etc/pam.d/sddm` on Fedora 31 Workstation is shown below. Basically, pam_mount must be called two times:
1. As the last element in "auth" so it gets the password.
2. As the last element in "session", where it performs the actual mount.
`/etc/pam.d/sshd`
```
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
# vvv insert here #
auth optional pam_mount.so
# ^^^ insert here #
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
# vvv insert here #
session optional pam_mount.so
# ^^^ insert here #
```
`/etc/pam.d/sddm`
```
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet5.so
-auth optional pam_kwallet.so
auth include postlogin
# vvv insert here #
auth optional pam_mount.so
# ^^^ insert here #
account required pam_nologin.so
account include password-auth
password include password-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
-session optional pam_ck_connector.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session include password-auth
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet5.so auto_start
-session optional pam_kwallet.so auto_start
session include postlogin
# vvv insert here #
session optional pam_mount.so
# ^^^ insert here #
```
Encrypting the whole home directory
-----------------------------------
Use this volume definition in `/etc/security/pam_mount.conf.xml`:
```
<volume user="testuser" fstype="fuse" options="nodev,nosuid,quiet,nonempty,allow_other"
path="/usr/local/bin/gocryptfs#/home/%(USER).cipher" mountpoint="/home/%(USER)" />
```
|
