summaryrefslogtreecommitdiff
path: root/Mounting-on-login-using-pam_mount.md
blob: 783a05526b62433f00ef11a9a090e1fed6c0e8e2 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
This is tested on Fedora 24 and Fedora 31 Workstation with active SELinux.

This also works on Ubuntu 16.04 LTS after installing libpam-mount:
```
$ sudo apt-get install libpam-mount
```


Feedback on other platforms
is welcome.

gocryptfs
---------

Copy the `gocryptfs` binary into `/usr/local/bin` .

Create a gocryptfs filesystem:
```
$ mkdir /home/testuser/cipher /home/testuser/plain
$ gocryptfs -init /home/testuser/cipher
```

pam_mount config
----------------

Put the following into `/etc/security/pam_mount.conf.xml`, just before
the closing `</pam_mount>` tag at the bottom:

```
<volume user="testuser" fstype="fuse" options="nodev,nosuid,quiet"
path="/usr/local/bin/gocryptfs#/home/%(USER)/cipher" mountpoint="/home/%(USER)/plain" />
```

Replace `testuser` with your user name.

PAM config
----------

An example `/etc/pam.d/sshd` on Fedora 24 and an example `/etc/pam.d/sddm` on Fedora 31 Workstation is shown below. Basically, pam_mount must be called two times:
 1. As the last element in "auth" so it gets the password.
 2. As the last element in "session", where it performs the actual mount.

`/etc/pam.d/sshd`
```
#%PAM-1.0
auth	   required	pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
# vvv insert here #
auth optional pam_mount.so
# ^^^ insert here #
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
# vvv insert here #
session optional pam_mount.so
# ^^^ insert here #
```

`/etc/pam.d/sddm`
```
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth        substack      password-auth
-auth        optional      pam_gnome_keyring.so
-auth        optional      pam_kwallet5.so
-auth        optional      pam_kwallet.so
auth        include       postlogin

# vvv insert here #
auth       optional     pam_mount.so
# ^^^ insert here #

account     required      pam_nologin.so
account     include       password-auth

password    include       password-auth

session     required      pam_selinux.so close
session     required      pam_loginuid.so
session     optional      pam_console.so
-session    optional    pam_ck_connector.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     include       password-auth
-session     optional      pam_gnome_keyring.so auto_start
-session     optional      pam_kwallet5.so auto_start
-session     optional      pam_kwallet.so auto_start
session     include       postlogin

# vvv insert here #
session    optional     pam_mount.so
# ^^^ insert here #
```

Encrypting the whole home directory
-----------------------------------

Use this volume definition in `/etc/security/pam_mount.conf.xml`:

```
<volume user="testuser" fstype="fuse" options="nodev,nosuid,quiet,nonempty,allow_other"
path="/usr/local/bin/gocryptfs#/home/%(USER).cipher" mountpoint="/home/%(USER)" />
```