-rw-r--r--  README.md                                    2
-rw-r--r--  contrib/pam_mount/README.md                 79
-rwxr-xr-x  contrib/pam_mount/gocryptfs_pam_mount.bash  37
3 files changed, 2 insertions, 116 deletions
diff --git a/README.md b/README.md
index a197e4a..b8eeba4 100644
--- a/README.md
+++ b/README.md
@@ -130,6 +130,8 @@ v1.1 (not yet released)
precede the passed paths.
* This allows mounting from /etc/fstab. See
(#45)[https://github.com/rfjakob/gocryptfs/issues/45] for details.
+ * Mounting on login using pam_mount works as well. It is
+ [described in the wiki](https://github.com/rfjakob/gocryptfs/wiki/Mounting-on-login-using-pam_mount).
* To prevent confusion, the old `-o` option had to be renamed. It is now
called `-ko`. Arguments to `-ko` are passed directly to the kernel.
* New `-passfile` command-line option. Provides an easier way to read
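Review bot: the issue link on the unchanged line just above the added text, `(#45)[https://github.com/rfjakob/gocryptfs/issues/45]`, has its parentheses and brackets swapped and will not render as a link; since this hunk already edits that paragraph, fix it to `[#45](https://github.com/rfjakob/gocryptfs/issues/45)` in the same change. The changelog entry should also say that the in-tree `contrib/pam_mount/` README and wrapper script are removed by this commit, so anyone who followed the old instructions knows the wiki is now the only copy.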
diff --git a/contrib/pam_mount/README.md b/contrib/pam_mount/README.md
deleted file mode 100644
index 8b87f71..0000000
--- a/contrib/pam_mount/README.md
+++ /dev/null
@@ -1,79 +0,0 @@
-Mounting gocryptfs on login using pam_mount
-===========================================
-
-This works on Fedora 24 with active SELinux. Feedback on other platforms
-is welcome.
-
-gocryptfs
----------
-
-Copy the `gocryptfs` binary and `gocryptfs_pam_mount.bash` into
-`/usr/local/bin` .
-
-The bash wrapper is neccessary because of the different calling
-conventions between pam_mount and gocryptfs.
-
-Create a gocryptfs filesystem:
-```
-$ mkdir /home/testuser/cipher /home/testuser/plain
-$ gocryptfs -init /home/testuser/cipher
-```
-
-pam_mount config
-----------------
-
-Put the following into `/etc/security/pam_mount.conf.xml`, just before
-the closing `</pam_mount>` tag at the bottom:
-
-```
-<volume user="testuser" fstype="fuse" options="defaults"
-path="/usr/local/bin/gocryptfs_pam_mount.bash#/home/%(USER)/cipher"
-mountpoint="/home/%(USER)/plain" />
-```
-
-Replace `testuser` with your user name.
-
-If you want to disable the display of the masterkey on mount, replace
-`options="defaults"` with `options="quiet"`.
-
-PAM config
-----------
-
-An example `/etc/pam.d/login` on Fedora 24 is shown below. pam_mount
-MUST be called AFTER `pam_selinux.so open` because that puts us in the
-right SELinux context. If are logging in via gcm, also add the line in
-`/etc/pam.d/gdm-password`.
-
-```
-#%PAM-1.0
-auth substack system-auth
-auth include postlogin
-account required pam_nologin.so
-account include system-auth
-password include system-auth
-session required pam_selinux.so close
-session required pam_loginuid.so
-session optional pam_console.so
-session required pam_selinux.so open
-session required pam_namespace.so
-# vvv insert pam_mount here
-session optional pam_mount.so
-# ^^^ insert pam_mount here
-session optional pam_keyinit.so force revoke
-session include system-auth
-session include postlogin
--session optional pam_ck_connector.so
-```
-
-Encrypting the whole home directory
------------------------------------
-
-Use this volume definition in `/etc/security/pam_mount.conf.xml`:
-
-```
-<volume user="testuser-whole-home" fstype="fuse" options="nonempty,allow_other"
-path="/usr/local/bin/gocryptfs_pam_mount.bash#/home/%(USER).cipher"
-mountpoint="/home/%(USER)" />
-```
-
-Replace `testuser-whole-home` with your user name.
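Review bot: two security-relevant points from the deleted README need to survive verbatim on the wiki page the changelog now points to: that `session optional pam_mount.so` MUST come after `session required pam_selinux.so open` (otherwise the mount runs in the wrong SELinux context), and that `options="defaults"` prints the masterkey on every login, so `options="quiet"` is the setting most users want. The deleted text also carries a typo ("neccessary") and says "logging in via gcm" where the referenced `/etc/pam.d/gdm-password` file suggests gdm was meant; both are worth correcting when the text lands in the wiki rather than being copied as-is.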
diff --git a/contrib/pam_mount/gocryptfs_pam_mount.bash b/contrib/pam_mount/gocryptfs_pam_mount.bash
deleted file mode 100755
index e6f31ba..0000000
--- a/contrib/pam_mount/gocryptfs_pam_mount.bash
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/bash
-#
-# Simple bash script to transform the command-line arguments that
-# pam_mount passes to gocryptfs into something that gocryptfs
-# understands.
-#
-# Currently understood: nonempty,allow_other,quiet.
-# Unknown options are ignored.
-
-exec >&2
-set -eu
-MYNAME=$(basename $0)
-
-if [[ $# != 4 ]]; then
- echo "$MYNAME: expected 4 arguments, got $#"
- echo "Example: $MYNAME /home/user.crypt /home/user.plain -o allow_other"
- echo "Example: $MYNAME /home/user.crypt /home/user.plain -o defaults"
- exit 1
-fi
-
-SRC=$1
-DST=$2
-
-if mountpoint "$DST" > /dev/null; then
- echo "$MYNAME: something is already mounted on $DST, refusing"
- exit 2
-fi
-
-GOPTS=""
-for OPT in nonempty allow_other quiet; do
- if [[ $4 == *$OPT* ]]; then
- GOPTS="$GOPTS -$OPT"
- fi
-done
-
-cd "$(dirname "$0")"
-exec ./gocryptfs $GOPTS $SRC $DST
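Review bot: if this wrapper is republished on the wiki instead of simply dropped, two defects in the deleted script should not be carried over: the last line `exec ./gocryptfs $GOPTS $SRC $DST` leaves `$SRC` and `$DST` unquoted (and `MYNAME=$(basename $0)` likewise), so a cipher or mount path containing whitespace or glob characters is word-split before it reaches gocryptfs; and the option loop's `[[ $4 == *$OPT* ]]` is a substring match, so any pam_mount option string that merely contains `quiet`, `nonempty` or `allow_other` as part of a longer word enables that flag. The `mountpoint "$DST"` refusal check and `set -eu` are good and should be kept in any replacement. Since the commit removes the script without an in-tree successor, a `pam_mount.conf.xml` that references `/usr/local/bin/gocryptfs_pam_mount.bash` keeps working only as long as the user's installed copy does; the changelog line should state where the wrapper now lives.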