Diffstat (limited to 'contrib/pam_mount')
-rw-r--r--  contrib/pam_mount/README.md                 79
-rwxr-xr-x  contrib/pam_mount/gocryptfs_pam_mount.bash  37
2 files changed, 0 insertions, 116 deletions
diff --git a/contrib/pam_mount/README.md b/contrib/pam_mount/README.md deleted file mode 100644 index 8b87f71..0000000 --- a/contrib/pam_mount/README.md +++ /dev/null 
@@ -1,79 +0,0 @@ -Mounting gocryptfs on login using pam_mount -=========================================== - -This works on Fedora 24 with active SELinux. Feedback on other platforms -is welcome. - -gocryptfs ---------- - -Copy the `gocryptfs` binary and `gocryptfs_pam_mount.bash` into -`/usr/local/bin` . - -The bash wrapper is neccessary because of the different calling -conventions between pam_mount and gocryptfs. - -Create a gocryptfs filesystem: -``` -$ mkdir /home/testuser/cipher /home/testuser/plain -$ gocryptfs -init /home/testuser/cipher -``` - -pam_mount config ----------------- - -Put the following into `/etc/security/pam_mount.conf.xml`, just before -the closing `</pam_mount>` tag at the bottom: - -``` -<volume user="testuser" fstype="fuse" options="defaults" -path="/usr/local/bin/gocryptfs_pam_mount.bash#/home/%(USER)/cipher" -mountpoint="/home/%(USER)/plain" /> -``` - -Replace `testuser` with your user name. - -If you want to disable the display of the masterkey on mount, replace -`options="defaults"` with `options="quiet"`. - -PAM config ----------- - -An example `/etc/pam.d/login` on Fedora 24 is shown below. pam_mount -MUST be called AFTER `pam_selinux.so open` because that puts us in the -right SELinux context. If are logging in via gcm, also add the line in -`/etc/pam.d/gdm-password`. 
- -``` -#%PAM-1.0 -auth substack system-auth -auth include postlogin -account required pam_nologin.so -account include system-auth -password include system-auth -session required pam_selinux.so close -session required pam_loginuid.so -session optional pam_console.so -session required pam_selinux.so open -session required pam_namespace.so -# vvv insert pam_mount here -session optional pam_mount.so -# ^^^ insert pam_mount here -session optional pam_keyinit.so force revoke -session include system-auth -session include postlogin --session optional pam_ck_connector.so -``` - -Encrypting the whole home directory ------------------------------------ - -Use this volume definition in `/etc/security/pam_mount.conf.xml`: - -``` -<volume user="testuser-whole-home" fstype="fuse" options="nonempty,allow_other" -path="/usr/local/bin/gocryptfs_pam_mount.bash#/home/%(USER).cipher" -mountpoint="/home/%(USER)" /> -``` - -Replace `testuser-whole-home` with your user name. diff --git a/contrib/pam_mount/gocryptfs_pam_mount.bash b/contrib/pam_mount/gocryptfs_pam_mount.bash deleted file mode 100755 index e6f31ba..0000000 --- a/contrib/pam_mount/gocryptfs_pam_mount.bash +++ /dev/null 
@@ -1,37 +0,0 @@ -#!/bin/bash -# -# Simple bash script to transform the command-line arguments that -# pam_mount passes to gocryptfs into something that gocryptfs -# understands. -# -# Currently understood: nonempty,allow_other,quiet. -# Unknown options are ignored. - -exec >&2 -set -eu -MYNAME=$(basename $0) - -if [[ $# != 4 ]]; then - echo "$MYNAME: expected 4 arguments, got $#" - echo "Example: $MYNAME /home/user.crypt /home/user.plain -o allow_other" - echo "Example: $MYNAME /home/user.crypt /home/user.plain -o defaults" - exit 1 -fi - -SRC=$1 -DST=$2 - -if mountpoint "$DST" > /dev/null; then - echo "$MYNAME: something is already mounted on $DST, refusing" - exit 2 -fi - -GOPTS="" -for OPT in nonempty allow_other quiet; do - if [[ $4 == *$OPT* ]]; then - GOPTS="$GOPTS -$OPT" - fi -done - -cd "$(dirname "$0")" -exec ./gocryptfs $GOPTS $SRC $DST |
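Review bot: deleting contrib/pam_mount/README.md removes the only documentation of the `/etc/security/pam_mount.conf.xml` volume definitions and of the `/etc/pam.d/login` ordering requirement (pam_mount after `pam_selinux.so open`), and nothing visible in this change says why the integration is dropped or where users who followed it should go; the diffstat shows only these two files touched, so any other document that still points at contrib/pam_mount or at `path="/usr/local/bin/gocryptfs_pam_mount.bash#/home/%(USER)/cipher"` is left dangling. Suggest a one-line rationale in the commit and, if a replacement exists, a pointer to it in the same change.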
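Review bot: the wrapper removed here had two behaviours worth carrying into whatever replaces it and two defects worth not carrying: `exec >&2` kept all gocryptfs output, including the masterkey printout that the README's `quiet` option suppresses, on stderr, and `if mountpoint "$DST" > /dev/null` refused to stack a second mount on an occupied mountpoint; on the other hand `[[ $4 == *$OPT* ]]` was a substring match over the whole option string rather than a check of the comma-separated list, and `exec ./gocryptfs $GOPTS $SRC $DST` passed both paths unquoted. If the deletion is because the integration moved elsewhere, please confirm the new location keeps the first two and fixes the last two.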