pam_mount

From Gentoo Wiki

The pam_mount.so PAM module allows systems to automatically mount file systems when a user logs on, and unmount file systems when the user logs off.

Installation

USE flags

The sys-auth/pam_mount package (a PAM module that can mount volumes for a user session) supports a few USE flags:

USE flag   Description
crypt      Add support for encryption, using mcrypt or gpg where applicable (global flag)
selinux    Internal use only: Security Enhanced Linux support; this must be set by the selinux profile or breakage will occur (global flag)
ssl        Add support for Secure Socket Layer connections (global flag)

Emerge

To install the package, just emerge it:

root # emerge --ask sys-auth/pam_mount

Configuration

No specific configuration is needed for the installation itself. The actual configuration entries are described below in the Usage section.

Usage

Mounting regular file systems

Edit the PAM configuration file of the service in which the mount should happen (for example system-auth, which the login services include). pam_mount.so has to be called from both the auth stack, where it records the password entered at login so it can later be handed to mounts that need one, and the session stack, where it performs the mounts on login and the unmounts on logout. Place it after pam_unix.so so that the password has already been collected; marking it optional means that a failed mount does not prevent the login:

FILE /etc/pam.d/system-auth "Enable pam_mount in the proper service"
auth		required	pam_env.so
auth		required	pam_unix.so try_first_pass likeauth nullok
auth		optional	pam_permit.so
auth		optional	pam_mount.so

account		required	pam_unix.so
account		optional	pam_permit.so

password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password	required	pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password	optional	pam_permit.so

session		required	pam_limits.so
session		required	pam_env.so
session		required	pam_unix.so
session		optional	pam_permit.so
session		optional	pam_mount.so

Next, edit or create the following configuration file:

FILE /etc/security/pam_mount.conf.xml "Configure pam_mount"
<pam_mount>
  <!-- one <volume> element per file system; the mount options go in "options" -->
  <volume user="your username" fstype="ext4" path="/dev/sdxn" mountpoint="/somewhere" options="fsck" />
  <!-- verbose logging to syslog while setting things up; set to 0 afterwards -->
  <debug enable="1" />
</pam_mount>

This file lists the file systems to mount when a particular user logs on; replace the example values with the actual user name, device, mount point and options (the attribute is named options, not option). The debug element makes pam_mount log verbosely to syslog, which helps while setting things up; switch it to enable="0" once the mounts work. pam_mount parses this file as root at every login, so keep it owned by root and not writable by other users.

Mounting LUKS encrypted file systems

One might want to mount devices encrypted with cryptsetup (LUKS). Edit the PAM configuration file of choice (such as system-auth) and, in addition to the pam_mount.so entries, add calls to pam_exec.so in the auth and session sections:

FILE /etc/pam.d/system-auth "Enable pam_exec.so"
auth		required	pam_env.so
auth		required	pam_unix.so try_first_pass likeauth nullok
auth		optional	pam_permit.so
auth		optional	pam_mount.so
auth		optional	pam_exec.so expose_authtok quiet /sbin/cryptsetup luksOpen /dev/sdxn target

account		required	pam_unix.so
account		optional	pam_permit.so

password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password	required	pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password	optional	pam_permit.so

session		required	pam_limits.so
session		required	pam_env.so
session		required	pam_unix.so
session		optional	pam_permit.so
session		optional	pam_mount.so
session		optional	pam_exec.so quiet /sbin/luksClose

The first entry opens the LUKS container on /dev/sdxn and maps it to /dev/mapper/target. The expose_authtok option makes pam_exec.so write the password the user just typed to the command's standard input, which is where cryptsetup reads the passphrase from when it is not attached to a terminal. This only works when the LUKS passphrase is the same as the login password, and the entry must come after pam_unix.so in the auth stack so that the password has already been collected. Because the entry is optional, a failed luksOpen (for example a passphrase that differs from the login password) does not stop the login, but the mount in the session stack will then fail since /dev/mapper/target does not exist.

The second entry calls a script that closes the encrypted device on logout. pam_exec.so runs the command for open_session as well as close_session, so the script has to check PAM_TYPE; the pam_mount.so session entry comes first so that the file system is unmounted before the mapping is closed. Since pam_exec.so runs the script with root privileges, make it executable and writable only by root. It may look like this:

FILE /sbin/luksClose "Close encrypted device script"
#!/bin/bash
# pam_exec.so runs this for both open_session and close_session; act only
# when the session ends. "target" is the mapping name passed to
# "cryptsetup luksOpen" in the auth stack (/dev/mapper/target).
if [ "$PAM_TYPE" = "close_session" ]; then
  # Skip the close if the mapping is already gone (e.g. luksOpen failed at login).
  if /sbin/cryptsetup status target >/dev/null 2>&1; then
    /sbin/cryptsetup luksClose target
  fi
fi

Do not forget to use the proper map: the volume entry for this device in /etc/security/pam_mount.conf.xml must use path="/dev/mapper/target" (the mapping name given in the luksOpen call), not the raw /dev/sdxn, because pam_mount mounts the device only after it has been opened during authentication.
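The following script is an added example for this page, not code from pam_mount or the Gentoo wiki. It checks the two things that are easy to get wrong in both the plain and the LUKS setup above: that the PAM service file loads pam_mount.so in both the auth and the session stack (one without the other silently does nothing), and that the files PAM parses or executes as root at login, pam_mount.conf.xml and the /sbin/luksClose helper if it exists, are owned by root and not writable by group or others. The default service file path, the helper name and the use of GNU find (sys-apps/findutils) are assumptions taken from the examples on this page.

```shell
#!/bin/sh
# Added example (not part of pam_mount or the Gentoo wiki): pre-deployment
# checks for a pam_mount setup. Paths and the helper name are assumptions
# taken from the examples on this page.

# pam_has_module FILE TYPE MODULE
# Succeeds if FILE contains an uncommented line "TYPE CONTROL MODULE".
# Assumes a single-word control field (required/optional/...), as in the
# examples above; bracketed fields like "[success=1 default=ignore]" are
# not matched.
pam_has_module() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+[^#[:space:]]+[[:space:]]+$3([[:space:]]|$)" "$1"
}

# file_is_root_safe PATH
# Succeeds if PATH exists, is owned by root and has neither the group-write
# nor the other-write bit set. GNU find semantics: "-perm /022" matches when
# any of those two bits is set, so "! -perm /022" means both are clear.
file_is_root_safe() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -maxdepth 0 -user root ! -perm /022 -print 2>/dev/null)" ]
}

# check_deployment [SERVICE_FILE]
# Runs every check, reports each result and returns non-zero if any failed.
check_deployment() {
    service=${1:-/etc/pam.d/system-auth}
    rc=0
    for type in auth session; do
        if pam_has_module "$service" "$type" pam_mount.so; then
            echo "ok: $service loads pam_mount.so in the $type stack"
        else
            echo "MISSING: $service does not load pam_mount.so in the $type stack" >&2
            rc=1
        fi
    done
    if file_is_root_safe /etc/security/pam_mount.conf.xml; then
        echo "ok: /etc/security/pam_mount.conf.xml is root-owned and not group/world writable"
    else
        echo "UNSAFE or missing: /etc/security/pam_mount.conf.xml (parsed as root at login)" >&2
        rc=1
    fi
    # The luksClose helper only exists in the LUKS setup; check it when present.
    if [ -e /sbin/luksClose ]; then
        if file_is_root_safe /sbin/luksClose && [ -x /sbin/luksClose ]; then
            echo "ok: /sbin/luksClose is root-owned, executable and not group/world writable"
        else
            echo "UNSAFE: /sbin/luksClose is executed by pam_exec.so as root at logout" >&2
            rc=1
        fi
    fi
    return $rc
}

# Run the checks when a service file is given on the command line, e.g.
#   sh pam_mount_check.sh /etc/pam.d/system-auth
if [ $# -gt 0 ]; then
    check_deployment "$1"
fi
```

Run it as root after editing the PAM file and pam_mount.conf.xml; a non-zero exit status means at least one check failed and the reason was printed on standard error.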

Unmerge

Before removing the package, make sure that no PAM configuration file refers to the module anymore:

user $ grep pam_mount /etc/pam.d/*

If no file refers to it anymore, then the package is safe to unmerge:

root # emerge --ask --depclean sys-auth/pam_mount

See also

  • PAM - the main PAM article on the Gentoo wiki