summaryrefslogtreecommitdiffstats
path: root/upstream/fedora-rawhide/man8/pam_systemd_home.8
blob: 866cecd2b60146c8ecde9ff79f24660ff5b55b13 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
'\" t
.TH "PAM_SYSTEMD_HOME" "8" "" "systemd 255" "pam_systemd_home"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pam_systemd_home \- Authenticate users and mount home directories via systemd\-homed\&.service
.SH "SYNOPSIS"
.PP
pam_systemd_home\&.so
.SH "DESCRIPTION"
.PP
\fBpam_systemd_home\fR
ensures that home directories managed by
\fBsystemd-homed.service\fR(8)
are automatically activated (mounted) on user login, and are deactivated (unmounted) when the last session of the user ends\&. For such users, it also provides authentication (when per\-user disk encryption is used, the disk encryption key is derived from the authentication credential supplied at login time), account management (the
\m[blue]\fBJSON user record\fR\m[]\&\s-2\u[1]\d\s+2
embedded in the home store contains account details), and implements the updating of the encryption password (which is also used for user authentication)\&.
.SH "OPTIONS"
.PP
The following options are understood:
.PP
\fIsuspend=\fR
.RS 4
Takes a boolean argument\&. If true, the home directory of the user will be suspended automatically during system suspend; if false it will remain active\&. Automatic suspending of the home directory improves security substantially as secret key material is automatically removed from memory before the system is put to sleep and must be re\-acquired (through user re\-authentication) when coming back from suspend\&. It is recommended to set this parameter for all PAM applications that have support for automatically re\-authenticating via PAM on system resume\&. If multiple sessions of the same user are open in parallel the user\*(Aqs home directory will be left unsuspended on system suspend as long as at least one of the sessions does not set this parameter to on\&. Defaults to off\&.
.sp
Note that TTY logins generally do not support re\-authentication on system resume\&. Re\-authentication on system resume is primarily a concept implementable in graphical environments, in the form of lock screens brought up automatically when the system goes to sleep\&. This means that if a user concurrently uses graphical login sessions that implement the required re\-authentication mechanism and console logins that do not, the home directory is not locked during suspend, due to the logic explained above\&. That said, it is possible to set this field for TTY logins too, ignoring the fact that TTY logins actually don\*(Aqt support the re\-authentication mechanism\&. In that case the TTY sessions will appear hung until the user logs in on another virtual terminal (regardless if via another TTY session or graphically) which will resume the home directory and unblock the original TTY session\&. (Do note that lack of screen locking on TTY sessions means even though the TTY session appears hung, keypresses can still be queued into it, and the existing screen contents be read without re\-authentication; this limitation is unrelated to the home directory management
\fBpam_systemd_home\fR
and
systemd\-homed\&.service
implement\&.)
.sp
Turning this option on by default is highly recommended for all sessions, but only if the service managing these sessions correctly implements the aforementioned re\-authentication\&. Note that the re\-authentication must take place from a component running outside of the user\*(Aqs context, so that it does not require access to the user\*(Aqs home directory for operation\&. Traditionally, most desktop environments do not implement screen locking this way, and need to be updated accordingly\&.
.sp
This setting may also be controlled via the
\fI$SYSTEMD_HOME_SUSPEND\fR
environment variable (see below), which
\fBpam_systemd_home\fR
reads during initialization and sets for sessions\&. If both the environment variable is set and the module parameter specified the latter takes precedence\&.
.sp
Added in version 245\&.
.RE
.PP
\fIdebug\fR[=]
.RS 4
Takes an optional boolean argument\&. If yes or without the argument, the module will log debugging information as it operates\&.
.sp
Added in version 245\&.
.RE
.SH "MODULE TYPES PROVIDED"
.PP
The module implements all four PAM operations:
\fBauth\fR
(to allow authentication using the encrypted data),
\fBaccount\fR
(because users with
systemd\-homed\&.service
user accounts are described in a
\m[blue]\fBJSON user record\fR\m[]\&\s-2\u[1]\d\s+2
and may be configured in more detail than in the traditional Linux user database),
\fBsession\fR
(because user sessions must be tracked in order to implement automatic release when the last session of the user is gone),
\fBpassword\fR
(to change the encryption password \(em also used for user authentication \(em through PAM)\&.
.SH "ENVIRONMENT"
.PP
The following environment variables are initialized by the module and available to the processes of the user\*(Aqs session:
.PP
\fI$SYSTEMD_HOME=1\fR
.RS 4
Indicates that the user\*(Aqs home directory is managed by
systemd\-homed\&.service\&.
.sp
Added in version 245\&.
.RE
.PP
\fI$SYSTEMD_HOME_SUSPEND=\fR
.RS 4
Indicates whether the session has been registered with the suspend mechanism enabled or disabled (see above)\&. The variable\*(Aqs value is either
"0"
or
"1"\&. Note that the module both reads the variable when initializing, and sets it for sessions\&.
.sp
Added in version 246\&.
.RE
.SH "EXAMPLE"
.PP
Here\*(Aqs an example PAM configuration fragment that permits users managed by
systemd\-homed\&.service
to log in:
.sp
.if n \{\
.RS 4
.\}
.nf
#%PAM\-1\&.0
auth      sufficient pam_unix\&.so
\fB\-auth     sufficient pam_systemd_home\&.so\fR
auth      required   pam_deny\&.so

account   required   pam_nologin\&.so
\fB\-account  sufficient pam_systemd_home\&.so\fR
account   sufficient pam_unix\&.so
account   required   pam_permit\&.so

\fB\-password sufficient pam_systemd_home\&.so\fR
password  sufficient pam_unix\&.so sha512 shadow try_first_pass
password  required   pam_deny\&.so

\-session  optional   pam_keyinit\&.so revoke
\-session  optional   pam_loginuid\&.so
\fB\-session  optional   pam_systemd_home\&.so\fR
\-session  optional   pam_systemd\&.so
session   required   pam_unix\&.so
.fi
.if n \{\
.RE
.\}
.SH "SEE ALSO"
.PP
\fBsystemd\fR(1),
\fBsystemd-homed.service\fR(8),
\fBhomed.conf\fR(5),
\fBhomectl\fR(1),
\fBpam_systemd\fR(8),
\fBpam.conf\fR(5),
\fBpam.d\fR(5),
\fBpam\fR(8)
.SH "NOTES"
.IP " 1." 4
JSON user record
.RS 4
\%https://systemd.io/USER_RECORD/
.RE