path: root/man/pam_systemd_loadkey.xml
blob: afb41f318d184146d507fce5e59775cc6bd6e42b (plain)
<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="pam_systemd_loadkey" conditional='HAVE_PAM' xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>pam_systemd_loadkey</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>pam_systemd_loadkey</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>pam_systemd_loadkey</refname>
    <refpurpose>Read password from kernel keyring and set it as PAM authtok</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>pam_systemd_loadkey.so</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>pam_systemd_loadkey</command> reads a NUL-separated password list from the kernel keyring,
    and sets the last password in the list as the PAM authtok.</para>

    <para>The password list is expected to be stored in the "user" keyring of the root user
    by an earlier call to
    <citerefentry><refentrytitle>systemd-ask-password</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    with <option>--keyname=</option>.
    The key name to read is passed to <command>pam_systemd_loadkey</command> via the <option>keyname=</option> option.</para>
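
    <para>The selection step described above, as an added C example that is not part of systemd or of this
    module's source: given the raw key payload, it takes the last NUL-separated entry, copies it into a
    caller-owned buffer the way a module would before handing it to <function>pam_set_item()</function>, and
    wipes the copy afterwards. The constructed sample payload, the helper names <function>last_password</function>,
    <function>copy_last_password</function> and <function>wipe</function>, and the treatment of a single trailing
    NUL as a list terminator (rather than as an empty final entry) are assumptions of this example, not verified
    against the module's implementation.</para>

    <programlisting><![CDATA[
```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pick the last entry of a NUL-separated password list, the selection rule
 * pam_systemd_loadkey applies to the key payload. Assumptions of this example:
 * a single trailing NUL terminates the list instead of adding an empty entry,
 * and an empty last entry yields NULL. Returns a pointer into buf (not
 * NUL-terminated) and the entry length via out_len. */
static const char *last_password(const char *buf, size_t len, size_t *out_len)
{
    if (len > 0 && buf[len - 1] == '\0')
        len--;                               /* drop the terminating NUL */

    const char *last = buf;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\0')
            last = buf + i + 1;              /* an entry begins after each separator */

    size_t n = (size_t)((buf + len) - last);
    if (out_len)
        *out_len = n;
    return n > 0 ? last : NULL;
}

/* Copy the selected password into a caller-owned, NUL-terminated buffer, as a
 * PAM module must do before handing it to pam_set_item(). Returns 0 on success,
 * -1 if no usable entry exists or the buffer is too small. */
static int copy_last_password(const char *buf, size_t len, char *out, size_t out_size)
{
    size_t n;
    const char *p = last_password(buf, len, &n);
    if (!p || n + 1 > out_size)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Overwrite secret material once it is no longer needed; the volatile
 * pointer keeps the compiler from eliding the stores. */
static void wipe(char *p, size_t n)
{
    volatile char *v = p;
    while (n--)
        *v++ = 0;
}

int main(void)
{
    /* Constructed sample payload (assumption of this example). A real one would
     * be read from the "cryptsetup" key in root's user keyring, which the
     * display manager can only reach when its unit sets KeyringMode=inherit. */
    static const char payload[] = "first-try\0second-try\0correct-passphrase";
    char authtok[256];

    if (copy_last_password(payload, sizeof(payload) - 1, authtok, sizeof(authtok)) == 0)
        printf("selected entry has %zu bytes\n", strlen(authtok));   /* never log the secret itself */
    else
        printf("no usable entry in payload\n");

    wipe(authtok, sizeof(authtok));
    return 0;
}
```
]]></programlisting>

    <para>The example deliberately reports only the length of the selected entry: a module that logs the
    authtok itself, even with <option>debug</option> enabled, would write the LUKS passphrase to the journal.</para>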

  </refsect1>

  <refsect1>
    <title>Options</title>

    <para>The following options are understood:</para>

    <variablelist class='pam-directives'>

      <varlistentry>
        <term><varname>keyname=</varname></term>

        <listitem><para>Takes a string argument that sets the name of the key to read.
        The default is <literal>cryptsetup</literal>, which is used by
        <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        to store the LUKS passphrase during boot.</para>

        <xi:include href="version-info.xml" xpointer="v255"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>debug</varname></term>

        <listitem><para>The module will log debugging information as it operates.</para>

        <xi:include href="version-info.xml" xpointer="v255"/></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Example</title>

    <para>This module is intended to be used when you use LUKS with a passphrase, enable autologin in the display
    manager, and want to unlock Gnome Keyring / KDE KWallet automatically, so that in total you enter only one
    password during boot.</para>

    <para>You need to set the password of your Gnome Keyring/KWallet to the same value as your LUKS passphrase.
    Then add the following lines to your display manager's PAM config under <filename>/etc/pam.d/</filename> (e.g. <filename>sddm-autologin</filename>):</para>

    <programlisting>
-auth       optional    pam_systemd_loadkey.so
-session    optional    pam_gnome_keyring.so auto_start
-session    optional    pam_kwallet5.so auto_start
    </programlisting>

    <para>And add the following lines to your display manager's systemd service file, so it can access root's keyring:</para>

    <programlisting>
[Service]
KeyringMode=inherit
    </programlisting>

    <para>In this setup, early during the boot process,
    <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    will ask for the passphrase and store it in the kernel keyring under the key name <literal>cryptsetup</literal>.
    Then, when the display manager performs the autologin, pam_systemd_loadkey will read the passphrase from the kernel keyring
    and set it as the PAM authtok, after which pam_gnome_keyring and pam_kwallet5 will unlock with the same passphrase.</para>
  </refsect1>

</refentry>