[thirdparty/systemd.git] / man / pam_systemd_home.xml

<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="pam_systemd_home" conditional='ENABLE_PAM_HOME'
          xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>pam_systemd_home</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>pam_systemd_home</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>pam_systemd_home</refname>
    <refpurpose>Authenticate users and mount home directories via <filename>systemd-homed.service</filename>
    </refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>pam_systemd_home.so</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>pam_systemd_home</command> ensures that home directories managed by
    <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    are automatically activated (mounted) on user login, and are deactivated (unmounted) when the last
    session of the user ends. For such users, it also provides authentication (when per-user disk encryption
    is used, the disk encryption key is derived from the authentication credential supplied at login time),
    account management (the <ulink url="https://systemd.io/USER_RECORD/">JSON user record</ulink> embedded in
    the home store contains account details), and implements the updating of the encryption password (which
    is also used for user authentication).</para>
  </refsect1>

  <refsect1>
    <title>Options</title>

    <para>The following options are understood:</para>

    <variablelist class='pam-directives'>

      <varlistentry>
        <term><varname>suspend=</varname></term>

        <listitem><para>Takes a boolean argument. If true, the home directory of the user will be suspended
        automatically during system suspend; if false it will remain active. Automatic suspending of the home
        directory improves security substantially as secret key material is automatically removed from memory
        before the system is put to sleep and must be re-acquired (through user re-authentication) when
        coming back from suspend. It is recommended to set this parameter for all PAM applications that have
        support for automatically re-authenticating via PAM on system resume. If multiple sessions of the
        same user are open in parallel the user's home directory will be left unsuspended on system suspend
        as long as at least one of the sessions does not set this parameter to on. Defaults to
        off.</para>

        <para>Note that TTY logins generally do not support re-authentication on system resume.
        Re-authentication on system resume is primarily a concept implementable in graphical environments, in
        the form of lock screens brought up automatically when the system goes to sleep. This means that if a
        user concurrently uses graphical login sessions that implement the required re-authentication
        mechanism and console logins that do not, the home directory is not locked during suspend, due to the
        logic explained above. That said, it is possible to set this field for TTY logins too, ignoring the
        fact that TTY logins actually don't support the re-authentication mechanism. In that case the TTY
        sessions will appear hung until the user logs in on another virtual terminal (regardless if via
        another TTY session or graphically) which will resume the home directory and unblock the original TTY
        session. (Do note that lack of screen locking on TTY sessions means even though the TTY session
        appears hung, keypresses can still be queued into it, and the existing screen contents be read
        without re-authentication; this limitation is unrelated to the home directory management
        <command>pam_systemd_home</command> and <filename>systemd-homed.service</filename> implement.)</para>

        <para>Turning this option on by default is highly recommended for all sessions, but only if the
        service managing these sessions correctly implements the aforementioned re-authentication. Note that
        the re-authentication must take place from a component running outside of the user's context, so that
        it does not require access to the user's home directory for operation. Traditionally, most desktop
        environments do not implement screen locking this way, and need to be updated
        accordingly.</para>

        <para>This setting may also be controlled via the <varname>$SYSTEMD_HOME_SUSPEND</varname>
        environment variable (see below), which <command>pam_systemd_home</command> reads during initialization and sets
        for sessions. If both the environment variable is set and the module parameter specified the latter
        takes precedence.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>debug</varname><optional>=</optional></term>

        <listitem><para>Takes an optional boolean argument. If yes or without the argument, the module will log
        debugging information as it operates.</para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Module Types Provided</title>

    <para>The module implements all four PAM operations: <option>auth</option> (to allow authentication using
    the encrypted data), <option>account</option> (because users with
    <filename>systemd-homed.service</filename> user accounts are described in a <ulink
    url="https://systemd.io/USER_RECORD/">JSON user record</ulink> and may be configured in more detail than
    in the traditional Linux user database), <option>session</option> (because user sessions must be tracked
    in order to implement automatic release when the last session of the user is gone),
    <option>password</option> (to change the encryption password — also used for user authentication —
    through PAM).</para>
  </refsect1>

  <refsect1>
    <title>Environment</title>

    <para>The following environment variables are initialized by the module and available to the processes of the
    user's session:</para>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$SYSTEMD_HOME=1</varname></term>

        <listitem><para>Indicates that the user's home directory is managed by <filename>systemd-homed.service</filename>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>$SYSTEMD_HOME_SUSPEND=</varname></term>

        <listitem><para>Indicates whether the session has been registered with the suspend mechanism enabled
        or disabled (see above). The variable's value is either <literal>0</literal> or
        <literal>1</literal>. Note that the module both reads the variable when initializing, and sets it for
        sessions.</para></listitem>
      </varlistentry>

    </variablelist>
  </refsect1>

  <refsect1>
    <title>Example</title>

    <para>Here's an example PAM configuration fragment that permits users managed by
    <filename>systemd-homed.service</filename> to log in:</para>

    <programlisting>#%PAM-1.0
auth      sufficient pam_unix.so
<command>-auth     sufficient pam_systemd_home.so</command>
auth      required   pam_deny.so

account   required   pam_nologin.so
<command>-account  sufficient pam_systemd_home.so</command>
account   sufficient pam_unix.so
account   required   pam_permit.so

<command>-password sufficient pam_systemd_home.so</command>
password  sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password  required   pam_deny.so

-session  optional   pam_keyinit.so revoke
-session  optional   pam_loginuid.so
<command>-session  optional   pam_systemd_home.so</command>
-session  optional   pam_systemd.so
session   required   pam_unix.so</programlisting>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>homed.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>homectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>
Commit	Line	Data
28e208a7 LP	1	<?xml version='1.0'?> <!---nxml--->
	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
	3	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
db9ecf05	4	<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
28e208a7	5
4623eecb AK	6	<refentry id="pam_systemd_home" conditional='ENABLE_PAM_HOME'
4623eecb AK	7	xmlns:xi="http://www.w3.org/2001/XInclude">
28e208a7 LP	8
	9	<refentryinfo>
	10	<title>pam_systemd_home</title>
	11	<productname>systemd</productname>
	12	</refentryinfo>
	13
	14	<refmeta>
	15	<refentrytitle>pam_systemd_home</refentrytitle>
	16	<manvolnum>8</manvolnum>
	17	</refmeta>
	18
	19	<refnamediv>
	20	<refname>pam_systemd_home</refname>
9e6df034 ZJS	21	<refpurpose>Authenticate users and mount home directories via <filename>systemd-homed.service</filename>
9e6df034 ZJS	22	</refpurpose>
28e208a7 LP	23	</refnamediv>
	24
	25	<refsynopsisdiv>
	26	<para><filename>pam_systemd_home.so</filename></para>
	27	</refsynopsisdiv>
	28
	29	<refsect1>
	30	<title>Description</title>
	31
	32	<para><command>pam_systemd_home</command> ensures that home directories managed by
	33	<citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	34	are automatically activated (mounted) on user login, and are deactivated (unmounted) when the last
9e6df034 ZJS	35	session of the user ends. For such users, it also provides authentication (when per-user disk encryption
	36	is used, the disk encryption key is derived from the authentication credential supplied at login time),
	37	account management (the <ulink url="https://systemd.io/USER_RECORD/">JSON user record</ulink> embedded in
	38	the home store contains account details), and implements the updating of the encryption password (which
	39	is also used for user authentication).</para>
28e208a7 LP	40	</refsect1>
	41
	42	<refsect1>
	43	<title>Options</title>
	44
	45	<para>The following options are understood:</para>
	46
	47	<variablelist class='pam-directives'>
	48
	49	<varlistentry>
	50	<term><varname>suspend=</varname></term>
	51
	52	<listitem><para>Takes a boolean argument. If true, the home directory of the user will be suspended
	53	automatically during system suspend; if false it will remain active. Automatic suspending of the home
	54	directory improves security substantially as secret key material is automatically removed from memory
2a4be3c5 ZJS	55	before the system is put to sleep and must be re-acquired (through user re-authentication) when
	56	coming back from suspend. It is recommended to set this parameter for all PAM applications that have
	57	support for automatically re-authenticating via PAM on system resume. If multiple sessions of the
	58	same user are open in parallel the user's home directory will be left unsuspended on system suspend
562ffaca LP	59	as long as at least one of the sessions does not set this parameter to on. Defaults to
	60	off.</para>
	61
	62	<para>Note that TTY logins generally do not support re-authentication on system resume.
	63	Re-authentication on system resume is primarily a concept implementable in graphical environments, in
	64	the form of lock screens brought up automatically when the system goes to sleep. This means that if a
	65	user concurrently uses graphical login sessions that implement the required re-authentication
	66	mechanism and console logins that do not, the home directory is not locked during suspend, due to the
	67	logic explained above. That said, it is possible to set this field for TTY logins too, ignoring the
	68	fact that TTY logins actually don't support the re-authentication mechanism. In that case the TTY
	69	sessions will appear hung until the user logs in on another virtual terminal (regardless if via
	70	another TTY session or graphically) which will resume the home directory and unblock the original TTY
	71	session. (Do note that lack of screen locking on TTY sessions means even though the TTY session
	72	appears hung, keypresses can still be queued into it, and the existing screen contents be read
	73	without re-authentication; this limitation is unrelated to the home directory management
	74	<command>pam_systemd_home</command> and <filename>systemd-homed.service</filename> implement.)</para>
	75
	76	<para>Turning this option on by default is highly recommended for all sessions, but only if the
	77	service managing these sessions correctly implements the aforementioned re-authentication. Note that
86b52a39	78	the re-authentication must take place from a component running outside of the user's context, so that
562ffaca LP	79	it does not require access to the user's home directory for operation. Traditionally, most desktop
562ffaca LP	80	environments do not implement screen locking this way, and need to be updated
764ae4dd LP	81	accordingly.</para>
	82
	83	<para>This setting may also be controlled via the <varname>$SYSTEMD_HOME_SUSPEND</varname>
	84	environment variable (see below), which <command>pam_systemd_home</command> reads during initialization and sets
	85	for sessions. If both the environment variable is set and the module parameter specified the latter
	86	takes precedence.</para></listitem>
28e208a7 LP	87	</varlistentry>
	88
	89	<varlistentry>
	90	<term><varname>debug</varname><optional>=</optional></term>
	91
	92	<listitem><para>Takes an optional boolean argument. If yes or without the argument, the module will log
	93	debugging information as it operates.</para></listitem>
	94	</varlistentry>
	95	</variablelist>
	96	</refsect1>
	97
	98	<refsect1>
	99	<title>Module Types Provided</title>
	100
8b9f0921 ZJS	101	<para>The module implements all four PAM operations: <option>auth</option> (to allow authentication using
8b9f0921 ZJS	102	the encrypted data), <option>account</option> (because users with
9e6df034 ZJS	103	<filename>systemd-homed.service</filename> user accounts are described in a <ulink
9e6df034 ZJS	104	url="https://systemd.io/USER_RECORD/">JSON user record</ulink> and may be configured in more detail than
8b9f0921 ZJS	105	in the traditional Linux user database), <option>session</option> (because user sessions must be tracked
	106	in order to implement automatic release when the last session of the user is gone),
	107	<option>password</option> (to change the encryption password — also used for user authentication —
	108	through PAM).</para>
28e208a7 LP	109	</refsect1>
	110
	111	<refsect1>
	112	<title>Environment</title>
	113
	114	<para>The following environment variables are initialized by the module and available to the processes of the
	115	user's session:</para>
	116
	117	<variablelist class='environment-variables'>
	118	<varlistentry>
	119	<term><varname>$SYSTEMD_HOME=1</varname></term>
	120
	121	<listitem><para>Indicates that the user's home directory is managed by <filename>systemd-homed.service</filename>.</para></listitem>
	122	</varlistentry>
	123
764ae4dd LP	124	<varlistentry>
	125	<term><varname>$SYSTEMD_HOME_SUSPEND=</varname></term>
	126
	127	<listitem><para>Indicates whether the session has been registered with the suspend mechanism enabled
	128	or disabled (see above). The variable's value is either <literal>0</literal> or
	129	<literal>1</literal>. Note that the module both reads the variable when initializing, and sets it for
	130	sessions.</para></listitem>
	131	</varlistentry>
	132
28e208a7 LP	133	</variablelist>
	134	</refsect1>
	135
	136	<refsect1>
	137	<title>Example</title>
	138
	139	<para>Here's an example PAM configuration fragment that permits users managed by
	140	<filename>systemd-homed.service</filename> to log in:</para>
	141
	142	<programlisting>#%PAM-1.0
	143	auth sufficient pam_unix.so
c6472bb0	144	<command>-auth sufficient pam_systemd_home.so</command>
28e208a7 LP	145	auth required pam_deny.so
	146
	147	account required pam_nologin.so
c6472bb0	148	<command>-account sufficient pam_systemd_home.so</command>
28e208a7 LP	149	account sufficient pam_unix.so
	150	account required pam_permit.so
	151
c6472bb0	152	<command>-password sufficient pam_systemd_home.so</command>
971c07fc	153	password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
28e208a7 LP	154	password required pam_deny.so
	155
	156	-session optional pam_keyinit.so revoke
	157	-session optional pam_loginuid.so
c6472bb0	158	<command>-session optional pam_systemd_home.so</command>
28e208a7 LP	159	-session optional pam_systemd.so
	160	session required pam_unix.so</programlisting>
	161	</refsect1>
	162
	163	<refsect1>
	164	<title>See Also</title>
	165	<para>
	166	<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	167	<citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
	168	<citerefentry><refentrytitle>homed.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
	169	<citerefentry><refentrytitle>homectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	170	<citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
	171	<citerefentry project='man-pages'><refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
	172	<citerefentry project='man-pages'><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
	173	<citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	174	</para>
	175	</refsect1>
	176
	177	</refentry>