]>
Commit | Line | Data |
---|---|---|
28e208a7 LP |
1 | <?xml version='1.0'?> <!--*-nxml-*--> |
2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" | |
3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> | |
4 | <!-- SPDX-License-Identifier: LGPL-2.1+ --> | |
5 | ||
af06ddf5 | 6 | <refentry id="pam_systemd_home" conditional='ENABLE_PAM_HOME'> |
28e208a7 LP |
7 | |
8 | <refentryinfo> | |
9 | <title>pam_systemd_home</title> | |
10 | <productname>systemd</productname> | |
11 | </refentryinfo> | |
12 | ||
13 | <refmeta> | |
14 | <refentrytitle>pam_systemd_home</refentrytitle> | |
15 | <manvolnum>8</manvolnum> | |
16 | </refmeta> | |
17 | ||
18 | <refnamediv> | |
19 | <refname>pam_systemd_home</refname> | |
20 | <refpurpose>Automatically mount home directories managed by <filename>systemd-homed.service</filename> on | |
21 | login, and unmount them on logout</refpurpose> | |
22 | </refnamediv> | |
23 | ||
24 | <refsynopsisdiv> | |
25 | <para><filename>pam_systemd_home.so</filename></para> | |
26 | </refsynopsisdiv> | |
27 | ||
28 | <refsect1> | |
29 | <title>Description</title> | |
30 | ||
31 | <para><command>pam_systemd_home</command> ensures that home directories managed by | |
32 | <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
33 | are automatically activated (mounted) on user login, and are deactivated (unmounted) when the last | |
34 | session of the user ends.</para> | |
35 | </refsect1> | |
36 | ||
37 | <refsect1> | |
38 | <title>Options</title> | |
39 | ||
40 | <para>The following options are understood:</para> | |
41 | ||
42 | <variablelist class='pam-directives'> | |
43 | ||
44 | <varlistentry> | |
45 | <term><varname>suspend=</varname></term> | |
46 | ||
47 | <listitem><para>Takes a boolean argument. If true, the home directory of the user will be suspended | |
48 | automatically during system suspend; if false it will remain active. Automatic suspending of the home | |
49 | directory improves security substantially as secret key material is automatically removed from memory | |
2a4be3c5 ZJS |
50 | before the system is put to sleep and must be re-acquired (through user re-authentication) when |
51 | coming back from suspend. It is recommended to set this parameter for all PAM applications that have | |
52 | support for automatically re-authenticating via PAM on system resume. If multiple sessions of the | |
53 | same user are open in parallel the user's home directory will be left unsuspended on system suspend | |
562ffaca LP |
54 | as long as at least one of the sessions does not set this parameter to on. Defaults to |
55 | off.</para> | |
56 | ||
57 | <para>Note that TTY logins generally do not support re-authentication on system resume. | |
58 | Re-authentication on system resume is primarily a concept implementable in graphical environments, in | |
59 | the form of lock screens brought up automatically when the system goes to sleep. This means that if a | |
60 | user concurrently uses graphical login sessions that implement the required re-authentication | |
61 | mechanism and console logins that do not, the home directory is not locked during suspend, due to the | |
62 | logic explained above. That said, it is possible to set this field for TTY logins too, ignoring the | |
63 | fact that TTY logins actually don't support the re-authentication mechanism. In that case the TTY | |
64 | sessions will appear hung until the user logs in on another virtual terminal (regardless if via | |
65 | another TTY session or graphically) which will resume the home directory and unblock the original TTY | |
66 | session. (Do note that lack of screen locking on TTY sessions means even though the TTY session | |
67 | appears hung, keypresses can still be queued into it, and the existing screen contents be read | |
68 | without re-authentication; this limitation is unrelated to the home directory management | |
69 | <command>pam_systemd_home</command> and <filename>systemd-homed.service</filename> implement.)</para> | |
70 | ||
71 | <para>Turning this option on by default is highly recommended for all sessions, but only if the | |
72 | service managing these sessions correctly implements the aforementioned re-authentication. Note that | |
86b52a39 | 73 | the re-authentication must take place from a component running outside of the user's context, so that |
562ffaca LP |
74 | it does not require access to the user's home directory for operation. Traditionally, most desktop |
75 | environments do not implement screen locking this way, and need to be updated | |
76 | accordingly.</para></listitem> | |
28e208a7 LP |
77 | </varlistentry> |
78 | ||
79 | <varlistentry> | |
80 | <term><varname>debug</varname><optional>=</optional></term> | |
81 | ||
82 | <listitem><para>Takes an optional boolean argument. If yes or without the argument, the module will log | |
83 | debugging information as it operates.</para></listitem> | |
84 | </varlistentry> | |
85 | </variablelist> | |
86 | </refsect1> | |
87 | ||
88 | <refsect1> | |
89 | <title>Module Types Provided</title> | |
90 | ||
91 | <para>The module provides all four management operations: <option>auth</option>, <option>account</option>, | |
92 | <option>session</option>, <option>password</option>.</para> | |
93 | </refsect1> | |
94 | ||
95 | <refsect1> | |
96 | <title>Environment</title> | |
97 | ||
98 | <para>The following environment variables are initialized by the module and available to the processes of the | |
99 | user's session:</para> | |
100 | ||
101 | <variablelist class='environment-variables'> | |
102 | <varlistentry> | |
103 | <term><varname>$SYSTEMD_HOME=1</varname></term> | |
104 | ||
105 | <listitem><para>Indicates that the user's home directory is managed by <filename>systemd-homed.service</filename>.</para></listitem> | |
106 | </varlistentry> | |
107 | ||
108 | </variablelist> | |
109 | </refsect1> | |
110 | ||
111 | <refsect1> | |
112 | <title>Example</title> | |
113 | ||
114 | <para>Here's an example PAM configuration fragment that permits users managed by | |
115 | <filename>systemd-homed.service</filename> to log in:</para> | |
116 | ||
117 | <programlisting>#%PAM-1.0 | |
118 | auth sufficient pam_unix.so | |
119 | -auth sufficient pam_systemd_home.so | |
120 | auth required pam_deny.so | |
121 | ||
122 | account required pam_nologin.so | |
123 | -account sufficient pam_systemd_home.so | |
124 | account sufficient pam_unix.so | |
125 | account required pam_permit.so | |
126 | ||
127 | -password sufficient pam_systemd_home.so | |
128 | password sufficient pam_unix.so sha512 shadow try_first_pass try_authtok | |
129 | password required pam_deny.so | |
130 | ||
131 | -session optional pam_keyinit.so revoke | |
132 | -session optional pam_loginuid.so | |
133 | -session optional pam_systemd_home.so | |
134 | -session optional pam_systemd.so | |
135 | session required pam_unix.so</programlisting> | |
136 | </refsect1> | |
137 | ||
138 | <refsect1> | |
139 | <title>See Also</title> | |
140 | <para> | |
141 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
142 | <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
143 | <citerefentry><refentrytitle>homed.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
144 | <citerefentry><refentrytitle>homectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
145 | <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
146 | <citerefentry project='man-pages'><refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
147 | <citerefentry project='man-pages'><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
148 | <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
149 | </para> | |
150 | </refsect1> | |
151 | ||
152 | </refentry> |