man: fix issues reported by the manpage-l10n project
<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="pam_systemd_home" conditional='ENABLE_PAM_HOME'>

<refentryinfo>
<title>pam_systemd_home</title>
<productname>systemd</productname>
</refentryinfo>

<refmeta>
<refentrytitle>pam_systemd_home</refentrytitle>
<manvolnum>8</manvolnum>
</refmeta>

<refnamediv>
<refname>pam_systemd_home</refname>
<refpurpose>Authenticate users and mount home directories via <filename>systemd-homed.service</filename>
</refpurpose>
</refnamediv>

<refsynopsisdiv>
<para><filename>pam_systemd_home.so</filename></para>
</refsynopsisdiv>

<refsect1>
<title>Description</title>

<para><command>pam_systemd_home</command> ensures that home directories managed by
<citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
are automatically activated (mounted) on user login, and are deactivated (unmounted) when the last
session of the user ends. For such users, it also provides authentication (when per-user disk encryption
is used, the disk encryption key is derived from the authentication credential supplied at login time),
account management (the <ulink url="https://systemd.io/USER_RECORD/">JSON user record</ulink> embedded in
the home store contains account details), and implements the updating of the encryption password (which
is also used for user authentication).</para>
</refsect1>

<refsect1>
<title>Options</title>

<para>The following options are understood:</para>

<variablelist class='pam-directives'>

<varlistentry>
<term><varname>suspend=</varname></term>

<listitem><para>Takes a boolean argument. If true, the home directory of the user will be suspended
automatically during system suspend; if false it will remain active. Automatic suspending of the home
directory improves security substantially as secret key material is automatically removed from memory
before the system is put to sleep and must be re-acquired (through user re-authentication) when
coming back from suspend. It is recommended to set this parameter for all PAM applications that have
support for automatically re-authenticating via PAM on system resume. If multiple sessions of the
same user are open in parallel the user's home directory will be left unsuspended on system suspend
as long as at least one of the sessions does not set this parameter to on. Defaults to
off.</para>

<para>Note that TTY logins generally do not support re-authentication on system resume.
Re-authentication on system resume is primarily a concept implementable in graphical environments, in
the form of lock screens brought up automatically when the system goes to sleep. This means that if a
user concurrently uses graphical login sessions that implement the required re-authentication
mechanism and console logins that do not, the home directory is not locked during suspend, due to the
logic explained above. That said, it is possible to set this field for TTY logins too, ignoring the
fact that TTY logins actually don't support the re-authentication mechanism. In that case the TTY
sessions will appear hung until the user logs in on another virtual terminal (regardless of whether via
another TTY session or graphically), which will resume the home directory and unblock the original TTY
session. (Do note that the lack of screen locking on TTY sessions means that even though the TTY session
appears hung, keypresses can still be queued into it, and the existing screen contents can be read
without re-authentication; this limitation is unrelated to the home directory management that
<command>pam_systemd_home</command> and <filename>systemd-homed.service</filename> implement.)</para>

<para>Turning this option on by default is highly recommended for all sessions, but only if the
service managing these sessions correctly implements the aforementioned re-authentication. Note that
the re-authentication must take place from a component running outside of the user's context, so that
it does not require access to the user's home directory for operation. Traditionally, most desktop
environments do not implement screen locking this way, and need to be updated
accordingly.</para>

<para>This setting may also be controlled via the <varname>$SYSTEMD_HOME_SUSPEND</varname>
environment variable (see below), which <command>pam_systemd_home</command> reads during initialization and sets
for sessions. If both the environment variable is set and the module parameter is specified, the latter
takes precedence.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>debug</varname><optional>=</optional></term>

<listitem><para>Takes an optional boolean argument. If the argument is yes, or if no argument is given, the module will log
debugging information as it operates.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>

<refsect1>
<title>Module Types Provided</title>

<para>The module implements all four PAM operations: <option>auth</option> (to allow authentication using
the encrypted data), <option>account</option> (because users with
<filename>systemd-homed.service</filename> user accounts are described in a <ulink
url="https://systemd.io/USER_RECORD/">JSON user record</ulink> and may be configured in more detail than
in the traditional Linux user database), <option>session</option> (because user sessions must be tracked
in order to implement automatic release when the last session of the user is gone), and
<option>password</option> (to change the encryption password — also used for user authentication —
through PAM).</para>
</refsect1>

<refsect1>
<title>Environment</title>

<para>The following environment variables are initialized by the module and available to the processes of the
user's session:</para>

<variablelist class='environment-variables'>
<varlistentry>
<term><varname>$SYSTEMD_HOME=1</varname></term>

<listitem><para>Indicates that the user's home directory is managed by <filename>systemd-homed.service</filename>.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>$SYSTEMD_HOME_SUSPEND=</varname></term>

<listitem><para>Indicates whether the session has been registered with the suspend mechanism enabled
or disabled (see above). The variable's value is either <literal>0</literal> or
<literal>1</literal>. Note that the module both reads the variable when initializing, and sets it for
sessions.</para></listitem>
</varlistentry>

</variablelist>
</refsect1>

<refsect1>
<title>Example</title>

<para>Here's an example PAM configuration fragment that permits users managed by
<filename>systemd-homed.service</filename> to log in:</para>

<programlisting>#%PAM-1.0
auth sufficient pam_unix.so
<command>-auth sufficient pam_systemd_home.so</command>
auth required pam_deny.so

account required pam_nologin.so
<command>-account sufficient pam_systemd_home.so</command>
account sufficient pam_unix.so
account required pam_permit.so

<command>-password sufficient pam_systemd_home.so</command>
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password required pam_deny.so

-session optional pam_keyinit.so revoke
-session optional pam_loginuid.so
<command>-session optional pam_systemd_home.so</command>
-session optional pam_systemd.so
session required pam_unix.so</programlisting>
</refsect1>
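<para>The following is an added example and is not part of this man page or of the systemd code base. It ties the <varname>suspend=</varname> description above to the PAM fragment just shown: a POSIX shell script parses three constructed <filename>pam.d</filename>-style fragments (a display-manager stack that sets <literal>suspend=on</literal>, a TTY login stack that leaves the parameter at its default, and an sshd stack with a bracketed control field and an explicit <literal>suspend=no</literal>), extracts the parameter from each <filename>pam_systemd_home.so</filename> session line, and then applies the documented rule that the home directory is only suspended with the system when every open session of the user was registered with suspend on. The fragments, the service names and the two helper functions are assumptions made for the example; the accepted boolean spellings are assumed to be the usual systemd ones, and the <varname>$SYSTEMD_HOME_SUSPEND</varname> environment variable (which the module parameter overrides) is not modelled.</para>

```shell
#!/bin/sh
# Added example (not systemd code): audit pam_systemd_home.so session lines for
# the suspend= parameter and apply the man page's rule for concurrent sessions.
set -f   # no pathname expansion while splitting config lines into fields

# Constructed pam.d fragments (assumptions, not taken from any distribution).
# The display manager opts into suspending the home directory, the TTY login
# leaves the parameter at the documented default (off), and the sshd stack
# uses a bracketed control field and turns it off explicitly.
GDM_PAM='#%PAM-1.0
auth       sufficient  pam_unix.so
-auth      sufficient  pam_systemd_home.so
auth       required    pam_deny.so
-session   optional    pam_systemd_home.so suspend=on
-session   optional    pam_systemd.so
session    required    pam_unix.so'

LOGIN_PAM='#%PAM-1.0
-auth      sufficient  pam_systemd_home.so
auth       required    pam_unix.so
-session   optional    pam_systemd_home.so
session    required    pam_unix.so'

SSHD_PAM='#%PAM-1.0
auth       substack    password-auth
-session   [default=ignore] pam_systemd_home.so suspend=no
session    required    pam_unix.so'

# session_suspend_state < pam_fragment
# Prints "on" or "off" for the suspend= value on the pam_systemd_home.so
# session line (off when the parameter is absent, matching the documented
# default), or "none" when the module is not in the session stack at all.
session_suspend_state() {
    state=none
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        set -- $line                        # split into: type control module [args]
        [ $# -ge 3 ] || continue
        [ "${1#-}" = session ] || continue  # a leading '-' marks an optional module
        shift
        # The control field is one word or a bracketed list such as
        # [success=1 default=ignore]; skip through to the closing bracket.
        case "$1" in
            \[*) while [ $# -gt 0 ]; do ctl=$1; shift; case "$ctl" in *\]) break ;; esac; done ;;
            *)   shift ;;
        esac
        [ $# -gt 0 ] || continue
        case "$1" in pam_systemd_home.so|*/pam_systemd_home.so) ;; *) continue ;; esac
        shift
        state=off
        for arg in "$@"; do
            case "$arg" in
                suspend=1|suspend=yes|suspend=true|suspend=on)  state=on ;;
                suspend=0|suspend=no|suspend=false|suspend=off) state=off ;;
            esac
        done
    done
    printf '%s\n' "$state"
}

# homed_suspends_home STATE...
# The rule from the suspend= description: with several sessions of one user
# open, the home directory is suspended with the system only if every session
# was registered with suspend on. Returns 0 (true) if it will be suspended,
# 1 if at least one session keeps it active. Sessions whose stack lacks the
# module ("none") never registered with systemd-homed and are not counted
# (an assumption of this example); with no registered session at all there
# is nothing to suspend, so 1 is returned as well.
homed_suspends_home() {
    registered=0
    for s in "$@"; do
        case "$s" in
            on)  registered=1 ;;
            off) return 1 ;;
        esac
    done
    [ "$registered" -eq 1 ]
}

# Demonstration on the constructed fragments.
gdm=$(printf '%s\n' "$GDM_PAM"   | session_suspend_state)
tty=$(printf '%s\n' "$LOGIN_PAM" | session_suspend_state)
ssh=$(printf '%s\n' "$SSHD_PAM"  | session_suspend_state)
echo "gdm: suspend=$gdm  login: suspend=$tty  sshd: suspend=$ssh"
for open in "$gdm" "$gdm $tty" "$gdm $ssh"; do
    if homed_suspends_home $open; then
        echo "open sessions [$open]: home directory suspends with the system"
    else
        echo "open sessions [$open]: home directory stays active (a session has suspend off)"
    fi
done
```

Run it with <command>sh</command>. To audit a real system, feed the actual service files instead of the constructed strings, for example <command>session_suspend_state &lt; /etc/pam.d/login</command>; any service that can hold a session of the user and reports <literal>off</literal> is enough to keep the home directory, and with it the volume key material, active across a system suspend.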

<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>homed.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>homectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>
</refsect1>

</refentry>