]>
Commit | Line | Data |
---|---|---|
28e208a7 LP |
1 | <?xml version='1.0'?> <!--*-nxml-*--> |
2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" | |
3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> | |
db9ecf05 | 4 | <!-- SPDX-License-Identifier: LGPL-2.1-or-later --> |
28e208a7 | 5 | |
af06ddf5 | 6 | <refentry id="pam_systemd_home" conditional='ENABLE_PAM_HOME'> |
28e208a7 LP |
7 | |
8 | <refentryinfo> | |
9 | <title>pam_systemd_home</title> | |
10 | <productname>systemd</productname> | |
11 | </refentryinfo> | |
12 | ||
13 | <refmeta> | |
14 | <refentrytitle>pam_systemd_home</refentrytitle> | |
15 | <manvolnum>8</manvolnum> | |
16 | </refmeta> | |
17 | ||
18 | <refnamediv> | |
19 | <refname>pam_systemd_home</refname> | |
9e6df034 ZJS |
20 | <refpurpose>Authenticate users and mount home directories via <filename>systemd-homed.service</filename> |
21 | </refpurpose> | |
28e208a7 LP |
22 | </refnamediv> |
23 | ||
24 | <refsynopsisdiv> | |
25 | <para><filename>pam_systemd_home.so</filename></para> | |
26 | </refsynopsisdiv> | |
27 | ||
28 | <refsect1> | |
29 | <title>Description</title> | |
30 | ||
31 | <para><command>pam_systemd_home</command> ensures that home directories managed by | |
32 | <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
33 | are automatically activated (mounted) on user login, and are deactivated (unmounted) when the last | |
9e6df034 ZJS |
34 | session of the user ends. For such users, it also provides authentication (when per-user disk encryption |
35 | is used, the disk encryption key is derived from the authentication credential supplied at login time), | |
36 | account management (the <ulink url="https://systemd.io/USER_RECORD/">JSON user record</ulink> embedded in | |
37 | the home store contains account details), and implements the updating of the encryption password (which | |
38 | is also used for user authentication).</para> | |
28e208a7 LP |
39 | </refsect1> |
40 | ||
41 | <refsect1> | |
42 | <title>Options</title> | |
43 | ||
44 | <para>The following options are understood:</para> | |
45 | ||
46 | <variablelist class='pam-directives'> | |
47 | ||
48 | <varlistentry> | |
49 | <term><varname>suspend=</varname></term> | |
50 | ||
51 | <listitem><para>Takes a boolean argument. If true, the home directory of the user will be suspended | |
52 | automatically during system suspend; if false it will remain active. Automatic suspending of the home | |
53 | directory improves security substantially as secret key material is automatically removed from memory | |
2a4be3c5 ZJS |
54 | before the system is put to sleep and must be re-acquired (through user re-authentication) when |
55 | coming back from suspend. It is recommended to set this parameter for all PAM applications that have | |
56 | support for automatically re-authenticating via PAM on system resume. If multiple sessions of the | |
57 | same user are open in parallel the user's home directory will be left unsuspended on system suspend | |
562ffaca LP |
58 | as long as at least one of the sessions does not set this parameter to on. Defaults to |
59 | off.</para> | |
60 | ||
61 | <para>Note that TTY logins generally do not support re-authentication on system resume. | |
62 | Re-authentication on system resume is primarily a concept implementable in graphical environments, in | |
63 | the form of lock screens brought up automatically when the system goes to sleep. This means that if a | |
64 | user concurrently uses graphical login sessions that implement the required re-authentication | |
65 | mechanism and console logins that do not, the home directory is not locked during suspend, due to the | |
66 | logic explained above. That said, it is possible to set this field for TTY logins too, ignoring the | |
67 | fact that TTY logins actually don't support the re-authentication mechanism. In that case the TTY | |
68 | sessions will appear hung until the user logs in on another virtual terminal (regardless if via | |
69 | another TTY session or graphically) which will resume the home directory and unblock the original TTY | |
70 | session. (Do note that lack of screen locking on TTY sessions means even though the TTY session | |
71 | appears hung, keypresses can still be queued into it, and the existing screen contents be read | |
72 | without re-authentication; this limitation is unrelated to the home directory management | |
73 | <command>pam_systemd_home</command> and <filename>systemd-homed.service</filename> implement.)</para> | |
74 | ||
75 | <para>Turning this option on by default is highly recommended for all sessions, but only if the | |
76 | service managing these sessions correctly implements the aforementioned re-authentication. Note that | |
86b52a39 | 77 | the re-authentication must take place from a component running outside of the user's context, so that |
562ffaca LP |
78 | it does not require access to the user's home directory for operation. Traditionally, most desktop |
79 | environments do not implement screen locking this way, and need to be updated | |
764ae4dd LP |
80 | accordingly.</para> |
81 | ||
82 | <para>This setting may also be controlled via the <varname>$SYSTEMD_HOME_SUSPEND</varname> | |
83 | environment variable (see below), which <command>pam_systemd_home</command> reads during initialization and sets | |
84 | for sessions. If both the environment variable is set and the module parameter specified the latter | |
85 | takes precedence.</para></listitem> | |
28e208a7 LP |
86 | </varlistentry> |
87 | ||
88 | <varlistentry> | |
89 | <term><varname>debug</varname><optional>=</optional></term> | |
90 | ||
91 | <listitem><para>Takes an optional boolean argument. If yes or without the argument, the module will log | |
92 | debugging information as it operates.</para></listitem> | |
93 | </varlistentry> | |
94 | </variablelist> | |
95 | </refsect1> | |
96 | ||
97 | <refsect1> | |
98 | <title>Module Types Provided</title> | |
99 | ||
8b9f0921 ZJS |
100 | <para>The module implements all four PAM operations: <option>auth</option> (to allow authentication using |
101 | the encrypted data), <option>account</option> (because users with | |
9e6df034 ZJS |
102 | <filename>systemd-homed.service</filename> user accounts are described in a <ulink |
103 | url="https://systemd.io/USER_RECORD/">JSON user record</ulink> and may be configured in more detail than | |
8b9f0921 ZJS |
104 | in the traditional Linux user database), <option>session</option> (because user sessions must be tracked |
105 | in order to implement automatic release when the last session of the user is gone), | |
106 | <option>password</option> (to change the encryption password — also used for user authentication — | |
107 | through PAM).</para> | |
28e208a7 LP |
108 | </refsect1> |
109 | ||
110 | <refsect1> | |
111 | <title>Environment</title> | |
112 | ||
113 | <para>The following environment variables are initialized by the module and available to the processes of the | |
114 | user's session:</para> | |
115 | ||
116 | <variablelist class='environment-variables'> | |
117 | <varlistentry> | |
118 | <term><varname>$SYSTEMD_HOME=1</varname></term> | |
119 | ||
120 | <listitem><para>Indicates that the user's home directory is managed by <filename>systemd-homed.service</filename>.</para></listitem> | |
121 | </varlistentry> | |
122 | ||
764ae4dd LP |
123 | <varlistentry> |
124 | <term><varname>$SYSTEMD_HOME_SUSPEND=</varname></term> | |
125 | ||
126 | <listitem><para>Indicates whether the session has been registered with the suspend mechanism enabled | |
127 | or disabled (see above). The variable's value is either <literal>0</literal> or | |
128 | <literal>1</literal>. Note that the module both reads the variable when initializing, and sets it for | |
129 | sessions.</para></listitem> | |
130 | </varlistentry> | |
131 | ||
28e208a7 LP |
132 | </variablelist> |
133 | </refsect1> | |
134 | ||
135 | <refsect1> | |
136 | <title>Example</title> | |
137 | ||
138 | <para>Here's an example PAM configuration fragment that permits users managed by | |
139 | <filename>systemd-homed.service</filename> to log in:</para> | |
140 | ||
141 | <programlisting>#%PAM-1.0 | |
142 | auth sufficient pam_unix.so | |
c6472bb0 | 143 | <command>-auth sufficient pam_systemd_home.so</command> |
28e208a7 LP |
144 | auth required pam_deny.so |
145 | ||
146 | account required pam_nologin.so | |
c6472bb0 | 147 | <command>-account sufficient pam_systemd_home.so</command> |
28e208a7 LP |
148 | account sufficient pam_unix.so |
149 | account required pam_permit.so | |
150 | ||
c6472bb0 | 151 | <command>-password sufficient pam_systemd_home.so</command> |
971c07fc | 152 | password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok |
28e208a7 LP |
153 | password required pam_deny.so |
154 | ||
155 | -session optional pam_keyinit.so revoke | |
156 | -session optional pam_loginuid.so | |
c6472bb0 | 157 | <command>-session optional pam_systemd_home.so</command> |
28e208a7 LP |
158 | -session optional pam_systemd.so |
159 | session required pam_unix.so</programlisting> | |
160 | </refsect1> | |
161 | ||
162 | <refsect1> | |
163 | <title>See Also</title> | |
164 | <para> | |
165 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
166 | <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
167 | <citerefentry><refentrytitle>homed.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
168 | <citerefentry><refentrytitle>homectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
169 | <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>, | |
170 | <citerefentry project='man-pages'><refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
171 | <citerefentry project='man-pages'><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, | |
172 | <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry> | |
173 | </para> | |
174 | </refsect1> | |
175 | ||
176 | </refentry> |