<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="pam_systemd_loadkey" conditional='HAVE_PAM' xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>pam_systemd_loadkey</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>pam_systemd_loadkey</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>pam_systemd_loadkey</refname>
    <refpurpose>Read password from kernel keyring and set it as PAM authtok</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>pam_systemd_loadkey.so</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>pam_systemd_loadkey</command> reads a NUL-separated password list from the kernel keyring,
    and sets the last password in the list as the PAM authtok.</para>

    <para>The password list is supposed to be stored in the "user" keyring of the root user,
    by an earlier call to
    <citerefentry><refentrytitle>systemd-ask-password</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    with <option>--keyname=</option>.
    You can pass the keyname to <command>pam_systemd_loadkey</command> via the <option>keyname=</option> option.</para>

  </refsect1>
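The following is an added illustration of the payload format described above (a NUL-separated password list of which the last entry becomes the authtok); it is not systemd's own code and is not part of this man page. The helper names `select_authtok` and `read_keyring_payload` are hypothetical. `read_keyring_payload` assumes the `keyctl` binary from keyutils is installed and that the calling process can see root's user keyring (`@u`), as a display manager running with `KeyringMode=inherit` would; the sample payloads are constructed, not captured from a real system.

```python
"""Added example mirroring the documented pam_systemd_loadkey payload handling.

Not systemd code. Parses a key payload the way this man page describes it
(NUL-separated password list, last entry wins) and, optionally, fetches such
a payload from the kernel keyring through keyutils' `keyctl` command.
"""
import subprocess
from typing import Optional


def select_authtok(payload: bytes) -> Optional[str]:
    """Return the last password of a NUL-separated list, or None if empty.

    The man page says the module "sets the last password in the list as the
    PAM authtok". Empty entries are ignored here, so a payload with a trailing
    NUL terminator and one without select the same (last) password, and a
    payload consisting only of NULs yields no authtok at all.
    """
    entries = [entry for entry in payload.split(b"\0") if entry]
    if not entries:
        return None
    # surrogateescape keeps the bytes recoverable if the passphrase is not UTF-8.
    return entries[-1].decode("utf-8", errors="surrogateescape")


def read_keyring_payload(keyname: str = "cryptsetup", keyring: str = "@u") -> bytes:
    """Fetch the raw payload of a "user" type key from a kernel keyring.

    Hypothetical helper built on keyutils: `keyctl search` resolves the key
    serial in the given keyring, `keyctl pipe` dumps the raw payload bytes.
    Must run in a process whose keyring view includes root's user keyring
    (compare KeyringMode=inherit in the Example section of this page).
    """
    serial = subprocess.run(
        ["keyctl", "search", keyring, "user", keyname],
        check=True, capture_output=True, text=True,
    ).stdout.strip()
    return subprocess.run(
        ["keyctl", "pipe", serial], check=True, capture_output=True,
    ).stdout


# Constructed sample payloads (not captured from a real keyring): a single
# passphrase, a two-entry list with a trailing NUL, and a list of only NULs.
SAMPLE_SINGLE = b"hunter2"
SAMPLE_MULTI = b"first-entry\0last-entry\0"
SAMPLE_EMPTY = b"\0\0"


if __name__ == "__main__":
    for sample in (SAMPLE_SINGLE, SAMPLE_MULTI, SAMPLE_EMPTY):
        print(repr(sample), "selects", repr(select_authtok(sample)))
```

`select_authtok` is the part worth reading: it makes explicit that only the final list entry ever reaches the PAM stack, which is what lets the Example section's `pam_gnome_keyring`/`pam_kwallet5` modules unlock with the same passphrase that `systemd-cryptsetup@.service` stored. `read_keyring_payload` is only usable on a live system as root or in a service that inherits root's keyring.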
  <refsect1>
    <title>Options</title>

    <para>The following options are understood:</para>

    <variablelist class='pam-directives'>

      <varlistentry>
        <term><varname>keyname=</varname></term>

        <listitem><para>Takes a string argument which sets the keyname to read.
        The default is <literal>cryptsetup</literal>.
        During boot,
        <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        stores a passphrase or PIN in the keyring.
        The LUKS2 volume key can also be used, via the <option>link-volume-key</option> option in
        <citerefentry><refentrytitle>crypttab</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>

        <table>
          <title>
            Possible values for <varname>keyname</varname>.
          </title>

          <tgroup cols='2'>
            <colspec colname='value' />
            <colspec colname='description' />
            <thead>
              <row>
                <entry>Value</entry>
                <entry>Description</entry>
              </row>
            </thead>
            <tbody>
              <row>
                <entry>cryptsetup</entry>
                <entry>Passphrase or recovery key</entry>
              </row>
              <row>
                <entry>fido2-pin</entry>
                <entry>Security token PIN</entry>
              </row>
              <row>
                <entry>luks2-pin</entry>
                <entry>LUKS2 token PIN</entry>
              </row>
              <row>
                <entry>tpm2-pin</entry>
                <entry>TPM2 PIN</entry>
              </row>
            </tbody>
          </tgroup>
        </table>

        <xi:include href="version-info.xml" xpointer="v255"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>debug</varname></term>

        <listitem><para>The module will log debugging information as it operates.</para>

        <xi:include href="version-info.xml" xpointer="v255"/></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Example</title>

    <para>This module is intended to be used when you use LUKS with a passphrase, enable autologin in the display
    manager, and want to unlock Gnome Keyring / KDE KWallet automatically. So in total, you only enter one password
    during boot.</para>

    <para>You need to set the password of your Gnome Keyring/KWallet to the same as your LUKS passphrase.
    Then add the following lines to your display manager's PAM config under <filename>/etc/pam.d/</filename> (e.g. <filename>sddm-autologin</filename>):</para>

    <programlisting>
-auth optional pam_systemd_loadkey.so
-auth optional pam_gnome_keyring.so
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet5.so auto_start
    </programlisting>

    <para>And add the following lines to your display manager's systemd service file, so it can access root's keyring:</para>

    <programlisting>
[Service]
KeyringMode=inherit
    </programlisting>

    <para>In this setup, early during the boot process,
    <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    will ask for the passphrase and store it in the kernel keyring with the keyname <literal>cryptsetup</literal>.
    Then when the display manager does the autologin, pam_systemd_loadkey will read the passphrase from the kernel keyring,
    set it as the PAM authtok, and then pam_gnome_keyring and pam_kwallet5 will unlock with the same passphrase.</para>
  </refsect1>

</refentry>