the re-authentication must take place from a component running outside of the user's context, so that
it does not require access to the user's home directory for operation. Traditionally, most desktop
environments do not implement screen locking this way, and need to be updated
- accordingly.</para></listitem>
+ accordingly.</para>
+
+ <para>This setting may also be controlled via the <varname>$SYSTEMD_HOME_SUSPEND</varname>
+ environment variable (see below), which <command>pam_systemd_home</command> reads during initialization and sets
+ for sessions. If both the environment variable is set and the module parameter specified the latter
+ takes precedence.</para></listitem>
</varlistentry>
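Review bot: The added paragraph says pam_systemd_home "reads during initialization" the $SYSTEMD_HOME_SUSPEND variable, but not which environment it is read from or who is expected to set it. Since the value decides whether the session is registered with the suspend mechanism, please state the source explicitly (for example, whether it is the PAM environment or the environment of the calling process). The precedence sentence is also missing a verb and a comma: "If both the environment variable is set and the module parameter specified the latter takes precedence" would read better as "If the environment variable is set and the module parameter is also specified, the latter takes precedence."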
<varlistentry>
<listitem><para>Indicates that the user's home directory is managed by <filename>systemd-homed.service</filename>.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>$SYSTEMD_HOME_SUSPEND=</varname></term>
+
+ <listitem><para>Indicates whether the session has been registered with the suspend mechanism enabled
+ or disabled (see above). The variable's value is either <literal>0</literal> or
+ <literal>1</literal>. Note that the module both reads the variable when initializing, and sets it for
+ sessions.</para></listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
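Review bot: The new term is spelled "$SYSTEMD_HOME_SUSPEND=" with a trailing "=", while the reference added to the module parameter description uses "$SYSTEMD_HOME_SUSPEND" without it; pick one spelling so the two entries match. The description gives the value as 0 or 1 but does not say which of the two means enabled, nor what the module does if it reads any other value at initialization; one sentence for each would close that gap. The empty "+" line before the closing variablelist tag looks unintended.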
<programlisting>#%PAM-1.0
auth sufficient pam_unix.so
--auth sufficient pam_systemd_home.so
+<command>-auth sufficient pam_systemd_home.so</command>
auth required pam_deny.so
account required pam_nologin.so
--account sufficient pam_systemd_home.so
+<command>-account sufficient pam_systemd_home.so</command>
account sufficient pam_unix.so
account required pam_permit.so
--password sufficient pam_systemd_home.so
+<command>-password sufficient pam_systemd_home.so</command>
password sufficient pam_unix.so sha512 shadow try_first_pass try_authtok
password required pam_deny.so
-session optional pam_keyinit.so revoke
-session optional pam_loginuid.so
--session optional pam_systemd_home.so
+<command>-session optional pam_systemd_home.so</command>
-session optional pam_systemd.so
session required pam_unix.so</programlisting>
</refsect1>
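Review bot: The four changed lines in the programlisting wrap PAM configuration entries in a command element, although they are stack entries rather than commands. If the intent is only to highlight the lines that belong to pam_systemd_home.so, say so in the sentence introducing the example, or use an emphasis-style element, so a reader does not take the markup to mean something to execute. It would also help to note in that sentence that the leading "-" on these entries is part of the PAM syntax and not a diff marker, since the rendered listing mixes entries with and without it.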