Merge pull request #15392 from keszybz/flag-helper
<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1+ -->

<refentry id="pam_systemd_home" conditional='ENABLE_PAM_HOME'>

<refentryinfo>
<title>pam_systemd_home</title>
<productname>systemd</productname>
</refentryinfo>

<refmeta>
<refentrytitle>pam_systemd_home</refentrytitle>
<manvolnum>8</manvolnum>
</refmeta>

<refnamediv>
<refname>pam_systemd_home</refname>
<refpurpose>Automatically mount home directories managed by <filename>systemd-homed.service</filename> on
login, and unmount them on logout</refpurpose>
</refnamediv>

<refsynopsisdiv>
<para><filename>pam_systemd_home.so</filename></para>
</refsynopsisdiv>

<refsect1>
<title>Description</title>

<para><command>pam_systemd_home</command> ensures that home directories managed by
<citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
are automatically activated (mounted) on user login, and are deactivated (unmounted) when the last
session of the user ends.</para>
</refsect1>

<refsect1>
<title>Options</title>

<para>The following options are understood:</para>

<variablelist class='pam-directives'>

<varlistentry>
<term><varname>suspend=</varname></term>

<listitem><para>Takes a boolean argument. If true, the home directory of the user will be suspended
automatically during system suspend; if false it will remain active. Automatic suspending of the home
directory improves security substantially as secret key material is automatically removed from memory
before the system is put to sleep and must be re-acquired (through user re-authentication) when
coming back from suspend. It is recommended to set this parameter for all PAM applications that have
support for automatically re-authenticating via PAM on system resume. If multiple sessions of the
same user are open in parallel the user's home directory will be left unsuspended on system suspend
as long as at least one of the sessions does not set this parameter to on. Defaults to
off.</para>

<para>Note that TTY logins generally do not support re-authentication on system resume.
Re-authentication on system resume is primarily a concept implementable in graphical environments, in
the form of lock screens brought up automatically when the system goes to sleep. This means that if a
user concurrently uses graphical login sessions that implement the required re-authentication
mechanism and console logins that do not, the home directory is not locked during suspend, due to the
logic explained above. That said, it is possible to set this field for TTY logins too, ignoring the
fact that TTY logins actually don't support the re-authentication mechanism. In that case the TTY
sessions will appear hung until the user logs in on another virtual terminal (regardless of whether via
another TTY session or graphically) which will resume the home directory and unblock the original TTY
session. (Do note that lack of screen locking on TTY sessions means even though the TTY session
appears hung, keypresses can still be queued into it, and the existing screen contents be read
without re-authentication; this limitation is unrelated to the home directory management
<command>pam_systemd_home</command> and <filename>systemd-homed.service</filename> implement.)</para>

<para>Turning this option on by default is highly recommended for all sessions, but only if the
service managing these sessions correctly implements the aforementioned re-authentication. Note that
the re-authentication must take place from a component running outside of the user's context, so that
it does not require access to the user's home directory for operation. Traditionally, most desktop
environments do not implement screen locking this way, and need to be updated
accordingly.</para></listitem>
</varlistentry>

<varlistentry>
<term><varname>debug</varname><optional>=</optional></term>

<listitem><para>Takes an optional boolean argument. If yes or without the argument, the module will log
debugging information as it operates.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>

<refsect1>
<title>Module Types Provided</title>

<para>The module provides all four management operations: <option>auth</option>, <option>account</option>,
<option>session</option>, <option>password</option>.</para>
</refsect1>

<refsect1>
<title>Environment</title>

<para>The following environment variables are initialized by the module and available to the processes of the
user's session:</para>

<variablelist class='environment-variables'>
<varlistentry>
<term><varname>$SYSTEMD_HOME=1</varname></term>

<listitem><para>Indicates that the user's home directory is managed by <filename>systemd-homed.service</filename>.</para></listitem>
</varlistentry>

</variablelist>
</refsect1>

<refsect1>
<title>Example</title>

<para>Here's an example PAM configuration fragment that permits users managed by
<filename>systemd-homed.service</filename> to log in:</para>

<programlisting>#%PAM-1.0
auth sufficient pam_unix.so
-auth sufficient pam_systemd_home.so
auth required pam_deny.so

account required pam_nologin.so
-account sufficient pam_systemd_home.so
account sufficient pam_unix.so
account required pam_permit.so

-password sufficient pam_systemd_home.so
password sufficient pam_unix.so sha512 shadow try_first_pass try_authtok
password required pam_deny.so

-session optional pam_keyinit.so revoke
-session optional pam_loginuid.so
-session optional pam_systemd_home.so
-session optional pam_systemd.so
session required pam_unix.so</programlisting>
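<para>The following is an added worked example, not code from systemd or from this man page. It parses pam.d-style fragments such as the one above (including the leading <literal>-</literal> that silences a missing module, and bracket-style controls), reads the <varname>suspend=</varname> argument given to <filename>pam_systemd_home.so</filename> in each service's session stack, and then applies the rule from the <varname>suspend=</varname> option description: a user's home directory is suspended on system sleep only if every one of that user's open sessions set <varname>suspend=</varname> to on, and a TTY session that sets it will appear hung afterwards. The service names (<literal>gdm-password</literal>, <literal>login-suspend</literal>), the stacks other than the man page excerpt, and the set of accepted boolean spellings are assumptions made for the example.</para>

```python
"""Audit pam.d stacks for pam_systemd_home.so and model the suspend= rule.

Added example for this man page, not systemd's own code. The parser covers the
usual "[-]type control module args" line shape (including [bracket] controls);
it ignores backslash continuations and does not resolve 'include' lines.
"""
import re
from dataclasses import dataclass

PAM_LINE = re.compile(r'(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$')
# Boolean spellings (assumption: the ones systemd accepts for its settings).
TRUE_WORDS = {'1', 'yes', 'y', 'true', 't', 'on'}
FALSE_WORDS = {'0', 'no', 'n', 'false', 'f', 'off'}


@dataclass
class PamEntry:
    mgmt_type: str           # auth, account, session or password
    control: str             # sufficient, required, optional or [...]
    module: str              # e.g. pam_systemd_home.so
    args: dict               # key: value; bare flags such as 'debug' map to ''
    silent_if_missing: bool  # leading '-': skip quietly if the module is absent


def parse_pam_config(text):
    """Parse a pam.d-style fragment into PamEntry records in stack order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drops comments, incl. '#%PAM-1.0'
        if not line:
            continue
        silent = line.startswith('-')
        if silent:
            line = line[1:].lstrip()
        m = PAM_LINE.match(line)
        if m is None:
            raise ValueError(f'unparseable PAM line: {raw!r}')
        mgmt_type, control, module, rest = m.groups()
        args = {}
        for token in rest.split():
            key, sep, value = token.partition('=')
            args[key] = value if sep else ''
        entries.append(PamEntry(mgmt_type, control, module, args, silent))
    return entries


def parse_bool(value, default=False):
    """Interpret a boolean module argument, falling back to default."""
    if value.lower() in TRUE_WORDS:
        return True
    if value.lower() in FALSE_WORDS:
        return False
    return default


def homed_session_suspends(config_text):
    """True if the session stack passes a true suspend= to pam_systemd_home.so."""
    for e in parse_pam_config(config_text):
        if e.mgmt_type == 'session' and e.module == 'pam_systemd_home.so':
            return parse_bool(e.args.get('suspend', 'off'))
    return False  # module not in the session stack at all: the default is off


def plan_system_suspend(sessions, service_configs):
    """sessions: list of (user, pam_service, is_tty); service_configs maps a
    service name to its stack text. Returns (users whose home gets suspended,
    TTY sessions that will appear hung). Per the man page, a home is suspended
    only if every open session of that user set suspend=on."""
    per_user = {}
    for user, service, is_tty in sessions:
        wants = homed_session_suspends(service_configs[service])
        per_user.setdefault(user, []).append((service, is_tty, wants))
    suspended = {u for u, s in per_user.items() if all(w for _, _, w in s)}
    hung_ttys = [(u, svc) for u in sorted(suspended)
                 for svc, is_tty, _ in per_user[u] if is_tty]
    return suspended, hung_ttys


# Constructed sample stacks: LOGIN_STACK is an excerpt of the man page's
# fragment (TTY login, no suspend=); GDM_STACK is a hypothetical graphical
# service setting suspend=on; LOGIN_SUSPEND_STACK is a TTY stack that sets it.
LOGIN_STACK = """#%PAM-1.0
auth sufficient pam_unix.so
-auth sufficient pam_systemd_home.so
auth required pam_deny.so
-session optional pam_systemd_home.so
session required pam_unix.so
"""
GDM_STACK = """#%PAM-1.0
-auth sufficient pam_systemd_home.so
account [success=ok new_authtok_reqd=ok ignore=ignore default=bad] pam_unix.so
-session optional pam_systemd_home.so suspend=on debug
session required pam_unix.so
"""
LOGIN_SUSPEND_STACK = "-session optional pam_systemd_home.so suspend=yes\n"
SERVICE_CONFIGS = {'gdm-password': GDM_STACK, 'login': LOGIN_STACK,
                   'login-suspend': LOGIN_SUSPEND_STACK}
SESSIONS = [
    ('alice', 'gdm-password', False),
    ('alice', 'login', True),          # concurrent TTY login without suspend=
    ('bob', 'gdm-password', False),
    ('carol', 'login-suspend', True),  # TTY login that sets suspend=yes anyway
]


def demo():
    """Returns ({'bob', 'carol'}, [('carol', 'login-suspend')]) for the sample."""
    return plan_system_suspend(SESSIONS, SERVICE_CONFIGS)
```

<para>With the constructed sessions, alice's home stays active because her TTY login does not set the option, bob's home is suspended, and carol's home is suspended as well but her TTY session is reported as one that will appear hung until she resumes the home directory from another terminal. Running <function>parse_pam_config</function> over the real files in <filename>/etc/pam.d</filename> gives the same per-service view of which stacks actually request suspension.</para>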
</refsect1>

<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>homed.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>homectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>
</refsect1>

</refentry>