Skip to content

Mounting on login using pam_mount

gnu300 edited this page Nov 14, 2019 · 6 revisions

This is tested on Fedora 24 and Fedora 31 Workstation with active SELinux.

This also works on Ubuntu 16.04 LTS after installing libpam-mount:

$ sudo apt-get install libpam-mount

Feedback on other platforms is welcome.

gocryptfs

Copy the gocryptfs binary into /usr/local/bin .

Create a gocryptfs filesystem:

$ mkdir /home/testuser/cipher /home/testuser/plain
$ gocryptfs -init /home/testuser/cipher

pam_mount config

Put the following into /etc/security/pam_mount.conf.xml, just before the closing </pam_mount> tag at the bottom:

<volume user="testuser" fstype="fuse" options="nodev,nosuid,quiet"
path="/usr/local/bin/gocryptfs#/home/%(USER)/cipher" mountpoint="/home/%(USER)/plain" />

Replace testuser with your user name.

PAM config

An example /etc/pam.d/sshd on Fedora 24 and an example /etc/pam.d/sddm on Fedora 31 Workstation is shown below. Basically, pam_mount must be called two times:

  1. As the last element in "auth" so it gets the password.
  2. As the last element in "session", where it performs the actual mount.

/etc/pam.d/sshd

#%PAM-1.0
auth	   required	pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
# vvv insert here #
auth optional pam_mount.so
# ^^^ insert here #
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
# vvv insert here #
session optional pam_mount.so
# ^^^ insert here #

/etc/pam.d/sddm

auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth        substack      password-auth
-auth        optional      pam_gnome_keyring.so
-auth        optional      pam_kwallet5.so
-auth        optional      pam_kwallet.so
auth        include       postlogin

# vvv insert here #
auth       optional     pam_mount.so
# ^^^ insert here #

account     required      pam_nologin.so
account     include       password-auth

password    include       password-auth

session     required      pam_selinux.so close
session     required      pam_loginuid.so
session     optional      pam_console.so
-session    optional    pam_ck_connector.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     include       password-auth
-session     optional      pam_gnome_keyring.so auto_start
-session     optional      pam_kwallet5.so auto_start
-session     optional      pam_kwallet.so auto_start
session     include       postlogin

# vvv insert here #
session    optional     pam_mount.so
# ^^^ insert here #

Encrypting the whole home directory

Use this volume definition in /etc/security/pam_mount.conf.xml:

<volume user="testuser" fstype="fuse" options="nodev,nosuid,quiet,nonempty,allow_other"
path="/usr/local/bin/gocryptfs#/home/%(USER).cipher" mountpoint="/home/%(USER)" />
You can’t perform that action at this time.