Mounting on login using pam_mount

rfjakob edited this page May 18, 2023 · 11 revisions

From https://inai.de/projects/pam_mount/ :

pam_mount is a Pluggable Authentication Module that can mount volumes for a user session.

Man pages:

The instructions here are tested on Fedora 24 and Fedora 31 Workstation with active SELinux.

This also works on Ubuntu 16.04 LTS after installing libpam-mount:

$ sudo apt-get install libpam-mount

Feedback on other platforms is welcome.

gocryptfs

Copy the gocryptfs binary into /usr/local/bin.

Create a gocryptfs filesystem:

$ mkdir $HOME/cipher $HOME/plain
$ gocryptfs -init $HOME/cipher

pam_mount config

Put the following into /etc/security/pam_mount.conf.xml, just before the closing </pam_mount> tag at the bottom:

<volume
    fstype="fuse"
    mountpoint="/home/%(USER)/plain"
    options="nodev,nosuid,quiet"
    path="/usr/local/bin/gocryptfs#/home/%(USER)/cipher"
    user="YOURUSERNAME"
/>

Replace YOURUSERNAME with your user name.

PAM config

The PAM config is located in /etc/pam.d/. Basically, pam_mount must be called two times:

  1. As the last element in "auth" so it gets the password.
  2. As the last element in "session", where it performs the actual mount.

Debian 12

No special config is required, since /etc/pam.d/common-auth and /etc/pam.d/common-session already contain the required lines.

Fedora 24 example

An example /etc/pam.d/sshd on Fedora 24 and an example /etc/pam.d/sddm on Fedora 31 Workstation are shown below.

/etc/pam.d/sshd

#%PAM-1.0
auth	   required	pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
# vvv insert here #
auth optional pam_mount.so
# ^^^ insert here #
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
# vvv insert here #
session optional pam_mount.so
# ^^^ insert here #

/etc/pam.d/sddm

auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth        substack      password-auth
-auth        optional      pam_gnome_keyring.so
-auth        optional      pam_kwallet5.so
-auth        optional      pam_kwallet.so
auth        include       postlogin

# vvv insert here #
auth       optional     pam_mount.so
# ^^^ insert here #

account     required      pam_nologin.so
account     include       password-auth

password    include       password-auth

session     required      pam_selinux.so close
session     required      pam_loginuid.so
session     optional      pam_console.so
-session    optional    pam_ck_connector.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     include       password-auth
-session     optional      pam_gnome_keyring.so auto_start
-session     optional      pam_kwallet5.so auto_start
-session     optional      pam_kwallet.so auto_start
session     include       postlogin

# vvv insert here #
session    optional     pam_mount.so
# ^^^ insert here #
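The two-call rule above (pam_mount.so last in "auth", last in "session") is easy to get wrong when a distribution ships a PAM file that ends with keyring or polkit modules. The following script is an added example, not part of this wiki page or of pam_mount itself; it checks a PAM service file for that ordering and uses two constructed sample files rather than touching /etc/pam.d/.

```shell
#!/bin/sh
# Added example: verify that a PAM service file calls pam_mount.so as the LAST
# "auth" rule and the LAST "session" rule, as the instructions above require.
# Usage: check_pam_mount_order /etc/pam.d/sshd   (exit 0 = OK, 1 = problem)
check_pam_mount_order() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            type = $1
            sub(/^-/, "", type)             # "-auth" is still an auth rule
            last[type] = $0                 # remember the last rule of each type
        }
        END {
            bad = 0
            if (last["auth"] !~ /pam_mount\.so/) {
                print "auth: last rule is not pam_mount.so -> " last["auth"]; bad = 1
            }
            if (last["session"] !~ /pam_mount\.so/) {
                print "session: last rule is not pam_mount.so -> " last["session"]; bad = 1
            }
            exit bad
        }
    ' "$1"
}

# Constructed sample (not a real system file): pam_mount in the right places.
sample_ok() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
#%PAM-1.0
auth       substack     password-auth
-auth      optional     pam_reauthorize.so prepare
auth       optional     pam_mount.so
account    required     pam_nologin.so
session    include      password-auth
session    optional     pam_mount.so
EOF
    echo "$f"
}

# Constructed sample: pam_mount is present but a keyring module follows it in
# "session", so it is no longer the last session rule.
sample_bad() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
auth       substack     password-auth
auth       optional     pam_mount.so
session    optional     pam_mount.so
-session   optional     pam_gnome_keyring.so auto_start
EOF
    echo "$f"
}
```

Run it against the real file with `check_pam_mount_order /etc/pam.d/sshd` after editing; it prints the offending last rule when the order is wrong.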

Encrypting the whole home directory

Use this volume definition in /etc/security/pam_mount.conf.xml:

<volume user="testuser" fstype="fuse" options="nodev,nosuid,quiet,nonempty,allow_other"
path="/usr/local/bin/gocryptfs#/home/%(USER).cipher" mountpoint="/home/%(USER)" />