PAM_SYSTEMD_HOME(8)                pam_systemd_home               PAM_SYSTEMD_HOME(8)

NAME
       pam_systemd_home - Automatically mount home directories managed by
       systemd-homed.service on login, and unmount them on logout

SYNOPSIS
       pam_systemd_home.so

DESCRIPTION
       pam_systemd_home ensures that home directories managed by
       systemd-homed.service(8) are automatically activated (mounted) on user
       login, and are deactivated (unmounted) when the last session of the
       user ends.

OPTIONS
       The following options are understood:

       suspend=
           Takes a boolean argument. If true, the home directory of the user
           will be suspended automatically during system suspend; if false it
           will remain active. Automatic suspending of the home directory
           improves security substantially, as secret key material is
           automatically removed from memory before the system is put to sleep
           and must be re-acquired (through user re-authentication) when
           coming back from suspend. It is recommended to set this parameter
           for all PAM applications that have support for automatically
           re-authenticating via PAM on system resume. If multiple sessions of
           the same user are open in parallel, the user's home directory will
           be left unsuspended on system suspend as long as at least one of
           the sessions does not set this parameter to on. Defaults to off.

           Note that TTY logins generally do not support re-authentication on
           system resume. Re-authentication on system resume is primarily a
           concept implementable in graphical environments, in the form of
           lock screens brought up automatically when the system goes to
           sleep. This means that if a user concurrently uses graphical login
           sessions that implement the required re-authentication mechanism
           and console logins that do not, the home directory is not locked
           during suspend, due to the logic explained above. That said, it is
           possible to set this field for TTY logins too, ignoring the fact
           that TTY logins actually don't support the re-authentication
           mechanism. In that case the TTY sessions will appear hung until the
           user logs in on another virtual terminal (regardless of whether via
           another TTY session or graphically), which will resume the home
           directory and unblock the original TTY session. (Do note that the
           lack of screen locking on TTY sessions means that even though the
           TTY session appears hung, keypresses can still be queued into it,
           and the existing screen contents can be read without
           re-authentication; this limitation is unrelated to the home
           directory management that pam_systemd_home and
           systemd-homed.service implement.)

           Turning this option on by default is highly recommended for all
           sessions, but only if the service managing these sessions correctly
           implements the aforementioned re-authentication. Note that the
           re-authentication must take place from a component running outside
           of the user's context, so that it does not require access to the
           user's home directory for operation. Traditionally, most desktop
           environments do not implement screen locking this way, and need to
           be updated accordingly.

           This setting may also be controlled via the $SYSTEMD_HOME_SUSPEND
           environment variable (see below), which pam_systemd_home reads
           during initialization and sets for sessions. If both the
           environment variable is set and the module parameter is specified,
           the latter takes precedence.

       debug[=]
           Takes an optional boolean argument. If yes or without the argument,
           the module will log debugging information as it operates.

MODULE TYPES PROVIDED
       The module provides all four management operations: auth, account,
       session, password.

ENVIRONMENT
       The following environment variables are initialized by the module and
       available to the processes of the user's session:

       $SYSTEMD_HOME=1
           Indicates that the user's home directory is managed by
           systemd-homed.service.

       $SYSTEMD_HOME_SUSPEND=
           Indicates whether the session has been registered with the suspend
           mechanism enabled or disabled (see above). The variable's value is
           either "0" or "1". Note that the module both reads the variable
           when initializing, and sets it for sessions.

EXAMPLE
       Here's an example PAM configuration fragment that permits users managed
       by systemd-homed.service to log in:

           #%PAM-1.0
           auth      sufficient pam_unix.so
           -auth     sufficient pam_systemd_home.so
           auth      required   pam_deny.so

           account   required   pam_nologin.so
           -account  sufficient pam_systemd_home.so
           account   sufficient pam_unix.so
           account   required   pam_permit.so

           -password sufficient pam_systemd_home.so
           password  sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
           password  required   pam_deny.so

           -session  optional   pam_keyinit.so revoke
           -session  optional   pam_loginuid.so
           -session  optional   pam_systemd_home.so
           -session  optional   pam_systemd.so
           session   required   pam_unix.so
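       The following is an added example, not code from this man page or from
       systemd. It parses a pam.d(5)-style fragment such as the one above,
       reports how pam_systemd_home.so is wired into the four stacks (present in
       each, and carrying the "-" prefix so a missing module is skipped rather
       than treated as a failure), and resolves the effective suspend= setting
       using the precedence rule given under OPTIONS: the module argument wins
       over $SYSTEMD_HOME_SUSPEND, and the default is off. The sample fragments,
       the suspend=on argument on the session line, and the accepted boolean
       spellings for the module argument are constructed assumptions.

```python
"""Constructed example, not code from the pam_systemd_home(8) man page or from
systemd: a small linter for a pam.d(5)-style fragment plus a resolver for the
effective suspend= setting of pam_systemd_home.so."""

import shlex
from dataclasses import dataclass, field

MODULE_TYPES = ("auth", "account", "session", "password")
HOMED = "pam_systemd_home.so"


@dataclass
class PamEntry:
    mtype: str                 # auth / account / session / password
    control: str               # sufficient / required / optional / ...
    module: str                # e.g. pam_systemd_home.so
    args: list = field(default_factory=list)
    missing_ok: bool = False   # True when the type was prefixed with "-"


def parse_pam_fragment(text):
    """Parse lines of the form  [-]type control module [args...]  (comments skipped)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, control, module, *args = fields
        missing_ok = mtype.startswith("-")
        mtype = mtype.lstrip("-")
        if mtype not in MODULE_TYPES:
            raise ValueError(f"unknown module type {mtype!r} in {raw!r}")
        entries.append(PamEntry(mtype, control, module, args, missing_ok))
    return entries


def check_homed_wiring(entries):
    """Findings about pam_systemd_home.so entries; an empty list means clean.
    Checks that every stack the module supports uses it, and that each use has
    the "-" prefix so a missing module is skipped silently instead of failing."""
    findings = []
    homed = [e for e in entries if e.module == HOMED]
    present = {e.mtype for e in homed}
    for mtype in MODULE_TYPES:
        if mtype not in present:
            findings.append(f"{mtype}: {HOMED} not in stack")
    for e in homed:
        if not e.missing_ok:
            findings.append(f"{e.mtype}: {HOMED} lacks '-' prefix")
    return findings


def module_args(entries, mtype, module=HOMED):
    """key=value arguments of one module in one stack (bare flags map to "")."""
    out = {}
    for e in entries:
        if e.mtype == mtype and e.module == module:
            for a in e.args:
                key, _, value = a.partition("=")
                out[key] = value
    return out


def effective_suspend(args, env):
    """suspend= as the man page resolves it: the module argument wins over
    $SYSTEMD_HOME_SUSPEND (whose value is "0" or "1"); the default is off.
    Assumption: argument spellings 1/yes/true/on count as true."""
    if "suspend" in args:
        return args["suspend"].lower() in ("1", "yes", "true", "on")
    if "SYSTEMD_HOME_SUSPEND" in env:
        return env["SYSTEMD_HOME_SUSPEND"] == "1"
    return False


# Constructed samples: the man page's fragment with suspend=on added to the
# session line, and a deliberately weak variant for the linter to flag.
GOOD_FRAGMENT = """\
#%PAM-1.0
auth      sufficient pam_unix.so
-auth     sufficient pam_systemd_home.so
auth      required   pam_deny.so
account   required   pam_nologin.so
-account  sufficient pam_systemd_home.so
account   sufficient pam_unix.so
account   required   pam_permit.so
-password sufficient pam_systemd_home.so
password  sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password  required   pam_deny.so
-session  optional   pam_keyinit.so revoke
-session  optional   pam_loginuid.so
-session  optional   pam_systemd_home.so suspend=on
-session  optional   pam_systemd.so
session   required   pam_unix.so
"""
WEAK_FRAGMENT = """\
auth     sufficient pam_systemd_home.so
account  sufficient pam_systemd_home.so
-session optional   pam_systemd_home.so
"""

if __name__ == "__main__":
    good = parse_pam_fragment(GOOD_FRAGMENT)
    print("good fragment findings:", check_homed_wiring(good))
    session_args = module_args(good, "session")
    print("effective suspend:", effective_suspend(session_args, {"SYSTEMD_HOME_SUSPEND": "0"}))
    for finding in check_homed_wiring(parse_pam_fragment(WEAK_FRAGMENT)):
        print("weak fragment:", finding)
```

       Run against the good fragment the linter reports nothing and the
       resolver returns true even though the environment variable says "0",
       because the module argument takes precedence; the weak fragment is
       flagged for the missing password stack and for the two entries without
       the "-" prefix.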

SEE ALSO
       systemd(1), systemd-homed.service(8), homed.conf(5), homectl(1),
       pam_systemd(8), pam.conf(5), pam.d(5), pam(8)

systemd 250                                                PAM_SYSTEMD_HOME(8)