On Sat, 2008-02-16 at 21:34 +0100, Naga Toro wrote:
> On Saturday 16 February 2008 10.04.30 Florian Philipp wrote:
> [...]
> > By the way, I use pam_mount and cryptsetup-luks to mount my encrypted
> > home-partition with my login password on the fly. If you want a short
> > howto and my configuration, just ask, I can answer again in 10 hours
> > (Sat Feb 16 19:00:00 UTC).
>
> Please do, at least I'm curious.
>
> /BR
> Naga

Okay,

I think I can skip the creation of a cryptsetup-luks partition (or
whatever). It should be clear that you need to use your login password.

The next step would be to emerge pam_mount.

Then edit /etc/security/pam_mount.conf.xml

The relevant part to add is:

<volume
    user="dsl"
    fstype="crypt"
    path="/dev/vg/home_dsl"
    mountpoint="/home/dsl"
    options="async,noatime,exec"
/>
<volume
    user="dsl"
    fstype="reiserfs"
    path="/dev/mapper/_dev_mapper_vg-home_dsl"
    mountpoint="/home/dsl"
    options="defaults,async,noatime,exec"
/>

above </pam_mount>

As you can see, "dsl" is my user name and /dev/vg/home_dsl my encrypted
home volume. In case I've missed something in this file, I've attached
it gzip-compressed.

Then you need to edit /etc/pam.d/system-auth:

#%PAM-1.0

auth      required    pam_env.so
auth      optional    pam_mount.so
auth      sufficient  pam_unix.so likeauth nullok use_first_pass
auth      required    pam_deny.so use_first_pass

account   required    pam_unix.so

password  required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password  sufficient  pam_unix.so nullok md5 shadow use_authtok
password  required    pam_deny.so

session   required    pam_limits.so
session   required    pam_unix.so
session   optional    pam_mount.so

(or something similar)

I think the relevant parts are "use_first_pass" and "pam_mount" in
"auth" and "session".

I don't say that my setup is perfect. It was a huge trial-and-error
phase to get it working.

Of course, you need to use pam for it to work, but that's the default
setting on Gentoo. Please check your USE-flags for pam and your
sshd_config for usage of pam.

If it doesn't work, try it without XDM/KDM/GDM (I use XDM but all should
work). pam should write some debug information. Then search /dev/mapper
for something that looks like your home-partition's mapping.
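
Below, as an added example that is not part of this mail and not pam_mount's
own code, is a small Python lint for the two files the setup touches. It
encodes the rule the mail reaches by trial and error: in "auth", whichever of
pam_mount.so and pam_unix.so runs second must carry use_first_pass (or
try_first_pass) so it reuses the password the first one collected instead of
prompting again; pam_mount.so must also appear in "session", or nothing is
mounted; and every <volume/> in pam_mount.conf.xml should carry a user
restriction, because pam_mount applies an unrestricted volume to every
account. The sample stacks and the sample conf are constructed for the
demonstration (the first stack mirrors the one in the mail, with the wrapped
pam_cracklib line joined); the option names come from pam_mount(8) and
pam_unix(8).

```python
"""Lint a PAM stack and pam_mount volume entries for the login-password
LUKS home setup from the mail above.  Added example, not the poster's or
pam_mount's own code; every sample config below is constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the stack from the mail (wrapped pam_cracklib line joined).
SYSTEM_AUTH_OK = """\
auth     required   pam_env.so
auth     optional   pam_mount.so
auth     sufficient pam_unix.so likeauth nullok use_first_pass
auth     required   pam_deny.so use_first_pass
password required   pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so nullok md5 shadow use_authtok
password required   pam_deny.so
session  required   pam_unix.so
session  optional   pam_mount.so
"""

# Constructed sample that prompts twice (pam_mount runs after pam_unix without
# reusing the password) and never mounts (no pam_mount in the session phase).
SYSTEM_AUTH_BAD = """\
auth     required   pam_env.so
auth     sufficient pam_unix.so likeauth nullok
auth     optional   pam_mount.so
auth     required   pam_deny.so
session  required   pam_unix.so
"""

PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
REUSE = {"use_first_pass", "try_first_pass"}  # per pam_mount(8) and pam_unix(8)


def parse_pam(text):
    """[(type, control, module, [args])] for a pam.d file; comments skipped,
    bracketed controls like [success=1 default=ignore] kept as one field."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError("malformed PAM line: %r" % raw)
        mtype, control, module, rest = m.groups()
        entries.append((mtype.lower(), control, module, rest.split()))
    return entries


def lint_pam_mount(text):
    """Problems that stop pam_mount from opening the home volume with the
    login password; an empty list means the stack has the shape in the mail."""
    entries = parse_pam(text)
    auth = [e for e in entries if e[0] == "auth"]
    session = [e for e in entries if e[0] == "session"]
    problems = []
    mount = [i for i, e in enumerate(auth) if e[2] == "pam_mount.so"]
    unix = [i for i, e in enumerate(auth) if e[2] == "pam_unix.so"]
    if not mount:
        problems.append("auth: pam_mount.so missing, so it never sees the password")
    elif auth[mount[0]][1] != "optional":
        problems.append("auth: pam_mount.so is not 'optional', so a mount error "
                        "can deny the login")
    if not any(e[2] == "pam_mount.so" for e in session):
        problems.append("session: pam_mount.so missing, so nothing is mounted at login")
    # Whichever of the two modules asks second must reuse the password the
    # first one collected; otherwise the user is prompted twice and the two
    # answers need not match.
    if mount and unix:
        first, second = sorted([(mount[0], "pam_mount.so"), (unix[0], "pam_unix.so")])
        if not set(auth[second[0]][3]) & REUSE:
            problems.append("auth: %s runs after %s but lacks use_first_pass/"
                            "try_first_pass" % (second[1], first[1]))
    return problems


def volume_entry(user, path, mountpoint, fstype="crypt", options="noatime"):
    """One <volume/> element as pam_mount.conf.xml expects it; ElementTree
    takes care of escaping the attribute values."""
    el = ET.Element("volume", user=user, fstype=fstype, path=path,
                    mountpoint=mountpoint, options=options)
    return ET.tostring(el, encoding="unicode")


def lint_volumes(conf_xml):
    """Flag <volume/> elements with no user/uid/pgrp/sgrp restriction: pam_mount
    applies such a volume to every account that logs in (pam_mount.conf(5))."""
    problems = []
    for vol in ET.fromstring(conf_xml).iter("volume"):
        if not {"user", "uid", "pgrp", "sgrp"} & set(vol.attrib):
            problems.append("volume %s has no user/uid/pgrp/sgrp restriction"
                            % vol.get("path"))
    return problems


# Constructed pam_mount.conf.xml: the mail's home volume plus an unrestricted one.
PAM_MOUNT_CONF = """<pam_mount>
  %s
  <volume fstype="crypt" path="/dev/vg/scratch" mountpoint="/mnt/scratch" />
</pam_mount>
""" % volume_entry("dsl", "/dev/vg/home_dsl", "/home/dsl", options="async,noatime,exec")
```

Run lint_pam_mount() on /etc/pam.d/system-auth (and on the display manager's
own pam.d file, since XDM/KDM/GDM may not include system-auth) before
rebooting. One thing the lint cannot check offline: the LUKS key slot must
hold the login password, so after passwd run cryptsetup luksChangeKey on the
container; otherwise, with pam_mount optional, the next login still succeeds
but lands in an unmounted /home/dsl.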