| 1 |
On Sat, 2008-02-16 at 21:34 +0100, Naga Toro wrote: |
| 2 |
> On Saturday 16 February 2008 10.04.30 Florian Philipp wrote: |
| 3 |
> [...] |
| 4 |
> > By the way, I use pam_mount and cryptsetup-luks to mount my encrypted |
| 5 |
> > home-partition with my login password on the fly. If you want a short |
| 6 |
> > howto and my configuration, just ask, I can answer again in 10 hours |
| 7 |
> > (Sat Feb 16 19:00:00 UTC). |
| 8 |
> |
| 9 |
> Please do, atleast I'm curious. |
| 10 |
> |
| 11 |
> /BR |
| 12 |
> Naga |
| 13 |
|
| 14 |
Okay, |
| 15 |
|
| 16 |
I think I can skip the creation of a cryptsetup-luks partition (or |
| 17 |
whatever). It should be clear that you need to use your login password. |
| 18 |
|
| 19 |
The next step would be to emerge pam_mount. |
| 20 |
|
| 21 |
Then edit /etc/security/pam_mount.conf.xml |
| 22 |
|
| 23 |
The relevant part to add is: |
| 24 |
|
| 25 |
<volume |
| 26 |
user="dsl" |
| 27 |
fstype="crypt" |
| 28 |
path="/dev/vg/home_dsl" |
| 29 |
mountpoint="/home/dsl" |
| 30 |
options="async,noatime,exec" |
| 31 |
/> |
| 32 |
<volume |
| 33 |
user="dsl" |
| 34 |
fstype="reiserfs" |
| 35 |
path="/dev/mapper/_dev_mapper_vg-home_dsl" |
| 36 |
mountpoint="/home/dsl" |
| 37 |
options="defaults,async,noatime,exec" |
| 38 |
/> |
| 39 |
|
| 40 |
above </pam_mount> |
| 41 |
|
| 42 |
As you can see, "dsl" is my user name and /dev/vg/home_dsl my encrypted |
| 43 |
home volume. In case I've missed something in this file, I've attached |
| 44 |
it gzip-compressed. |
| 45 |
|
| 46 |
Then you need to edit /etc/pam.d/system-auth: |
| 47 |
|
| 48 |
#%PAM-1.0 |
| 49 |
|
| 50 |
auth required pam_env.so |
| 51 |
auth optional pam_mount.so |
| 52 |
auth sufficient pam_unix.so likeauth nullok use_first_pass |
| 53 |
auth required pam_deny.so use_first_pass |
| 54 |
|
| 55 |
account required pam_unix.so |
| 56 |
|
| 57 |
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 |
| 58 |
ocredit=2 retry=3 |
| 59 |
password sufficient pam_unix.so nullok md5 shadow use_authtok |
| 60 |
password required pam_deny.so |
| 61 |
|
| 62 |
session required pam_limits.so |
| 63 |
session required pam_unix.so |
| 64 |
session optional pam_mount.so |
| 65 |
|
| 66 |
(or something similar) |
| 67 |
|
| 68 |
I think the relevant parts are "use_first_pass" and "pam_mount" in |
| 69 |
"auth" and "session". |
| 70 |
|
| 71 |
I don't say that my setup is perfect. It was a huge trial and error |
| 72 |
phase to get it working. |
| 73 |
|
| 74 |
Of course, you need to use pam for it to work but that's the default |
| 75 |
setting on Gentoo. Please check your USE-flags for pam and your |
| 76 |
sshd_config for usage of pam. |
| 77 |
|
| 78 |
If it doesn't work, try it without XDM/KDM/GDM (I use XDM but all should |
| 79 |
work). pam should write some debug information. Then search /dev/mapper |
| 80 |
for something that looks like your home-partition's mapping. |
Archives