<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="pam_systemd_home" conditional='ENABLE_PAM_HOME'>

  <refentryinfo>
    <title>pam_systemd_home</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>pam_systemd_home</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>pam_systemd_home</refname>
    <refpurpose>Automatically mount home directories managed by <filename>systemd-homed.service</filename> on
    login, and unmount them on logout</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>pam_systemd_home.so</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>pam_systemd_home</command> ensures that home directories managed by
    <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    are automatically activated (mounted) on user login, and are deactivated (unmounted) when the last
    session of the user ends.</para>
  </refsect1>

  <refsect1>
    <title>Options</title>

    <para>The following options are understood:</para>

    <variablelist class='pam-directives'>

      <varlistentry>
        <term><varname>suspend=</varname></term>

        <listitem><para>Takes a boolean argument. If true, the home directory of the user will be suspended
        automatically during system suspend; if false it will remain active. Automatic suspending of the home
        directory improves security substantially as secret key material is automatically removed from memory
        before the system is put to sleep and must be re-acquired (through user re-authentication) when
        coming back from suspend. It is recommended to set this parameter for all PAM applications that have
        support for automatically re-authenticating via PAM on system resume. If multiple sessions of the
        same user are open in parallel the user's home directory will be left unsuspended on system suspend
        as long as at least one of the sessions does not set this parameter to on. Defaults to
        off.</para>

        <para>Note that TTY logins generally do not support re-authentication on system resume.
        Re-authentication on system resume is primarily a concept implementable in graphical environments, in
        the form of lock screens brought up automatically when the system goes to sleep. This means that if a
        user concurrently uses graphical login sessions that implement the required re-authentication
        mechanism and console logins that do not, the home directory is not locked during suspend, due to the
        logic explained above. That said, it is possible to set this field for TTY logins too, ignoring the
        fact that TTY logins actually don't support the re-authentication mechanism. In that case the TTY
        sessions will appear hung until the user logs in on another virtual terminal (regardless if via
        another TTY session or graphically) which will resume the home directory and unblock the original TTY
        session. (Do note that lack of screen locking on TTY sessions means even though the TTY session
        appears hung, keypresses can still be queued into it, and the existing screen contents be read
        without re-authentication; this limitation is unrelated to the home directory management
        <command>pam_systemd_home</command> and <filename>systemd-homed.service</filename> implement.)</para>

        <para>Turning this option on by default is highly recommended for all sessions, but only if the
        service managing these sessions correctly implements the aforementioned re-authentication. Note that
        the re-authentication must take place from a component running outside of the user's context, so that
        it does not require access to the user's home directory for operation. Traditionally, most desktop
        environments do not implement screen locking this way, and need to be updated
        accordingly.</para>

        <para>This setting may also be controlled via the <varname>$SYSTEMD_HOME_SUSPEND</varname>
        environment variable (see below), which <command>pam_systemd_home</command> reads during initialization and sets
        for sessions. If both the environment variable is set and the module parameter is specified, the latter
        takes precedence.</para></listitem>
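        <para>The rules above (boolean parsing of the module argument, precedence of the module parameter
        over <varname>$SYSTEMD_HOME_SUSPEND</varname>, the default of off, the <literal>0</literal>/<literal>1</literal>
        value exported to the session, and the multi-session rule under which the home directory stays active if
        any open session has suspend turned off) can be modelled in a few pure functions. The following is an
        added example and not systemd's own code; the function names (<function>parse_boolean</function>,
        <function>resolve_suspend</function>, <function>resolve_debug</function>,
        <function>suspend_env_value</function>, <function>home_should_suspend</function>) are hypothetical, and
        the assumption that a later <literal>suspend=</literal> argument overrides an earlier one is the example's
        own, not something this page states:</para>

```c
/* Added example, not systemd code: resolves the effective "suspend" and
 * "debug" settings of a pam_systemd_home session from the pam.d module
 * arguments and the $SYSTEMD_HOME_SUSPEND environment variable, and
 * applies the documented multi-session rule. All function names are
 * hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Parse a boolean in the usual PAM/systemd spellings.
 * Returns 1 for true, 0 for false, -1 if the value is unrecognised. */
int parse_boolean(const char *s) {
    if (!s)
        return -1;
    if (!strcasecmp(s, "1") || !strcasecmp(s, "yes") || !strcasecmp(s, "true") || !strcasecmp(s, "on"))
        return 1;
    if (!strcasecmp(s, "0") || !strcasecmp(s, "no") || !strcasecmp(s, "false") || !strcasecmp(s, "off"))
        return 0;
    return -1;
}

/* Effective suspend setting for one session.
 *   argv        module arguments from pam.d, e.g. {"suspend=yes", "debug"}
 *   env_suspend value of $SYSTEMD_HOME_SUSPEND seen at initialization, or NULL
 * The module parameter takes precedence over the environment variable; with
 * neither present the setting defaults to off. Returns 1 (on), 0 (off) or
 * -1 for a malformed value. */
int resolve_suspend(int argc, const char *argv[], const char *env_suspend) {
    int from_arg = -2;                               /* -2: no suspend= argument seen */
    for (int i = 0; i < argc; i++)
        if (strncmp(argv[i], "suspend=", 8) == 0)
            from_arg = parse_boolean(argv[i] + 8);   /* assumption: a later suspend= overrides an earlier one */
    if (from_arg != -2)
        return from_arg;
    if (env_suspend)
        return parse_boolean(env_suspend);
    return 0;
}

/* "debug" alone enables debugging; "debug=<bool>" sets it explicitly.
 * Returns 1/0, or -1 for a malformed debug= value. */
int resolve_debug(int argc, const char *argv[]) {
    int debug = 0;
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "debug") == 0)
            debug = 1;
        else if (strncmp(argv[i], "debug=", 6) == 0)
            debug = parse_boolean(argv[i] + 6);
    }
    return debug;
}

/* The value the module exports as $SYSTEMD_HOME_SUSPEND for the session:
 * the page documents it as either "0" or "1". */
const char *suspend_env_value(int suspend) {
    return suspend == 1 ? "1" : "0";
}

/* Multi-session rule: on system suspend the home directory is suspended
 * only if every open session of the user was registered with suspend on.
 * With no open sessions the home is already deactivated, so there is
 * nothing to suspend. */
bool home_should_suspend(const int *session_flags, size_t n) {
    if (n == 0)
        return false;
    for (size_t i = 0; i < n; i++)
        if (session_flags[i] != 1)
            return false;
    return true;
}

int main(void) {
    /* Constructed sample: a graphical session configured with suspend=yes and
     * debug, while the environment variable says "0". The parameter wins. */
    const char *args[] = { "suspend=yes", "debug" };
    int s = resolve_suspend(2, args, "0");
    int gfx_and_tty[] = { s, 0 };   /* a second, TTY session registered with suspend off */
    printf("suspend=%d debug=%d exported=%s home_suspends_with_tty_open=%d\n",
           s, resolve_debug(2, args), suspend_env_value(s),
           home_should_suspend(gfx_and_tty, 2));
    return 0;
}
```

        <para>The sample in <function>main</function> reproduces the situation described above: a graphical
        session with suspend on and a concurrent TTY session with suspend off leave the home directory
        unsuspended, because <function>home_should_suspend</function> requires every session to opt in.</para>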
      </varlistentry>

      <varlistentry>
        <term><varname>debug</varname><optional>=</optional></term>

        <listitem><para>Takes an optional boolean argument. If yes or without the argument, the module will log
        debugging information as it operates.</para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Module Types Provided</title>

    <para>The module provides all four management operations: <option>auth</option>, <option>account</option>,
    <option>session</option>, <option>password</option>.</para>
  </refsect1>

  <refsect1>
    <title>Environment</title>

    <para>The following environment variables are initialized by the module and available to the processes of the
    user's session:</para>

    <variablelist class='environment-variables'>
      <varlistentry>
        <term><varname>$SYSTEMD_HOME=1</varname></term>

        <listitem><para>Indicates that the user's home directory is managed by <filename>systemd-homed.service</filename>.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>$SYSTEMD_HOME_SUSPEND=</varname></term>

        <listitem><para>Indicates whether the session has been registered with the suspend mechanism enabled
        or disabled (see above). The variable's value is either <literal>0</literal> or
        <literal>1</literal>. Note that the module both reads the variable when initializing, and sets it for
        sessions.</para></listitem>
      </varlistentry>

    </variablelist>
  </refsect1>

  <refsect1>
    <title>Example</title>

    <para>Here's an example PAM configuration fragment that permits users managed by
    <filename>systemd-homed.service</filename> to log in:</para>

    <programlisting>#%PAM-1.0
auth      sufficient pam_unix.so
<command>-auth     sufficient pam_systemd_home.so</command>
auth      required   pam_deny.so

account   required   pam_nologin.so
<command>-account  sufficient pam_systemd_home.so</command>
account   sufficient pam_unix.so
account   required   pam_permit.so

<command>-password sufficient pam_systemd_home.so</command>
password  sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password  required   pam_deny.so

-session  optional   pam_keyinit.so revoke
-session  optional   pam_loginuid.so
<command>-session  optional   pam_systemd_home.so</command>
-session  optional   pam_systemd.so
session   required   pam_unix.so</programlisting>
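
    <para>Because the module provides all four management operations, a stack that omits it from one of the
    <option>auth</option>, <option>account</option>, <option>password</option> or <option>session</option> groups
    will handle that operation without <filename>systemd-homed.service</filename>'s participation. In the fragment
    above every <filename>pam_systemd_home.so</filename> line carries the leading <literal>-</literal>, which in
    <filename>pam.d</filename> syntax tells the PAM library not to treat a missing module as an error, so the stack
    keeps working on systems where the module is not installed. The following added example (not systemd's own
    code) parses a <filename>pam.d</filename>-style stack and checks both properties; the fragment from this page
    is embedded as a constructed sample string, and the function names <function>audit_stack</function> and
    <function>stack_is_complete</function> are hypothetical:</para>

```c
/* Added example, not part of systemd: audits a pam.d-style stack for
 * pam_systemd_home coverage. Reports which of the four management groups
 * (auth, account, password, session) list pam_systemd_home.so, and
 * whether each of those lines is "-"-prefixed (a missing module is then
 * skipped instead of treated as an error). Function names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

static const char *TYPES[4] = { "auth", "account", "password", "session" };

/* Bit i of `found`/`optional` refers to TYPES[i]; `lines` counts matches. */
struct audit {
    unsigned found;     /* groups that have a pam_systemd_home.so line */
    unsigned optional;  /* groups whose pam_systemd_home.so line starts with "-" */
    unsigned lines;
};

/* Map a type token (with optional "-" prefix) to its TYPES index, or -1. */
static int type_index(const char *tok, bool *optional) {
    *optional = (tok[0] == '-');
    if (*optional)
        tok++;
    for (int i = 0; i < 4; i++)
        if (strcmp(tok, TYPES[i]) == 0)
            return i;
    return -1;
}

/* Scan the text of a pam.d file. Blank lines and lines starting with '#'
 * are ignored; each other line is read as "type control module [args]". */
struct audit audit_stack(const char *text) {
    struct audit a = { 0, 0, 0 };
    const char *p = text;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + full;

        char type[32], control[32], module[256];
        if (line[0] == '#' || sscanf(line, "%31s %31s %255s", type, control, module) != 3)
            continue;

        bool opt;
        int idx = type_index(type, &opt);
        if (idx < 0 || strcmp(module, "pam_systemd_home.so") != 0)
            continue;

        a.lines++;
        a.found |= 1u << idx;
        if (opt)
            a.optional |= 1u << idx;
    }
    return a;
}

/* True when all four groups carry a "-"-prefixed pam_systemd_home.so line,
 * i.e. the stack follows the convention of the fragment on this page. */
bool stack_is_complete(const struct audit *a) {
    return a->found == 0xFu && a->optional == 0xFu;
}

/* Constructed sample: the PAM fragment from this page. */
static const char SAMPLE_PAGE[] =
    "#%PAM-1.0\n"
    "auth      sufficient pam_unix.so\n"
    "-auth     sufficient pam_systemd_home.so\n"
    "auth      required   pam_deny.so\n"
    "\n"
    "account   required   pam_nologin.so\n"
    "-account  sufficient pam_systemd_home.so\n"
    "account   sufficient pam_unix.so\n"
    "account   required   pam_permit.so\n"
    "\n"
    "-password sufficient pam_systemd_home.so\n"
    "password  sufficient pam_unix.so sha512 shadow try_first_pass use_authtok\n"
    "password  required   pam_deny.so\n"
    "\n"
    "-session  optional   pam_keyinit.so revoke\n"
    "-session  optional   pam_loginuid.so\n"
    "-session  optional   pam_systemd_home.so\n"
    "-session  optional   pam_systemd.so\n"
    "session   required   pam_unix.so\n";

int main(void) {
    struct audit a = audit_stack(SAMPLE_PAGE);
    for (int i = 0; i < 4; i++)
        printf("%-8s present=%u optional=%u\n", TYPES[i],
               (a.found >> i) & 1u, (a.optional >> i) & 1u);
    printf("complete=%d (%u pam_systemd_home.so lines)\n", stack_is_complete(&a), a.lines);
    return 0;
}
```

    <para>Running the audit against a real stack means reading the file under
    <filename>/etc/pam.d/</filename> into a string and passing it to <function>audit_stack</function>; the
    bitmask result makes it easy to name the group that is missing the module or lacks the
    <literal>-</literal> prefix.</para>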
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>homed.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>homectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>
