authorJakub Moc <jakub@gentoo.org>2006-06-08 14:25:06 +0000
committerJakub Moc <jakub@gentoo.org>2006-06-08 14:25:06 +0000
commit4b310b4ac68297cd527c36aecf50ea17f189be49 (patch)
tree938771004f27ba2b43b875fc14d669d0c0b3277a
parentAdd some Manifest-and-digest loving (diff)
New pam_mount ebuild, based on work of Sven Peter, Priit Laes and others in Bug 24213
svn path=/; revision=14
-rw-r--r--sys-auth/pam_mount/ChangeLog7
-rw-r--r--sys-auth/pam_mount/Manifest24
-rw-r--r--sys-auth/pam_mount/files/digest-pam_mount-0.13.03
-rw-r--r--sys-auth/pam_mount/files/pam_mount-gentoo-paths-and-examples.patch71
-rw-r--r--sys-auth/pam_mount/files/pam_mount.conf215
-rw-r--r--sys-auth/pam_mount/files/system-auth23
-rw-r--r--sys-auth/pam_mount/pam_mount-0.13.0.ebuild78
7 files changed, 421 insertions, 0 deletions
diff --git a/sys-auth/pam_mount/ChangeLog b/sys-auth/pam_mount/ChangeLog
new file mode 100644
index 000000000..589581fe0
--- /dev/null
+++ b/sys-auth/pam_mount/ChangeLog
@@ -0,0 +1,7 @@
+# ChangeLog for sys-auth/pam_mount
+# Copyright 1999-2006 Gentoo Foundation; Distributed under the GPL v2
+# $Header: $
+
+ 08 Jun 2006; Jakub Moc <jakub@gentoo.org> +pam_mount-0.13.0.ebuild:
+ New ebuild, based on work of Sven Peter, Priit Laes and others in Bug 24213
+
diff --git a/sys-auth/pam_mount/Manifest b/sys-auth/pam_mount/Manifest
new file mode 100644
index 000000000..2b88b5098
--- /dev/null
+++ b/sys-auth/pam_mount/Manifest
@@ -0,0 +1,24 @@
+AUX pam_mount-gentoo-paths-and-examples.patch 3434 RMD160 d96c9d62e06f5f1a9d3fa66db6262c908699ba1c SHA1 3e855ec59ab97d087db2b6a7c3312bdea54d2aaa SHA256 ff49183c0899650f1d9e480b7895bd26627c2bee246715697071303751ffa96a
+MD5 18e77a5b6f8042067d0afeb7482c5eaa files/pam_mount-gentoo-paths-and-examples.patch 3434
+RMD160 d96c9d62e06f5f1a9d3fa66db6262c908699ba1c files/pam_mount-gentoo-paths-and-examples.patch 3434
+SHA256 ff49183c0899650f1d9e480b7895bd26627c2bee246715697071303751ffa96a files/pam_mount-gentoo-paths-and-examples.patch 3434
+AUX pam_mount.conf 10115 RMD160 1fd1af233ce50a6fb231341966982a15c747fedf SHA1 aa73716cfe5b697bd5a049430a6dc8824734e312 SHA256 7bf16e96d6d4a7e380913316863d06f2b405883b5c790329aeaf3c7ad90e8f12
+MD5 b8261fc18126cbabf8670a3d92806448 files/pam_mount.conf 10115
+RMD160 1fd1af233ce50a6fb231341966982a15c747fedf files/pam_mount.conf 10115
+SHA256 7bf16e96d6d4a7e380913316863d06f2b405883b5c790329aeaf3c7ad90e8f12 files/pam_mount.conf 10115
+AUX system-auth 854 RMD160 245e7ce8d62eb0287a407b50da89ab31907bbba4 SHA1 b73d60df937682b0c32b349ee15d17ed5541db1c SHA256 ed92728a3dfcc5a0c56a60fe86b9c4fd604af5187742276de272a932ac964a92
+MD5 f8ee99521dc32770ef1a077dd3c92ea2 files/system-auth 854
+RMD160 245e7ce8d62eb0287a407b50da89ab31907bbba4 files/system-auth 854
+SHA256 ed92728a3dfcc5a0c56a60fe86b9c4fd604af5187742276de272a932ac964a92 files/system-auth 854
+DIST pam_mount-0.13.0.tbz2 287706 RMD160 c389a3148e15f386d71b4372529a383e9083098c SHA1 1534fdd0691259fec8538b7a977948749e6a498d SHA256 0ef31fca4357e10ad0a8dfa89f124d75b25f4341a8b76aece4847954aeaeddb1
+EBUILD pam_mount-0.13.0.ebuild 2329 RMD160 baad8f60a3f0fa917209f0e466461ae774ba9804 SHA1 e693efdd18d4e0b58063fcaee32d39b274cbe4a3 SHA256 a8cfba9d918ee4de763f70c284d2de8c8aedee1964db3704c2b0085d8ffb635a
+MD5 97d76eb156eb4c7f02fd313b2208e3a0 pam_mount-0.13.0.ebuild 2329
+RMD160 baad8f60a3f0fa917209f0e466461ae774ba9804 pam_mount-0.13.0.ebuild 2329
+SHA256 a8cfba9d918ee4de763f70c284d2de8c8aedee1964db3704c2b0085d8ffb635a pam_mount-0.13.0.ebuild 2329
+MISC ChangeLog 268 RMD160 2bc935a4f466d8c58297afb6bf2922cce304520c SHA1 a9897a77d977863dbcdece0b16083a71c587cb47 SHA256 6b78a01ae9d2bd89bb9af78ea751858fb7d8f73042ca06f3bc1cca9351647a7a
+MD5 a52f72391bb0a79b1da550122973c322 ChangeLog 268
+RMD160 2bc935a4f466d8c58297afb6bf2922cce304520c ChangeLog 268
+SHA256 6b78a01ae9d2bd89bb9af78ea751858fb7d8f73042ca06f3bc1cca9351647a7a ChangeLog 268
+MD5 a26933e9e412a79df68fe4cb9c26d076 files/digest-pam_mount-0.13.0 244
+RMD160 2d1cb11b5bf8e7f0dbff8a452667a1448aba065b files/digest-pam_mount-0.13.0 244
+SHA256 2216dc331b0c5926a47cd8f40ea5abef4df2c3a97b8a78e006a778c97859841e files/digest-pam_mount-0.13.0 244
diff --git a/sys-auth/pam_mount/files/digest-pam_mount-0.13.0 b/sys-auth/pam_mount/files/digest-pam_mount-0.13.0
new file mode 100644
index 000000000..6bb1d1ad9
--- /dev/null
+++ b/sys-auth/pam_mount/files/digest-pam_mount-0.13.0
@@ -0,0 +1,3 @@
+MD5 a1a09d403e27b73ab848b5ba76071d19 pam_mount-0.13.0.tbz2 287706
+RMD160 c389a3148e15f386d71b4372529a383e9083098c pam_mount-0.13.0.tbz2 287706
+SHA256 0ef31fca4357e10ad0a8dfa89f124d75b25f4341a8b76aece4847954aeaeddb1 pam_mount-0.13.0.tbz2 287706
diff --git a/sys-auth/pam_mount/files/pam_mount-gentoo-paths-and-examples.patch b/sys-auth/pam_mount/files/pam_mount-gentoo-paths-and-examples.patch
new file mode 100644
index 000000000..52fa6749f
--- /dev/null
+++ b/sys-auth/pam_mount/files/pam_mount-gentoo-paths-and-examples.patch
@@ -0,0 +1,71 @@
+--- config/pam_mount.conf 2005-12-24 20:28:33.000000000 +0100
++++ pam_mount-0.11.0.pam_mount.conf 2005-12-29 20:37:32.000000000 +0100
+@@ -197,6 +197,46 @@
+ # (thanks to Mike Hommey for this example)
+ # volume test local - /tmpfs/test /home/test "size=10M,uid=test,gid=users,mode=0700 -t tmpfs" - -
+
++# BEGIN GENTOO EXAMPLES FOR ENCRYPTED HOME
++# user1 has an encrypted home that uses his/her system passwd as the
++# encryption key
++# To create a USB dongle secured user see user2:
++# Define a user key and group key to use a USB dongle as an encrypted
++# file system for the key to the user2 file system - so user would need
++# the USB dongle, the password for user key and the password for user
++# user2. in order to access the encrypted home of user2. Note that
++# without the first two the user can still log in and create files
++# on his home directory mount point. However the security for the
++# encrypted volume is much better since a dictionary attack would need
++# the dongle. See http://www.counterpane.com/twofish-final.html
++# for a discussion on why twofish is a good choice. This setup works
++# with mm-sources-2.6.0_beta9-r5. So to login graphically as user2
++# insert key, ctrl-alt-f1 login as key, alt-f7, login as user2,
++# ctrl-alt-f1, logout key, remove dongle. This works for KDM. Modify
++# /etc/pam.d/login and /etc/pam.d/kde per docs
++#volume key local - /dev/sda2 /key loop,encryption=twofish - -
++#volume user1 local - /home/.user1 /home/user1 loop,encryption=twofish - -
++#volume user2 local - /home/.user2 - - bf-ecb /key/sp.key
++# /etc/fstab contains
++#/home/.user2 /home/user2 reiserfs user,loop,encryption=twofish,noauto 0 0
++#/dev/sda2 /key ext2 user,loop,encryption=twofish,noauto 0 0
++#
++# Device-Mapper based encryption (dm-crypt)
++# Since the introduction of dm-crypt in Linux 2.6.4, cryptoloop has been
++# deprecated. To use the new dm-crypt interface, you will have to adapt
++# the preceding examples to use "crypt" instead of "local" as filesystem
++# type. Additionally the cipher algorithm is specified via the "cipher"
++# option (to distinguish from cryptoloop's "encryption"). Thus, the
++# user1 example would look like this:
++#volume user1 crypt - /home/.user1 /home/user1 loop,cipher=twofish - -
++# An entry in /etc/fstab is not needed. A detailed HOWTO can be found in
++# the forums: http://forums.gentoo.org/viewtopic.php?t=274651
++# Note that pam_mount is LUKS (http://luks.endorphin.org) aware. To
++# use luks, you need to have cryptsetup-luks (get it at
++# http://luks.endorphin.org/dm-cryp) installed. A config line would be
++#volume user1 crypt - /dev/yourpartition /yourmountpoint - - -
++# and cryptsetup will be told to read cypher/keysize/etc. from the luks-header.
++# END GENTOO EXAMPLES
+
+ # Details:
+ # Local user configuration (~/.pam_mount.conf) can extend this.
+--- scripts/umount.crypt 2005-12-28 11:26:51.000000000 +0100
++++ umount.crypt 2005-12-29 20:19:01.000000000 +0100
+@@ -28,7 +28,7 @@
+ export IFS=`echo -en " \t\n"`;
+
+ LOSETUP=/sbin/losetup
+-CRYPTSETUP=/sbin/cryptsetup
++CRYPTSETUP=/bin/cryptsetup
+ MOUNT=/bin/mount
+ UMOUNT=/bin/umount
+ READLINK="/usr/bin/readlink";
+--- scripts/mount.crypt 2005-12-24 13:07:42.000000000 +0100
++++ mount.crypt 2005-12-29 20:18:22.000000000 +0100
+@@ -28,7 +28,7 @@
+
+ # Commands
+ LOSETUP=/sbin/losetup
+-CRYPTSETUP=/sbin/cryptsetup
++CRYPTSETUP=/bin/cryptsetup
+ MOUNT=/bin/mount
+ FSCK="/sbin/fsck";
+
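Review bot: The GENTOO EXAMPLES block on lines 88–127 is the same text that files/pam_mount.conf in this commit already carries on lines 272–306, and the two copies have already drifted apart (the conf copy lacks the LUKS paragraph from lines 122–126), so every future wording or example fix has to be made twice; keeping the examples only in the shipped pam_mount.conf and reducing this patch to the two cryptsetup path changes would remove that duplication. The URL `http://luks.endorphin.org/dm-cryp` on line 124 looks truncated. The path edits in umount.crypt and mount.crypt (lines 137–138 and 148–149) are the only functional part of the patch; a one-line header comment at the top of the patch file stating that, e.g. `# Gentoo installs cryptsetup in /bin; point the helper scripts there.`, would tell the next maintainer what must be re-checked on a version bump.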
diff --git a/sys-auth/pam_mount/files/pam_mount.conf b/sys-auth/pam_mount/files/pam_mount.conf
new file mode 100644
index 000000000..2e75611f1
--- /dev/null
+++ b/sys-auth/pam_mount/files/pam_mount.conf
@@ -0,0 +1,215 @@
+#-------------------------------------------------------------------
+# Below is a modified sample configuration file for pam_mount that has
+# been successfully used to do encrypted auto mounts on a gentoo box
+# using both the same password as login and a sperate key file
+# and openssl. This works for cryptoloop and dm-crypt.
+#-------------------------------------------------------------------
+
+# Turn on if you want to debug why some volume cannot be mounted etc.
+# This can be overriden by user's local configuration
+#
+# Format: debug [ 1 | 0 ]
+# Local user configuration can override this.
+
+debug 1
+mkmountpoint 1
+# Loopback device to use to run fsck on loopback filesystems.
+fsckloop /dev/loop7
+
+# Users' local configuration file (if there is none, comment out this
+# parameter). Will be read as ~/<file>
+#
+# Note: you must include either options_allow or options_deny to use
+# this directive. I recommend also including options_require.
+#
+# Individual users may define additional volumes to mount if allowed
+# by pam_mount.conf (usually ~/.pam_mount.conf). The volume keyword is
+# the only valid keyword in these per-user configuration files. If the
+# luserconf parameter is set in pam_mount.conf, allowing user-defined
+# volume, then users may mount and unmount any volume they own at any
+# mount point they own. On some filesystem configurations this may be
+# a security flaw so user-defined volumes are not allowed by the example
+# pam_mount.conf distributed with pam_mount.
+#
+# Format: luserconf <file>
+# luserconf .pam_mount.conf
+
+# These directives determine which options may be specified in a user config
+# file (luserconf). You must include one of these directives if you have a
+# luserconf directive. You may not include both directives.
+#
+# If you have an options_allow directive, then the options listed in that
+# directive wil be allowed, and all others rejected. If you have an
+# options_deny directive, then the options listed will be denied, and all others
+# permitted.
+#
+# You may use the wildcard '*' to match all options.
+#
+options_allow nosuid,nodev,loop,encryption
+# options_deny suid,dev
+# options_allow *
+# options_deny *
+#
+# I recommend not permitting the suid and dev options.
+
+# The options listed in this directive are required for all volumes from a
+# user config file. That is, any volume specified in a user config file that
+# does not include these options will be ignored.
+#
+# Note: you must make sure that a required option is permitted (either by
+# including it in options_allow, or by not including it in options_deny).
+#
+# I recommend requiring at least nosuid and nodev.
+#
+# This is ignored completely if the volume is configured to get its options
+# and mount point from /etc/fstab.
+#
+options_require nosuid,nodev
+
+# Commands to mount/unmount volumes. They can take parameters, as shown.
+#
+# If you change the -p0 argument for lclmount, you'll need to modify the
+# source in mount.c (it sends the password to the stdin file descriptor
+# of the child process -- look for STDIN_FILENO).
+
+lsof /usr/sbin/lsof %(MNTPT)
+fsck /sbin/fsck -p %(FSCKTARGET)
+losetup /sbin/losetup -p0 "%(before=\"-e \" CIPHER)" "%(before=\"-k \" KEYBITS)" %(FSCKLOOP) %(VOLUME)
+unlosetup /sbin/losetup -d %(FSCKLOOP)
+cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
+smbmount /bin/mount -t smbfs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
+ncpmount /bin/mount -t ncpfs %(SERVER)/%(USER) %(MNTPT) -o "pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)"
+# Linux supports lazy unmounting (-l). May be dangerous for encrypted volumes.
+# May also break loopback mounts because loopback devices are not freed.
+# Need to unmount mount point not volume to support SMB mounts, etc.
+umount /bin/umount %(MNTPT)
+# On OpenBSD try "/usr/local/bin/mount_ehd" (included in pam_mount package).
+lclmount /bin/mount -p0 %(VOLUME) %(MNTPT) "%(before=\"-o \" OPTIONS)"
+cryptmount /bin/mount -t crypt "%(before=\"-o \" OPTIONS)" %(VOLUME) %(MNTPT)
+nfsmount /bin/mount %(SERVER):%(VOLUME) "%(MNTPT)%(before=\"-o \" OPTIONS)"
+# --bind may be a Linuxism. FIXME: find BSD equivalent.
+mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)
+mntcheck /bin/mount # For BSD's (don't have /etc/mtab)
+pmvarrun /usr/sbin/pmvarrun -u %(USER) -d -o %(OPERATION)
+
+# Volumes that will be mounted when user triggers pam_mount module
+# (usually at login).
+#
+# Format:
+# volume <user> [smb|ncp|nfs|local] <server> <volume> <mount point> <mount options> <fs key cipher> <fs key path>
+#
+# General examples:
+# volume user smb krueger public /home/user/krueger - - -
+# volume user ncp krueger public /home/user/krueger user=user.context - -
+
+# Linux encrypted home directory examples, using dm_crypt:
+# volume user crypt - /dev/sda2 /home/user cipher=aes aes-256-ecb /home/user.key
+#
+# Linux encrypted home directory examples, using cryptoloop:
+# volume user local - /dev/hda123 /home/user loop,encryption=aes - -
+# volume user local - /home/user.img /home/user loop,user,exec,encryption=aes,keybits=256 - -
+# volume user local - /home/user.img - - - -
+# volume user local - /home/user.img - - aes-256-ecb /home/user4.key
+
+# BEGIN GENTOO EXAMPLES FOR ENCRYPTED HOME
+# user1 has an encrypted home that uses his/her system passwd as the
+# encryption key
+# To create a USB dongle secured user see user2:
+# Define a user key and group key to use a USB dongle as an encrypted
+# file system for the key to the user2 file system - so user would need
+# the USB dongle, the password for user key and the password for user
+# user2. in order to access the encrypted home of user2. Note that
+# without the first two the user can still log in and create files
+# on his home directory mount point. However the security for the
+# encrypted volume is much better since a dictionary attack would need
+# the dongle. See http://www.counterpane.com/twofish-final.html
+# for a discussion on why twofish is a good choice. This setup works
+# with mm-sources-2.6.0_beta9-r5. So to login graphically as user2
+# insert key, ctrl-alt-f1 login as key, alt-f7, login as user2,
+# ctrl-alt-f1, logout key, remove dongle. This works for KDM. Modify
+# /etc/pam.d/login and /etc/pam.d/kde per docs
+#volume key local - /dev/sda2 /key loop,encryption=twofish - -
+#volume user1 local - /home/.user1 /home/user1 loop,encryption=twofish - -
+#volume user2 local - /home/.user2 - - bf-ecb /key/sp.key
+# /etc/fstab contains
+#/home/.user2 /home/user2 reiserfs user,loop,encryption=twofish,noauto 0 0
+#/dev/sda2 /key ext2 user,loop,encryption=twofish,noauto 0 0
+#
+# Device-Mapper based encryption (dm-crypt)
+# Since the introduction of dm-crypt in Linux 2.6.4, cryptoloop has been
+# deprecated. To use the new dm-crypt interface, you will have to adapt
+# the preceding examples to use "crypt" instead of "local" as filesystem
+# type. Additionally the cipher algorithm is specified via the "cipher"
+# option (to distinguish from cryptoloop's "encryption"). Thus, the
+# user1 example would look like this:
+#volume user1 crypt - /home/.user1 /home/user1 loop,cipher=twofish - -
+# An entry in /etc/fstab is not needed. A detailed HOWTO can be found in
+# the forums: http://forums.gentoo.org/viewtopic.php?t=274651
+# END GENTOO EXAMPLES
+
+#
+# OpenBSD encrypted home directory example (see also lclmount above):
+# volume user local - /home/user.img /home/user svnd0 - -
+#
+# The last two examples need a line like the following in
+# /etc/fstab:
+#
+# /home/user4.img /home/user4 xfs user,loop,encryption=aes,keybits=256,noauto 0 0
+#
+# Details:
+# Local user configuration can extend this.
+# Mount point must be owned by the user.
+#
+# If there are no servers, mount options, fs key ciphers, etc. you must
+# supply a "-"
+#
+# If a local mount is specified in a user config file, then the user must
+# own the device or file being mounted.
+#
+# See http://www.tldp.org/HOWTO/Loopback-Encrypted-Filesystem-HOWTO.html
+# to learn how to create a encrypted loopback filesystem.
+#
+# If the volume's password is different than the user's login password,
+# the following technique may be used (see also README):
+#
+# 1. Create a file containing the volume's password (FS key). If you are
+# using pam_mount to mount an loopback encrypted volume, this password
+# should may generated by /dev/urandom.
+#
+# Simple example:
+# echo <volume password> | openssl aes-256-ecb > /home/user.key
+# Encrypt this file using the user's login password as the key.
+#
+# Verbose loopback encrypted volume example:
+# a. dd if=/dev/urandom of=/home/user.img bs=1M count=<image size in MB>
+# b. dd if=/dev/urandom bs=1c count=<keysize / 8> | openssl enc \
+# -<fs key cipher> > /home/user.key
+# Encrypt this file using the user's login password as the key.
+# c. openssl enc -d -<fs key cipher> -in /home/user.key | losetup -e aes \
+# -k <keysize> -p0 /dev/loop0 /home/user.img
+# d. mkfs -t ext2 /dev/loop0
+# e. umount /dev/loop0
+# f. losetup -d /dev/loop0
+#
+# 3. In pam_mount.conf:
+# a. Set the fs key cipher variable to the cipher used (ie: aes-256-ecb).
+# b. Set the fs key path variable to the key's path (ie: /home/user.key)
+# 4. If a user changes his login password, regenerate the efsk that
+# was created in step 1b. A script named passwdehd is provided to do this.
+#
+# If fs_key_cipher is -, then the user's login password is also the volume's
+# password.
+
+# Template (or wildcard) volumes
+#
+# If user is "*", "&" will be replaced by name of the user logging on in the
+# volume, mount point, mount options and fs key path fields. "~/*" will be
+# replaced with "<user's homedir>/*." In this mode, the user need not
+# own the mount point, but it must exist.
+#
+# volume * smb krueger & /home/& uid=&,gid=&,dmask=0750 - -
+# volume * smb krueger homes /home/&/remote - - -
+# volume * local - /home/&.img - - aes-256-ecb /etc/ehd/&
+
+# Windows 2000, which requires a domain specified, example (thanks John Knox):
+# volume * smb viper & /home/& uid=&,gid=&,dmask=0750,workgroup=WINDOWS_DOMAIN - -
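Review bot: `debug 1` on line 172 ships the default configuration with debug output switched on, although the comment directly above it (lines 166–167) describes the option as something to turn on only while diagnosing a mount failure; since this file is installed as the system-wide /etc/security/pam_mount.conf and the module runs at every login, that means extra per-user mount detail goes to the logs permanently rather than on demand. The line should read `debug 0`, with the existing comment left as the hint for enabling it. The header comment also carries a few typos worth fixing while the file is new: `sperate` (line 162), `overriden` (line 167) and `wil` (line 200).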
diff --git a/sys-auth/pam_mount/files/system-auth b/sys-auth/pam_mount/files/system-auth
new file mode 100644
index 000000000..83767b905
--- /dev/null
+++ b/sys-auth/pam_mount/files/system-auth
@@ -0,0 +1,23 @@
+#%PAM-1.0
+
+
+auth required pam_env.so
+auth optional /@get_libdir/security/pam_mount.so service=system-auth
+auth sufficient pam_unix.so likeauth nullok use_first_pass
+auth required pam_deny.so
+
+# Added for pam_mount support
+auth required /@get_libdir/security/pam_stack.so service=system-auth
+auth required pam_tally.so file=/var/log/faillog onerr=succeed no_magic_root
+auth required pam_shells.so
+auth required pam_nologin.so
+
+account required pam_unix.so
+
+password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
+password sufficient pam_unix.so nullok md5 shadow use_authtok
+password required pam_deny.so
+
+session required pam_limits.so
+session required pam_unix.so
+session optional /@get_libdir/security/pam_mount.so use_first_pass service=system-auth
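Review bot: Because `auth sufficient pam_unix.so` on line 385 ends the auth stack as soon as the password is accepted, the `auth required` entries for pam_tally.so, pam_shells.so and pam_nologin.so on lines 390–392 are only ever reached after a failed authentication, so the shell, nologin and failure-count checks they are meant to enforce never apply to a successful login; they need to sit before the pam_unix line (after pam_env.so on line 383) to have any effect. Line 389 also stacks `pam_stack.so service=system-auth` from inside system-auth itself, which appears to re-enter this very file; that line should be dropped or point at a different service. The comment `# Added for pam_mount support` on line 388 does not describe lines 389–392 (none of them is pam_mount); the pam_mount-specific lines are 384 and 402, so the comment belongs next to those, e.g. `# pam_mount must run before pam_unix in auth and needs use_first_pass in session`.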
diff --git a/sys-auth/pam_mount/pam_mount-0.13.0.ebuild b/sys-auth/pam_mount/pam_mount-0.13.0.ebuild
new file mode 100644
index 000000000..25c4f8cb8
--- /dev/null
+++ b/sys-auth/pam_mount/pam_mount-0.13.0.ebuild
@@ -0,0 +1,78 @@
+# Copyright 1999-2006 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+inherit eutils pam autotools
+
+DESCRIPTION="A PAM module that can mount volumes for a user session e.g. encrypted home directories"
+HOMEPAGE="http://pam-mount.souceforge.net"
+SRC_URI="mirror://sourceforge/pam-mount/${P}.tbz2"
+RESTRICT="mirror"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~x86 ~amd64"
+IUSE="crypt"
+
+DEPEND=">=sys-libs/pam-0.78-r3
+ >=dev-libs/openssl-0.9.7i
+ >=dev-libs/glib-2"
+RDEPEND="${DEPEND}
+ crypt? ( sys-fs/cryptsetup-luks )
+ sys-process/lsof"
+
+src_unpack() {
+ unpack ${A}
+ cd ${S}
+
+ # Gentoo installs cryptsetup in /bin, this patches the relevant
+ # locations, in srcipts/(u)mount.crypt and adds gentoo specific
+ # comments to pam_mount.conf
+ epatch ${FILESDIR}/pam_mount-gentoo-paths-and-examples.patch || die "patch failed"
+
+ # libdir magic
+ cp ${FILESDIR}/system-auth system-auth
+ sed -ie "s:@get_libdir:$(get_libdir):" ${S}/system-auth || die "sed failed"
+}
+
+src_compile() {
+ # fixes the sanity check failure
+ _elibtoolize --copy --force
+
+ # configure and build pam_mount
+ econf \
+ --libdir=/$(get_libdir) \
+ --with-pam-dir=$(getpam_mod_dir) || die "econf failed"
+ emake || die "emake failed"
+}
+
+src_install() {
+ emake DESTDIR="${D}" install || die "install failed"
+
+ insinto /etc/security
+ insopts -m0644
+ doins ${S}/config/pam_mount.conf
+ dopamd ${S}/system-auth
+
+ dodir /sbin
+ dosym /usr/bin/mount.crypt /sbin/mount.crypt
+
+ dodoc README TODO AUTHORS ChangeLog FAQ NEWS
+}
+
+pkg_postinst() {
+ einfo "In order to use pam_mount you will need to configure it."
+ einfo "After the modifications in /etc/security/pam_mount.conf you "
+ einfo "can create the encrypted directory using the mkehd command."
+ einfo "Please use mkhed -h for more informations."
+ einfo
+ einfo "If you want to encrypt the home directories you will need a "
+ einfo "kernel with device-mapper and crypto (AES or any other chipher)"
+ einfo "support."
+ einfo
+ einfo "This ebuild only modifies the /etc/pam.d/system-auth file to"
+ einfo "support pam_mount. If you have any programs that use pam with "
+ einfo "a configuration file that does NOT include system-auth you will "
+ einfo "need to modify this file too. Look at /etc/pam.d/system-auth or "
+ einfo "the /usr/share/doc/${P}/README file for more informations."
+}
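Review bot: `dopamd ${S}/system-auth` on line 463 installs a complete replacement for /etc/pam.d/system-auth, the central PAM stack that on Gentoo belongs to the base PAM setup and that administrators customize locally, so this package would collide with or silently overwrite that file on every install or upgrade (pkg_postinst on line 481 even states that the ebuild modifies it); installing the sample under a pam_mount-specific name or as documentation and telling the admin which lines to add is the safer shape. Separately, `sed -ie "s:@get_libdir:$(get_libdir):" ${S}/system-auth` on line 443 is read by GNU sed as `-i` with the backup suffix `e`, leaving a stray `system-authe` file behind; write it as `sed -i -e "s:@get_libdir:$(get_libdir):" "${S}/system-auth" || die "sed failed"`. `${S}`, `${FILESDIR}` and `${A}` are unquoted throughout src_unpack and src_install while line 458 already quotes `"${D}"`; the quoting should be consistent. Also `HOMEPAGE="http://pam-mount.souceforge.net"` on line 416 misspells sourceforge, and line 475 says `mkhed` where line 474 says `mkehd`.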