summaryrefslogtreecommitdiff
blob: 2e75611f19715ae1feb5b924f331a96dc097f0da (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
#-------------------------------------------------------------------
# Below is a modified sample configuration file for pam_mount that has 
# been  successfully used to do encrypted auto mounts on a gentoo box
# using both the same password as login and a sperate key file 
# and openssl. This works for cryptoloop and dm-crypt.
#-------------------------------------------------------------------

# Turn on if you want to debug why some volume cannot be mounted etc.
# This can be overriden by user's local configuration
# 
# Format: debug [ 1 | 0 ]
# Local user configuration can override this.

debug 1
mkmountpoint 1
# Loopback device to use to run fsck on loopback filesystems.
fsckloop /dev/loop7

# Users' local configuration file (if there is none, comment out this
# parameter). Will be read as ~/<file>
#
# Note: you must include either options_allow or options_deny to use
# this directive. I recommend also including options_require.
#
# Individual users may define additional volumes to mount if allowed
# by pam_mount.conf (usually ~/.pam_mount.conf).  The volume keyword is
# the only valid keyword in these per-user configuration files.  If the
# luserconf parameter is set in pam_mount.conf, allowing user-defined
# volume, then users may mount and unmount any volume they own at any
# mount point they own.  On some filesystem configurations this may be
# a security flaw so user-defined volumes are not allowed by the example
# pam_mount.conf distributed with pam_mount.
#
# Format: luserconf <file>
# luserconf .pam_mount.conf

# These directives determine which options may be specified in a user config
# file (luserconf). You must include one of these directives if you have a
# luserconf directive. You may not include both directives.
#
# If you have an options_allow directive, then the options listed in that
# directive wil be allowed, and all others rejected. If you have an
# options_deny directive, then the options listed will be denied, and all others
# permitted.
#
# You may use the wildcard '*' to match all options.
#
options_allow	nosuid,nodev,loop,encryption
# options_deny	suid,dev
# options_allow	*
# options_deny	*
#
# I recommend not permitting the suid and dev options.

# The options listed in this directive are required for all volumes from a
# user config file. That is, any volume specified in a user config file that
# does not include these options will be ignored.
#
# Note: you must make sure that a required option is permitted (either by
# including it in options_allow, or by not including it in options_deny).
#
# I recommend requiring at least nosuid and nodev.
#
# This is ignored completely if the volume is configured to get its options
# and mount point from /etc/fstab.
#
options_require	nosuid,nodev

# Commands to mount/unmount volumes. They can take parameters, as shown.
#
# If you change the -p0 argument for lclmount, you'll need to modify the
# source in mount.c (it sends the password to the stdin file descriptor
# of the child process -- look for STDIN_FILENO).

lsof /usr/sbin/lsof %(MNTPT)
fsck /sbin/fsck -p %(FSCKTARGET)
losetup /sbin/losetup -p0 "%(before=\"-e \" CIPHER)" "%(before=\"-k \" KEYBITS)" %(FSCKLOOP) %(VOLUME)
unlosetup /sbin/losetup -d %(FSCKLOOP)
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
smbmount /bin/mount -t smbfs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
ncpmount /bin/mount -t ncpfs %(SERVER)/%(USER) %(MNTPT) -o "pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)"
# Linux supports lazy unmounting (-l).  May be dangerous for encrypted volumes.
# May also break loopback mounts because loopback devices are not freed.
# Need to unmount mount point not volume to support SMB mounts, etc.
umount   /bin/umount %(MNTPT)
# On OpenBSD try "/usr/local/bin/mount_ehd" (included in pam_mount package).
lclmount /bin/mount -p0 %(VOLUME) %(MNTPT) "%(before=\"-o \" OPTIONS)"
cryptmount /bin/mount -t crypt "%(before=\"-o \" OPTIONS)" %(VOLUME) %(MNTPT)
nfsmount /bin/mount %(SERVER):%(VOLUME) "%(MNTPT)%(before=\"-o \" OPTIONS)"
# --bind may be a Linuxism.  FIXME: find BSD equivalent.
mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)
mntcheck /bin/mount # For BSD's (don't have /etc/mtab)
pmvarrun /usr/sbin/pmvarrun -u %(USER) -d -o %(OPERATION)

# Volumes that will be mounted when user triggers pam_mount module
# (usually at login).
#
# Format:
# volume <user> [smb|ncp|nfs|local] <server> <volume> <mount point> <mount options> <fs key cipher> <fs key path>
#
# General examples:
# volume user smb krueger public /home/user/krueger - - -
# volume user ncp krueger public /home/user/krueger user=user.context - -

# Linux encrypted home directory examples, using dm_crypt:
# volume user crypt - /dev/sda2 /home/user cipher=aes aes-256-ecb /home/user.key
#
# Linux encrypted home directory examples, using cryptoloop:
# volume user local - /dev/hda123 /home/user loop,encryption=aes - -
# volume user local - /home/user.img /home/user loop,user,exec,encryption=aes,keybits=256 - -
# volume user local - /home/user.img - - - -
# volume user local - /home/user.img - - aes-256-ecb /home/user4.key

# BEGIN GENTOO EXAMPLES FOR ENCRYPTED HOME
# user1 has an encrypted home that uses his/her system passwd as the 
# encryption key
# To create a USB dongle secured user see user2:
# Define a user key and group key to use a USB dongle as an encrypted
# file system for the key to the user2 file system - so user would need
# the USB dongle, the password for user key and the password for user
# user2. in order to access the encrypted home of user2. Note that 
# without the first two the user can still log in and create files
# on his home directory mount point. However the security for the
# encrypted volume is much better since a dictionary attack would need 
# the dongle. See http://www.counterpane.com/twofish-final.html
# for a discussion on why twofish is a good choice. This setup works
# with mm-sources-2.6.0_beta9-r5. So to login graphically as user2
# insert key, ctrl-alt-f1 login as key, alt-f7, login as user2, 
# ctrl-alt-f1, logout key, remove dongle. This works for KDM. Modify
# /etc/pam.d/login and /etc/pam.d/kde per docs
#volume key local - /dev/sda2 /key loop,encryption=twofish - -
#volume user1 local - /home/.user1 /home/user1 loop,encryption=twofish - -
#volume user2 local - /home/.user2 - - bf-ecb /key/sp.key
# /etc/fstab contains
#/home/.user2  /home/user2  reiserfs    user,loop,encryption=twofish,noauto     0 0
#/dev/sda2     /key         ext2        user,loop,encryption=twofish,noauto     0 0
#
# Device-Mapper based encryption (dm-crypt)
# Since the introduction of dm-crypt in Linux 2.6.4, cryptoloop has been
# deprecated. To use the new dm-crypt interface, you will have to adapt
# the preceding examples to use "crypt" instead of "local" as filesystem
# type. Additionally the cipher algorithm is specified via the "cipher"
# option (to distinguish from cryptoloop's "encryption"). Thus, the
# user1 example would look like this:
#volume user1 crypt - /home/.user1 /home/user1 loop,cipher=twofish - -
# An entry in /etc/fstab is not needed. A detailed HOWTO can be found in
# the forums: http://forums.gentoo.org/viewtopic.php?t=274651
# END GENTOO EXAMPLES

#
# OpenBSD encrypted home directory example (see also lclmount above):
# volume user local - /home/user.img /home/user svnd0 - -
#
# The last two examples need a line like the following in 
# /etc/fstab:
#
# /home/user4.img /home/user4 xfs user,loop,encryption=aes,keybits=256,noauto 0 0
#
# Details:
# Local user configuration can extend this.
# Mount point must be owned by the user.
#
# If there are no servers, mount options, fs key ciphers, etc. you must 
# supply a "-"
#
# If a local mount is specified in a user config file, then the user must
# own the device or file being mounted.
#
# See http://www.tldp.org/HOWTO/Loopback-Encrypted-Filesystem-HOWTO.html
# to learn how to create a encrypted loopback filesystem.
#
# If the volume's password is different than the user's login password,
# the following technique may be used (see also README):
#
# 1.  Create a file containing the volume's password (FS key).  If you are
#     using pam_mount to mount an loopback encrypted volume, this password
#     should may generated by /dev/urandom.  
#
#     Simple example: 
#     echo <volume password> | openssl aes-256-ecb > /home/user.key
#     Encrypt this file using the user's login password as the key.
#
#     Verbose loopback encrypted volume example:
#     a.  dd if=/dev/urandom of=/home/user.img bs=1M count=<image size in MB>
#     b.  dd if=/dev/urandom bs=1c count=<keysize / 8> | openssl enc \
#         -<fs key cipher> > /home/user.key
#         Encrypt this file using the user's login password as the key.
#     c.  openssl enc -d -<fs key cipher> -in /home/user.key | losetup -e aes \
#         -k <keysize> -p0 /dev/loop0 /home/user.img
#     d.  mkfs -t ext2 /dev/loop0
#     e.  umount /dev/loop0
#     f.  losetup -d /dev/loop0
#
# 3.  In pam_mount.conf:
#	a.  Set the fs key cipher variable to the cipher used (ie: aes-256-ecb).
#	b.  Set the fs key path variable to the key's path (ie: /home/user.key)
# 4.  If a user changes his login password, regenerate the efsk that 
#     was created in step 1b.  A script named passwdehd is provided to do this.
#
# If fs_key_cipher is -, then the user's login password is also the volume's 
# password.

# Template (or wildcard) volumes
#
# If user is "*", "&" will be replaced by name of the user logging on in the
# volume, mount point, mount options and fs key path fields.  "~/*" will be
# replaced with "<user's homedir>/*."  In this mode, the user need not
# own the mount point, but it must exist.
#
# volume * smb krueger &     /home/&         uid=&,gid=&,dmask=0750 - -
# volume * smb krueger homes /home/&/remote  - - -
# volume * local - /home/&.img - - aes-256-ecb /etc/ehd/&

# Windows 2000, which requires a domain specified, example (thanks John Knox):
# volume * smb viper & /home/& uid=&,gid=&,dmask=0750,workgroup=WINDOWS_DOMAIN - -