#-------------------------------------------------------------------
# Below is a modified sample configuration file for pam_mount that has
# been successfully used to do encrypted auto mounts on a gentoo box
# using both the same password as login and a separate key file
# and openssl. This works for cryptoloop and dm-crypt.
#-------------------------------------------------------------------

# Turn on if you want to debug why some volume cannot be mounted etc.
# This can be overridden by the user's local configuration.
#
# Format: debug [ 1 | 0 ]
# Local user configuration can override this.
debug 1

mkmountpoint 1

# Loopback device to use to run fsck on loopback filesystems.
fsckloop /dev/loop7

# Users' local configuration file (if there is none, comment out this
# parameter). Will be read as ~/<file>.
#
# Note: you must include either options_allow or options_deny to use
# this directive. I recommend also including options_require.
#
# Individual users may define additional volumes to mount if allowed
# by pam_mount.conf (usually ~/.pam_mount.conf). The volume keyword is
# the only valid keyword in these per-user configuration files. If the
# luserconf parameter is set in pam_mount.conf, allowing user-defined
# volumes, then users may mount and unmount any volume they own at any
# mount point they own. On some filesystem configurations this may be
# a security flaw, so user-defined volumes are not allowed by the example
# pam_mount.conf distributed with pam_mount.
#
# Format: luserconf <file>
#
luserconf .pam_mount.conf

# These directives determine which options may be specified in a user config
# file (luserconf). You must include one of these directives if you have a
# luserconf directive. You may not include both directives.
#
# If you have an options_allow directive, then the options listed in that
# directive will be allowed, and all others rejected. If you have an
# options_deny directive, then the options listed will be denied, and all others
# permitted.
#
# You may use the wildcard '*' to match all options.
#
# options_allow nosuid,nodev
# options_deny suid,dev
# options_allow *
# options_deny *
#
# I recommend not permitting the suid and dev options.

# The options listed in this directive are required for all volumes from a
# user config file. That is, any volume specified in a user config file that
# does not include these options will be ignored.
#
# Note: you must make sure that a required option is permitted (either by
# including it in options_allow, or by not including it in options_deny);
# otherwise no user volume can ever satisfy the policy.
#
# I recommend requiring at least nosuid and nodev.
#
# This is ignored completely if the volume is configured to get its options
# and mount point from /etc/fstab.
#
options_require nosuid,nodev

# Commands to mount/unmount volumes. They can take parameters, as shown.
#
# If you change the -p0 argument for lclmount, you'll need to modify the
# source in mount.c (it sends the password to the stdin file descriptor
# of the child process -- look for STDIN_FILENO).
lsof /usr/sbin/lsof
# Added the -p option to fsck to prevent reiserfs from asking questions
fsck /sbin/fsck -p
losetup /sbin/losetup
unlosetup /sbin/losetup -d
smbmount /bin/mount -t smbfs
ncpmount /bin/mount -t ncpfs
# Linux supports lazy unmounting (-l). May be dangerous for encrypted volumes.
# May also break loopback mounts because loopback devices are not freed.
# This was disabled; if you know what you're doing, add -l to the next line.
umount /bin/umount
# On OpenBSD try "/usr/local/bin/mount_ehd" (included in the pam_mount package).
lclmount /bin/mount -p0
nfsmount /bin/mount
# --bind may be a Linuxism. FIXME: find BSD equivalent.
mntagain /bin/mount --bind
# For BSDs (they don't have /etc/mtab)
mntcheck /bin/mount

# Volumes that will be mounted when the user triggers the pam_mount module
# (usually at login).
#
# Format:
# volume <user> [smb|ncp|nfs|local] <server> <volume> <mount point> <mount options> <fs key cipher> <fs key path>
#
# General examples:
# volume user smb krueger public /home/user/krueger - - -
# volume user ncp krueger public /home/user/krueger - - -
#
# Linux encrypted home directory examples:
# volume user local - /dev/hda123 /home/user loop,encryption=aes - -
# volume user local - /home/user.img /home/user loop,user,exec,encryption=aes,keybits=256 - -
# volume user local - /home/user.img - - - -
# volume user local - /home/user.img - - aes-256-ecb /home/user4.key

# BEGIN GENTOO EXAMPLES FOR ENCRYPTED HOME
#
# user1 has an encrypted home that uses his/her system passwd as the
# encryption key.
#
# To create a USB dongle secured user see user2:
# Define a user and group named "key" and use a USB dongle as an encrypted
# file system holding the key to the user2 file system, so the user would
# need the USB dongle, the password for user "key" and the password for user
# user2 in order to access the encrypted home of user2. Note that
# without the first two the user can still log in and create files
# on his home directory mount point. However, the security for the
# encrypted volume is much better, since a dictionary attack would need
# the dongle. See http://www.counterpane.com/twofish-final.html
# for a discussion on why twofish is a good choice. This setup works
# with mm-sources-2.6.0_beta9-r5. So to log in graphically as user2:
# insert the dongle, ctrl-alt-f1, log in as key, alt-f7, log in as user2,
# ctrl-alt-f1, log out key, remove the dongle. This works for KDM. Modify
# /etc/pam.d/login and /etc/pam.d/kde per docs.
#volume key local - /dev/sda2 /key loop,encryption=twofish - -
#volume user1 local - /home/.user1 /home/user1 loop,encryption=twofish - -
#volume user2 local - /home/.user2 - - bf-ecb /key/sp.key
# /etc/fstab contains
#/home/.user2 /home/user2 reiserfs user,loop,encryption=twofish,noauto 0 0
#/dev/sda2 /key ext2 user,loop,encryption=twofish,noauto 0 0
#
# Device-Mapper based encryption (dm-crypt)
# Since the introduction of dm-crypt in Linux 2.6.4, cryptoloop has been
# deprecated. To use the new dm-crypt interface, you will have to adapt
# the preceding examples to use "crypt" instead of "local" as filesystem
# type. Additionally the cipher algorithm is specified via the "cipher"
# option (to distinguish it from cryptoloop's "encryption"). Thus, the
# user1 example would look like this:
#volume user1 crypt - /home/.user1 /home/user1 loop,cipher=twofish - -
# An entry in /etc/fstab is not needed. A detailed HOWTO can be found in
# the forums: http://forums.gentoo.org/viewtopic.php?t=274651
# END GENTOO EXAMPLES
#
# OpenBSD encrypted home directory example (see also lclmount above):
# volume user local - /home/user.img /home/user svnd0 - -
#
# The last two Linux examples above (the ones with "-" as mount point and
# mount options) take those from /etc/fstab and need a line like the
# following there:
#
# /home/user4.img /home/user4 xfs user,loop,encryption=aes,keybits=256,noauto 0 0
#
# Details:
# Local user configuration can extend this.
# The mount point must be owned by the user.
#
# If there are no servers, mount options, fs key ciphers, etc. you must
# supply a "-".
#
# If a local mount is specified in a user config file, then the user must
# own the device or file being mounted.
#
# See http://www.tldp.org/HOWTO/Loopback-Encrypted-Filesystem-HOWTO.html
# to learn how to create an encrypted loopback filesystem.
#
# If the volume's password is different from the user's login password,
# the following technique may be used (see also README):
#
#   1. Create a file containing the volume's password (FS key). If you are
#      using pam_mount to mount a loopback encrypted volume, this password
#      should be generated from /dev/urandom.
#
#      Simple example:
#        echo <password> | openssl aes-256-ecb > /home/user.key
#        Encrypt this file using the user's login password as the key.
#        (A password typed on the command line like this lands in the shell
#        history and is visible in the process list while echo runs; the
#        verbose example below avoids that.)
#
#      Verbose loopback encrypted volume example:
#        a. dd if=/dev/urandom of=/home/user.img bs=1M count=<image size in MB>
#        b. dd if=/dev/urandom bs=1c count=<key size in bytes> | openssl enc \
#           -<cipher> > /home/user.key
#           Encrypt this file using the user's login password as the key.
#        c. openssl enc -d -<cipher> -in /home/user.key | losetup -e aes \
#           -k <key size in bits> -p0 /dev/loop0 /home/user.img
#        d. mkfs -t ext2 /dev/loop0
#        e. umount /dev/loop0
#        f. losetup -d /dev/loop0
#
#   2. In pam_mount.conf:
#        a. Set the fs key cipher variable to the cipher used (i.e. aes-256-ecb).
#        b. Set the fs key path variable to the key's path (i.e. /home/user.key).
#   3. If a user changes his login password, regenerate the efsk (encrypted
#      FS key) that was created in step 1b. A script named passwdehd is
#      provided to do this.
#
# If fs_key_cipher is -, then the user's login password is also the volume's
# password.

# Template (or wildcard) volumes
#
# If user is "*", "&" will be replaced by the name of the user logging on in the
# volume, mount point, mount options and fs key path fields. "~/*" will be
# replaced with "<home directory>/*". In this mode, the user need not
# own the mount point, but it must exist.
#
# volume * smb krueger & /home/& uid=&,gid=&,dmask=0750 - -
# volume * smb krueger homes /home/&/remote - - -
# volume * local - /home/&.img - - aes-256-ecb /etc/ehd/&
# Windows 2000, which requires a domain specified, example (thanks John Knox):
# volume * smb viper & /home/& uid=&,gid=&,dmask=0750,workgroup=WINDOWS_DOMAIN - -
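The options_allow / options_deny / options_require rules for user-defined volumes, worked through as an added POSIX shell example. This is not pam_mount's own code: the function names and the printed decisions are ours, and it only models the three rules exactly as the comments above state them (allow list = everything else rejected, deny list = everything else permitted, "*" matches all, required options must be present). Note that the sample as written enables luserconf with options_require but with neither options_allow nor options_deny, which the luserconf comment says is required; the checker takes the mode as an argument so you can see what each choice does, including the trap of requiring an option the deny list forbids.

```shell
#!/bin/sh
# Added example, not pam_mount code: decide whether a volume line from a
# user's ~/.pam_mount.conf passes the options_allow / options_deny /
# options_require policy described in pam_mount.conf. Names are ours.

# in_list ITEM COMMA_LIST  -> 0 if ITEM is one of the comma-separated entries
in_list() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# user_volume_allowed MODE LIST REQUIRE OPTS
#   MODE     allow | deny   (which of options_allow / options_deny is configured)
#   LIST     that directive's value: a comma list or "*"
#   REQUIRE  value of options_require, or "" if it is unset
#   OPTS     the mount options field of the user's volume line ("-" = none)
# Prints the decision and returns 0 (mount it) or 1 (volume is ignored).
user_volume_allowed() {
    mode=$1 list=$2 require=$3 opts=$4
    [ "$opts" = "-" ] && opts=""
    # Every required option must appear on the volume line ...
    for r in $(printf '%s' "$require" | tr ',' ' '); do
        if ! in_list "$r" "$opts"; then
            echo "ignored: required option '$r' missing"
            return 1
        fi
    done
    # ... and every option that does appear must survive the allow/deny list.
    for o in $(printf '%s' "$opts" | tr ',' ' '); do
        case $mode in
        allow)
            if [ "$list" != "*" ] && ! in_list "$o" "$list"; then
                echo "ignored: option '$o' is not in options_allow"
                return 1
            fi ;;
        deny)
            if [ "$list" = "*" ] || in_list "$o" "$list"; then
                echo "ignored: option '$o' is in options_deny"
                return 1
            fi ;;
        *)
            echo "user_volume_allowed: MODE must be allow or deny" >&2
            return 2 ;;
        esac
    done
    echo "mounted"
    return 0
}

# Constructed sample decisions for the policy recommended above
# (options_deny suid,dev plus options_require nosuid,nodev):
user_volume_allowed deny 'suid,dev' 'nosuid,nodev' 'nosuid,nodev,loop,encryption=aes'
user_volume_allowed deny 'suid,dev' 'nosuid,nodev' 'nosuid,loop'
user_volume_allowed deny 'suid,dev' 'nosuid,nodev' 'nosuid,nodev,dev'
# Requiring an option that is also denied can never be satisfied:
user_volume_allowed deny 'nosuid' 'nosuid' 'nosuid'
```

The last call shows why the "required option must be permitted" note matters: the require check passes and the deny check then rejects the same option, so every user volume is silently ignored.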
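Steps 1 and 3 of the separate-key technique above, as an added POSIX shell example that is not part of pam_mount or its sample configuration: it generates a random FS key, wraps it under the login password with openssl, unwraps it the way pam_mount does before feeding losetup -p0, and re-wraps it under a new password, which is the job the comments assign to passwdehd. The function names, the use of "-pass fd:3" to keep the password off the command line, the "-md md5" flag and the temporary-file handling are this example's own choices. pam_mount runs the decrypt command shown in step c with no -md flag, so the key file must be wrapped with whatever derivation the openssl on your system defaults to there (md5 on old releases, sha256 from OpenSSL 1.1.0 on); drop or change "-md md5" below to match.

```shell
#!/bin/sh
# Added example, not pam_mount code. Creates, unwraps and re-wraps the
# encrypted FS key ("efsk") described in pam_mount.conf.
# Assumes openssl(1), mktemp(1), od(1) and /dev/urandom. Names are ours.
set -u

CIPHER=aes-256-ecb   # must equal the "fs key cipher" field of the volume line

# make_fskey KEYFILE LOGIN_PASSWORD KEY_BYTES
# Step 1b: random key bytes from /dev/urandom, encrypted under the login
# password. The password reaches openssl on fd 3 via a here-document, so it
# is never a command-line argument. -md md5 pins the legacy EVP_BytesToKey
# derivation; see the lead-in about matching pam_mount's decrypt call.
make_fskey() {
    head -c "$3" /dev/urandom |
        openssl enc "-$CIPHER" -md md5 -pass fd:3 -out "$1" 3<<EOF
$2
EOF
    chmod 600 "$1"
}

# unwrap_fskey KEYFILE LOGIN_PASSWORD  -> raw key bytes on stdout
# What pam_mount does with the key file before piping it into losetup -p0.
unwrap_fskey() {
    openssl enc -d "-$CIPHER" -md md5 -pass fd:3 -in "$1" 3<<EOF
$2
EOF
}

# rewrap_fskey KEYFILE OLD_PASSWORD NEW_PASSWORD
# Step 3 (the passwdehd job): re-encrypt the same key under the new login
# password. Decrypt into a private temp file first and stop on failure, so a
# mistyped old password cannot replace the key file with garbage; the new
# file is created next to the old one so the final mv is an atomic rename.
# Caveat: an ECB-wrapped key carries no MAC, only PKCS#7 padding, so a wrong
# password is caught by the padding check only about 255 times in 256.
rewrap_fskey() {
    raw=$(mktemp) && new=$(mktemp "$1.XXXXXX") || return 1
    if ! unwrap_fskey "$1" "$2" > "$raw" 2>/dev/null; then
        rm -f "$raw" "$new"
        echo "rewrap_fskey: cannot decrypt $1 with the old password" >&2
        return 1
    fi
    openssl enc "-$CIPHER" -md md5 -pass fd:3 -in "$raw" -out "$new" 3<<EOF
$3
EOF
    rm -f "$raw"      # cleartext key sat on disk briefly: point TMPDIR at a tmpfs
    chmod 600 "$new" && mv "$new" "$1"
}

# fskey_hex KEYFILE LOGIN_PASSWORD  -> the unwrapped key as a hex string
fskey_hex() {
    unwrap_fskey "$1" "$2" | od -An -tx1 | tr -d ' \n'
}

# Usage walk-through on a constructed key file in a scratch directory:
#   d=$(mktemp -d)
#   make_fskey "$d/user.key" 'old-login-pw' 32
#   rewrap_fskey "$d/user.key" 'old-login-pw' 'new-login-pw'
#   fskey_hex "$d/user.key" 'new-login-pw'   # same 32 bytes as before the rewrap
```

Because the wrapped key is the only thing standing between the login password and the volume, keep it 0600, and remember that a password change through passwd(1) alone leaves the key file wrapped under the old password, which is exactly the failure rewrap_fskey guards against.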