x-itec/pam-encfs
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
pam_encfs by Anders Aagaard <aagaande@gmail.com> *Documentation is written quick and dirty, if something is wrong/you can't get it working, PLEASE mail me :)* Put pam_encfs.conf in /etc/security and modify your pam to load (for example): auth required pam_encfs.so and if you want to auto umount on logout: session required pam_encfs.so (note that setting "encfs_default --idle=1", means it'll auto umount after 1 minute idletime, so you can ignore this if you want to) If you want gdm working you'll have to do this: (to allow use of --public / allow_root / allow_other) #echo "user_allow_other" >> /etc/fuse.conf #adduser testuser (put him in the fuse group if you have one) #mkdir -p /mnt/storage/enc/testuser Setup your /etc/pam_encfs.conf (default should work) #chown testuser:testuser /mnt/storage/enc/testuser #su testuser #encfs /mnt/storage/enc/testuser /home/testuser *use same password as your login atm* #fusermount -u /home/testuser when you login, the directory should be mounted. example to enable encryption for existing user: *logout of any important things, turn off your apps, preferably do this in terminal login/as root* sudo mkdir -p /mnt/storage/enc/anders /mnt/storage/enc/tmp *use your main password on next part* encfs /mnt/storage/enc/anders /mnt/storage/enc/tmp -- -o allow_root cd /home/anders find . -print -xdev | cpio -pamd /mnt/storage/enc/tmp fusermount -u /mnt/storage/enc/tmp cd / sudo mv /home/anders /home/anders.BAK sudo mkdir /home/anders sudo chown anders:anders /home/anders sudo rmdir /mnt/storage/enc/tmp *logout* on next login (in theory) your homedir should be mounted ;) FAQ : Q: Is there an example configuration file? A: Yes, both in svn (link at http://pam-encfs.googlecode.com/svn/trunk/pam_encfs.conf ), and in the downloaded archive from my release. Some distributions have chosen an extreamly simple example configuration file, mine is a bit more explained. Q: What command will pam_encfs run to mount a directory? A: It depends on your options, but something like: encfs -S --idle=1 -v /mnt/storage/enc/test /home/test -- -o allow_other,allow_root,nonempty Q : My KDE doesn't work. A : Login through KDE sometimes fails because KDE tries to store files to the home directory before mounting, and expect them to be there afterwards. To work around this you'll need to set 3 things in /etc/kde3/kdm/kdmrc, "DmrcDir=/tmp" (in the general section). And "UserAuthDir,ClientLogFile", both can be set to /tmp, these are in the [X-*-Core] section. There might be security related issues with this solution, I haven't looked into that. If your paranoid about it you could make a temp directory /tmp/user that only you have access to. Q: Can I mount multiple under one login directories with pam_encfs? A: No, there is however an unofficial patch here : http://bugs.gentoo.org/show_bug.cgi?id=102112 ( https://joshua.haninge.kth.se/~sachankara/pam_encfs-0.1.3-multiple-mount-points.patch ). This has not been applied to the main tree, as it segfaults when I test it with a very basic encfs configuration file (but might work with more advanced ones). Q: pam_encfs does not find my encfs executable A: pam_encfs uses execvp, that means that in some systems it wont find it if it's in /usr/local/bin, make a symlink to /usr/bin. Q: It works on normal login, but not in gdm. A: Problem1, you have your encfs settings too paranoid, gdm requires some things (hard links?) that the paranoid encfs settings do not support. A: Problem2, /etc/pam.d/gdm has a different system than /etc/pam.d/login, fix it ;). A: Problem3, You dont have the fuse option user_allow_root(or other) set, Make sure /etc/fuse.conf has user_allow_other (or user_allow_root). Make sure /etc/pam_encfs.conf has fuse_default allow_root, or the fuse option allow_root set. Q: It asks me for my password twice. A: Try adding use_first_pass after pam_unix (or any other module that supports it). Q: I've tried to use pam_encfs as my main authentication scheme, it doesn't work! A: I return PAM_IGNORE on errors, this can't work reliably as a main system, because of for example logging in twice (in which case the directory would already be mounted, and we therefor can't check password ok). Q: I can't login to X because the filesystem doesn't support locks. A: This could be a problem if your not using drop_permission, use it. And if you REALLY want to mount as root, put: export XAUTHORITY=/tmp/.Xauthority-$USER export ICEAUTHORITY=/tmp/.ICEauthority-$USER in your ~/.bashrc My system-auth file on gentoo: auth required pam_env.so auth sufficient /lib/security/pam_encfs.so auth sufficient /lib/security/pam_sha512.so pwdfile /etc/security/pam.sha auth sufficient pam_unix.so likeauth nullok auth required pam_deny.so account required pam_unix.so password required pam_cracklib.so retry=3 password sufficient pam_unix.so nullok md5 shadow use_authtok password required pam_deny.so session required pam_limits.so session required pam_unix.so Here it'll ask for the password twice, my modules (pam_encfs/pam_sha512) will try to use any previous password if it finds one. So if you move pam_unix.so in auth to under pam_env.so, it'll ask for the password once. Note that if pam_unix gets a password it finds ok, pam_encfs/pam_sha512 wont be used at all.
About
Automatically exported from code.google.com/p/pam-encfs
Resources
Stars
Watchers
Forks
Packages 0
No packages published