The (gnu services pam-mount) module provides a service allowing users to mount volumes when they log in. It should be able to mount any volume format supported by the system.
Service type for PAM Mount support.
Data type representing the configuration of PAM Mount.
It takes the following parameters:
rules
The configuration rules that will be used to generate /etc/security/pam_mount.conf.xml.
The configuration rules are SXML elements (see SXML in GNU Guile Reference Manual), and the default ones don't mount anything for anyone at login:
`((debug (@ (enable "0")))
  (mntoptions (@ (allow ,(string-join
                          '("nosuid" "nodev" "loop"
                            "encryption" "fsck" "nonempty"
                            "allow_root" "allow_other")
                          ","))))
  (mntoptions (@ (require "nosuid,nodev")))
  (logout (@ (wait "0")
             (hup "0")
             (term "no")
             (kill "no")))
  (mkmountpoint (@ (enable "1")
                   (remove "true"))))
Some volume elements must be added to automatically mount volumes at login. Here's an example allowing the user alice to mount her encrypted HOME directory and allowing the user bob to mount the partition where he stores his data:
(define pam-mount-rules
  `((debug (@ (enable "0")))
    (volume (@ (user "alice")
               (fstype "crypt")
               (path "/dev/sda2")
               (mountpoint "/home/alice")))
    (volume (@ (user "bob")
               (fstype "auto")
               (path "/dev/sdb3")
               (mountpoint "/home/bob/data")
               (options "defaults,autodefrag,compress")))
    (mntoptions (@ (allow ,(string-join
                            '("nosuid" "nodev" "loop"
                              "encryption" "fsck" "nonempty"
                              "allow_root" "allow_other")
                            ","))))
    (mntoptions (@ (require "nosuid,nodev")))
    (logout (@ (wait "0")
               (hup "0")
               (term "no")
               (kill "no")))
    (mkmountpoint (@ (enable "1")
                     (remove "true")))))

(service pam-mount-service-type
         (pam-mount-configuration
          (rules pam-mount-rules)))
The complete list of possible options can be found in the man page for pam_mount.conf.
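An added example, not part of the Guix manual: a Guile script that prints the XML described by a set of rules and lists every volume element whose options attribute lacks nosuid or nodev. The sample rules are constructed from the alice and bob example above; sample-rules, attribute, missing-options and audit-volumes are hypothetical names, and requiring both options on every volume is an assumed local policy.

```scheme
;; Added example, not Guix code: review pam-mount rules before deployment.
(use-modules (ice-9 match) (srfi srfi-1) (sxml simple))

;; Constructed sample, modelled on the alice/bob rules above.
(define sample-rules
  `((debug (@ (enable "0")))
    (volume (@ (user "alice") (fstype "crypt")
               (path "/dev/sda2") (mountpoint "/home/alice")))
    (volume (@ (user "bob") (fstype "auto")
               (path "/dev/sdb3") (mountpoint "/home/bob/data")
               (options "defaults,autodefrag,compress")))
    (mntoptions (@ (require "nosuid,nodev")))))

;; Hypothetical helper: string value of attribute NAME in ATTRS, or #f.
(define (attribute attrs name)
  (match (assq name attrs)
    ((_ value) value)
    (_ #f)))

;; Hypothetical helper: members of WANTED absent from the options attribute.
(define (missing-options attrs wanted)
  (let ((present (string-split (or (attribute attrs 'options) "") #\,)))
    (remove (lambda (opt) (member opt present)) wanted)))

;; Return one (USER MOUNTPOINT MISSING ...) entry per volume element in
;; RULES whose options lack some of WANTED (assumed local policy).
(define (audit-volumes rules wanted)
  (filter-map
   (match-lambda
     (('volume ('@ attrs ...) . _)
      (let ((missing (missing-options attrs wanted)))
        (and (pair? missing)
             (cons* (attribute attrs 'user)
                    (attribute attrs 'mountpoint)
                    missing))))
     (_ #f))
   rules))

;; Show the XML the rules describe, then the findings.
(sxml->xml sample-rules)
(newline)
(for-each (lambda (finding)
            (format #t "volume for ~a at ~a lacks: ~a~%"
                    (first finding) (second finding)
                    (string-join (cddr finding) ",")))
          (audit-volumes sample-rules '("nosuid" "nodev")))
```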
PAM mount volumes are automatically mounted at login by the PAM login service according to a set of per-volume rules. Because they are mounted by PAM the password entered during login may be used directly to mount authenticated volumes, such as cifs, using the same credentials.
These volumes will be added in addition to any volumes directly specified in pam-mount-rules.
Here is an example of a rule which will mount a remote CIFS share from //remote-server/share into a sub-directory of /shares named after the user logging in:
(simple-service 'pam-mount-remote-share pam-mount-volume-service-type
                (list (pam-mount-volume
                       (secondary-group "users")
                       (file-system-type "cifs")
                       (server "remote-server")
                       (file-name "share")
                       (mount-point "/shares/%(USER)")
                       (options "nosuid,nodev,seal,cifsacl"))))
Configuration for a single volume to be mounted. Any fields not specified will be omitted from the run-time PAM configuration. See the man page for the default values when unspecified.
user-name
(type: maybe-string) Mount the volume for the given user.
user-id
(type: maybe-integer-or-range) Mount the volume for the user with this ID. This field may also be specified as a pair of (start . end) indicating a range of user IDs for whom to mount the volume.
primary-group
(type: maybe-string) Mount the volume for users with this primary group name.
group-id
(type: maybe-integer-or-range) Mount the volume for the users with this primary group ID. This field may also be specified as a cons cell of (start . end) indicating a range of group IDs for whom to mount the volume.
secondary-group
(type: maybe-string) Mount the volume for users who are members of this group as either a primary or secondary group.
file-system-type
(type: maybe-string) The file system type for the volume being mounted (e.g., cifs).
no-mount-as-root?
(type: maybe-boolean) Whether or not to mount the volume with root privileges. This is normally disabled, but may be enabled for mounts of type fuse, or other user-level mounts.
server
(type: maybe-string) The name of the remote server to mount the volume from, when necessary.
file-name
(type: maybe-string) The location of the volume, either local or remote, depending on the file-system-type.
mount-point
(type: maybe-string) Where to mount the volume in the local file-system. This may be set to ~ to indicate the home directory of the user logging in. If this field is omitted then /etc/fstab is consulted for the mount destination.
options
(type: maybe-string) The options to be passed as-is to the underlying mount program.
ssh?
(type: maybe-boolean) Enable this option to pass the login password to SSH for use with mounts involving SSH (e.g., sshfs).
cipher
(type: maybe-string) Cryptsetup cipher name for the volume. To be used with the crypt file-system-type.
file-system-key-cipher
(type: maybe-string) Cipher name used by the target volume.
file-system-key-hash
(type: maybe-string) SSL hash name used by the target volume.
file-system-key-file-name
(type: maybe-string) File name of the file system key for the target volume.