Pluggable Authentication Modules are used in many Linux distributions for authentication tasks. Here are some useful modules and instructions for setting them up under Debian.
This module improves privacy by setting up private per-user temporary directories under /tmp/user, and setting TMP and TMPDIR to point to the user's directory.
apt-get install libpam-tmpdir
is all that’s needed.
Note that a more sophisticated solution is to use pam_namespace, which results in each login user appearing to have their own separate /tmp, but this has a number of potential side-effects (e.g. on su and sudo), which although manageable add to the complexity of setup. pam_namespace does not rely on applications honouring TMP and TMPDIR.
This module provides a unified way of setting umask for users on login.
apt-get install libpam-umask
Then edit /etc/login.defs:
umask 027
for 750 directories, 640 files.
Allows for ssh agent unlocking on login, without the need to run ssh-add.
apt-get install libpam-ssh
This will mount filesystems on logging in and unmount them on logging out.
apt-get install libpam-mount cifs-utils
Enable per-user setup in /etc/security/pam_mount.conf.xml:
<luserconf name=".pam_mount.conf.xml" />
and allow the gid option:
<!-- Note that commenting out mntoptions will give you the defaults.
You will need to explicitly initialise it with the empty string
to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,gid" />
In ~/.pam_mount.conf.xml:
<pam_mount>
<volume fstype="cifs" server="helix" path="Admin" mountpoint="/home/%(USER)/mnt/Admin" options="nosuid,nodev,gid=admin" />
<volume fstype="cifs" server="helix" path="Data" mountpoint="/home/%(USER)/mnt/Data" options="nosuid,nodev,gid=devel" />
<volume fstype="cifs" server="helix" path="%(USER)" mountpoint="/home/%(USER)/mnt/%(USER)" options="nosuid,nodev" />
</pam_mount>
Create your mount point ~/mnt, and on next login your mounts should appear.
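The following Python check is added here and is not part of the original page or of pam_mount. It compares the options used in a per-user file against the global allow list and a local nosuid/nodev policy. The sample XML is constructed from the snippets above (the second volume is altered to trigger findings), and matching options by name (gid for gid=admin) is this checker's assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the snippets above (not read from disk).
GLOBAL_CONF = """<pam_mount>
  <luserconf name=".pam_mount.conf.xml" />
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,gid" />
</pam_mount>"""

USER_CONF = """<pam_mount>
  <volume fstype="cifs" server="helix" path="Admin" mountpoint="/home/%(USER)/mnt/Admin" options="nosuid,nodev,gid=admin" />
  <volume fstype="cifs" server="helix" path="Data" mountpoint="/home/%(USER)/mnt/Data" options="nodev,uid=admin" />
</pam_mount>"""

MUST_HAVE = {"nosuid", "nodev"}  # assumption: local policy for user-defined mounts


def allowed_options(global_xml):
    """Collect option names from every <mntoptions allow="..."> element."""
    allowed = set()
    for el in ET.fromstring(global_xml).iter("mntoptions"):
        allowed.update(o.strip() for o in el.get("allow", "").split(",") if o.strip())
    return allowed


def audit_user_volumes(global_xml, user_xml, must_have=MUST_HAVE):
    """Return (path, problem) pairs for volumes that break the allow list or policy."""
    allowed = allowed_options(global_xml)
    findings = []
    for vol in ET.fromstring(user_xml).iter("volume"):
        # "gid=admin" is matched against the allow list by its name, "gid".
        raw = vol.get("options", "").split(",")
        names = {o.split("=", 1)[0].strip() for o in raw if o.strip()}
        for opt in sorted(names - allowed):
            findings.append((vol.get("path"), "option not in allow list: " + opt))
        for opt in sorted(must_have - names):
            findings.append((vol.get("path"), "missing hardening option: " + opt))
    return findings


if __name__ == "__main__":
    for path, problem in audit_user_volumes(GLOBAL_CONF, USER_CONF):
        print(path + ": " + problem)
```

To audit a real system, pass the contents of /etc/security/pam_mount.conf.xml and each user's ~/.pam_mount.conf.xml in place of the constructed strings.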