Pluggable Authentication Modules
Published by Tim Allen on 2nd April 2019

Pluggable Authentication Modules are used in many Linux distributions for authentication tasks. Here are some useful modules and instructions for setting them up under Debian.


This module improves privacy by setting user private user directories in /tmp under /tmp/user, and setting TMP and TMPDIR to point to this.

apt-get install libpam-tmpdir

is all that’s needed.

Note that a more sophisticated solution is to use pam_namespace which results in each login user appearing to have their own separate /tmp, but this has a number of potential side-effects (e.g. on su and sudo), which although manageable add to the complexity of setup. pam_namespace does not rely on applications honouring TMP and TMPDIR.


This module provides a unified way of setting umask for users on login.

apt-get install libpam-umask

Then edit /etc/login.defs:

umask 027

for 750 directories, 640 files.


Allows for ssh agent unlocking on login, without the need to run ssh-add.

apt-get install libpam-ssh


This will mount filesystems on logging in and unmount them on logging out.

apt-get install libpam-mount cifs-utils

Enable per-user setup in /etc/security/pam_mount.conf.xml:

<luserconf name=".pam_mount.conf.xml" />

and allow gid option:

<!-- Note that commenting out mntoptions will give you the defaults.
You will need to explicitly initialise it with the empty string
to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,gid" />

In ~/.pam_mount.conf.xml:

<volume fstype="cifs" server="helix" path="Admin"   mountpoint="/home/%(USER)/mnt/Admin"   options="nosuid,nodev,gid=admin" />
<volume fstype="cifs" server="helix" path="Data"    mountpoint="/home/%(USER)/mnt/Data"    options="nosuid,nodev,gid=devel" />
<volume fstype="cifs" server="helix" path="%(USER)" mountpoint="/home/%(USER)/mnt/%(USER)" options="nosuid,nodev" />

Create your mount point ~/mnt, and on next login your mounts should appear.

Categories: Linux