Pluggable Authentication Modules are used in many Linux distributions for authentication tasks. Here are some useful modules and instructions for setting them up under Debian.


This module improves privacy by giving each user a private temporary directory under /tmp/user, and setting TMP and TMPDIR to point to it.

apt-get install libpam-tmpdir

is all that’s needed.

Note that a more sophisticated solution is to use pam_namespace, which results in each login user appearing to have their own separate /tmp. It has a number of potential side-effects (e.g. on su and sudo) which, although manageable, add to the complexity of setup. Unlike the approach above, pam_namespace does not rely on applications honouring TMP and TMPDIR.


This module provides a unified way of setting umask for users on login.

apt-get install libpam-umask

Then edit /etc/login.defs:


for 750 directories, 640 files.


This module allows for ssh agent unlocking on login, without the need to run ssh-add.

apt-get install libpam-ssh


This will mount filesystems on logging in and unmount them on logging out.

apt-get install libpam-mount cifs-utils

Enable per-user setup in /etc/security/pam_mount.conf.xml:

<luserconf name=".pam_mount.conf.xml" />

and allow the gid option:

<!-- Note that commenting out mntoptions will give you the defaults.
You will need to explicitly initialize it with the empty string
to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,gid" />

In ~/.pam_mount.conf.xml:

<volume fstype="cifs" server="helix" path="Admin"      mountpoint="/home/%(USER)/mnt/Admin"      options="nosuid,nodev,gid=admin" />
<volume fstype="cifs" server="helix" path="Data"       mountpoint="/home/%(USER)/mnt/Data"       options="nosuid,nodev,gid=devel" />
<volume fstype="cifs" server="helix" path="%(USER)"    mountpoint="/home/%(USER)/mnt/%(USER)"    options="nosuid,nodev" />

Create your mountpoint ~/mnt, and on next login your mounts should appear.
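
As an added example (not part of the original page or of pam_mount itself), this Python check compares the volumes in a per-user file with the global allow list shown above and flags any volume that uses an option outside the list or omits nosuid/nodev. The sample XML is constructed; the `<pam_mount>` wrapper element, the "Scratch" volume and the REQUIRED policy are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: global file with the allow list shown on the page.
GLOBAL_CONF = """<pam_mount>
<luserconf name=".pam_mount.conf.xml" />
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,gid" />
</pam_mount>"""

# Constructed sample: per-user file; the "Scratch" volume is a hypothetical bad entry.
USER_CONF = """<pam_mount>
<volume fstype="cifs" server="helix" path="Admin" mountpoint="/home/%(USER)/mnt/Admin" options="nosuid,nodev,gid=admin" />
<volume fstype="cifs" server="helix" path="Data" mountpoint="/home/%(USER)/mnt/Data" options="nosuid,nodev,gid=devel" />
<volume fstype="cifs" server="helix" path="Scratch" mountpoint="/home/%(USER)/mnt/Scratch" options="nodev,uid=0" />
</pam_mount>"""

REQUIRED = {"nosuid", "nodev"}  # assumption: local policy, not read from the config


def split_options(value):
    """Return option names from a comma-separated list, dropping '=value' parts."""
    return {o.split("=", 1)[0].strip() for o in value.split(",") if o.strip()}


def allowed_options(global_xml):
    """Collect every name listed in <mntoptions allow="..."> elements."""
    allowed = set()
    for elem in ET.fromstring(global_xml).iter("mntoptions"):
        allowed |= split_options(elem.get("allow", ""))
    return allowed


def audit_volumes(user_xml, allowed, required=REQUIRED):
    """Return (mountpoint, disallowed, missing) for each volume that fails."""
    findings = []
    for vol in ET.fromstring(user_xml).iter("volume"):
        names = split_options(vol.get("options", ""))
        disallowed = sorted(names - allowed)
        missing = sorted(required - names)
        if disallowed or missing:
            findings.append((vol.get("mountpoint"), disallowed, missing))
    return findings


if __name__ == "__main__":
    for mountpoint, disallowed, missing in audit_volumes(USER_CONF, allowed_options(GLOBAL_CONF)):
        print(f"{mountpoint}: disallowed={disallowed} missing={missing}")
```

To audit real files, read /etc/security/pam_mount.conf.xml and each user's ~/.pam_mount.conf.xml and pass their contents to the same two functions.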
