2023-10-31 07:48:24 +03:00
<?xml version='1.0'?> <!-- * - nxml - * -->
< !DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
2023-12-25 17:48:33 +03:00
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
2023-10-31 07:48:24 +03:00
<!-- SPDX - License - Identifier: LGPL - 2.1 - or - later -->
<refentry id= "pam_systemd_loadkey" conditional= 'HAVE_PAM' xmlns:xi= "http://www.w3.org/2001/XInclude" >
<refentryinfo >
<title > pam_systemd_loadkey</title>
<productname > systemd</productname>
</refentryinfo>
<refmeta >
<refentrytitle > pam_systemd_loadkey</refentrytitle>
<manvolnum > 8</manvolnum>
</refmeta>
<refnamediv >
<refname > pam_systemd_loadkey</refname>
<refpurpose > Read password from kernel keyring and set it as PAM authtok</refpurpose>
</refnamediv>
<refsynopsisdiv >
<para > <filename > pam_systemd_loadkey.so</filename> </para>
</refsynopsisdiv>
<refsect1 >
<title > Description</title>
<para > <command > pam_systemd_loadkey</command> reads a NUL-separated password list from the kernel keyring,
2024-11-26 16:29:36 +03:00
and sets the last password in the list as the PAM authtok, which can be used by e.g.
<citerefentry project= 'man-pages' > <refentrytitle > pam_get_authtok</refentrytitle> <manvolnum > 3</manvolnum> </citerefentry> .
</para>
2023-10-31 07:48:24 +03:00
<para > The password list is supposed to be stored in the "user" keyring of the root user,
by an earlier call to
<citerefentry > <refentrytitle > systemd-ask-password</refentrytitle> <manvolnum > 1</manvolnum> </citerefentry>
with <option > --keyname=</option> .
You can pass the keyname to <command > pam_systemd_loadkey</command> via the <option > keyname=</option> option.</para>
</refsect1>
<refsect1 >
<title > Options</title>
<para > The following options are understood:</para>
<variablelist class= 'pam-directives' >
<varlistentry >
<term > <varname > keyname=</varname> </term>
<listitem > <para > Takes a string argument which sets the keyname to read.
2024-04-17 23:01:27 +03:00
The default is <literal > cryptsetup</literal> .
During boot,
2023-10-31 07:48:24 +03:00
<citerefentry > <refentrytitle > systemd-cryptsetup@.service</refentrytitle> <manvolnum > 8</manvolnum> </citerefentry>
2024-04-17 23:01:27 +03:00
stores a passphrase or PIN in the keyring.
The LUKS2 volume key can also be used, via the <option > link-volume-key</option> option in
<citerefentry > <refentrytitle > crypttab</refentrytitle> <manvolnum > 5</manvolnum> </citerefentry> .</para>
<table >
<title >
Possible values for <varname > keyname</varname> .
</title>
<tgroup cols= '2' >
<colspec colname= 'value' />
<colspec colname= 'description' />
<thead >
<row >
<entry > Value</entry>
<entry > Description</entry>
</row>
</thead>
<tbody >
<row >
<entry > cryptsetup</entry>
<entry > Passphrase or recovery key</entry>
</row>
<row >
<entry > fido2-pin</entry>
<entry > Security token PIN</entry>
</row>
<row >
<entry > luks2-pin</entry>
<entry > LUKS2 token PIN</entry>
</row>
<row >
<entry > tpm2-pin</entry>
<entry > TPM2 PIN</entry>
</row>
</tbody>
</tgroup>
</table>
2023-10-31 07:48:24 +03:00
<xi:include href= "version-info.xml" xpointer= "v255" /> </listitem>
</varlistentry>
<varlistentry >
<term > <varname > debug</varname> </term>
<listitem > <para > The module will log debugging information as it operates.</para>
<xi:include href= "version-info.xml" xpointer= "v255" /> </listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 >
<title > Example</title>
<para > This module is intended to be used when you use LUKS with a passphrase, enable autologin in the display
manager, and want to unlock Gnome Keyring / KDE KWallet automatically. So in total, you only enter one password
during boot.</para>
<para > You need to set the password of your Gnome Keyring/KWallet to the same as your LUKS passphrase.
2024-11-23 16:07:56 +03:00
Then add the following lines to your display manager's PAM config under <filename > /etc/pam.d/</filename> (e.g.
<filename > sddm-autologin</filename> ):</para>
2023-10-31 07:48:24 +03:00
<programlisting >
-auth optional pam_systemd_loadkey.so
2024-04-17 22:56:52 +03:00
-auth optional pam_gnome_keyring.so
2023-10-31 07:48:24 +03:00
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet5.so auto_start
2024-11-07 18:47:48 +03:00
</programlisting>
2023-10-31 07:48:24 +03:00
<para > And add the following lines to your display manager's systemd service file, so it can access root's keyring:</para>
<programlisting >
[Service]
KeyringMode=inherit
2024-11-07 18:47:48 +03:00
</programlisting>
2023-10-31 07:48:24 +03:00
<para > In this setup, early during the boot process,
<citerefentry > <refentrytitle > systemd-cryptsetup@.service</refentrytitle> <manvolnum > 8</manvolnum> </citerefentry>
will ask for the passphrase and store it in the kernel keyring with the keyname <literal > cryptsetup</literal> .
2024-11-23 16:07:56 +03:00
Then when the display manager does the autologin, <command > pam_systemd_loadkey</command> will read the passphrase
from the kernel keyring, set it as the PAM authtok, and then <command > pam_gnome_keyring</command> and
<command > pam_kwallet5</command> will unlock with the same passphrase.</para>
2023-10-31 07:48:24 +03:00
</refsect1>
</refentry>