systemd pam_systemd_home 8 pam_systemd_home Automatically mount home directories managed by systemd-homed.service on login, and unmount them on logout pam_systemd_home.so pam_systemd_home ensures that home directories managed by systemd-homed.service8 are automatically activated (mounted) on user login, and are deactivated (unmounted) when the last session of the user ends. The following options are understood: suspend= Takes a boolean argument. If true, the home directory of the user will be suspended automatically during system suspend; if false it will remain active. Automatic suspending of the home directory improves security substantially as secret key material is automatically removed from memory before the system is put to sleep and must be re-acquired (through user re-authentication) when coming back from suspend. It is recommended to set this parameter for all PAM applications that have support for automatically re-authenticating via PAM on system resume. If multiple sessions of the same user are open in parallel the user's home directory will be left unsuspended on system suspend as long as at least one of the sessions does not set this parameter. Defaults to off. debug= Takes an optional boolean argument. If yes or without the argument, the module will log debugging information as it operates. The module provides all four management operations: auth, account, session, password. The following environment variables are initialized by the module and available to the processes of the user's session: $SYSTEMD_HOME=1 Indicates that the user's home directory is managed by systemd-homed.service. Here's an example PAM configuration fragment that permits users managed by systemd-homed.service to log in: #%PAM-1.0 auth sufficient pam_unix.so -auth sufficient pam_systemd_home.so auth required pam_deny.so account required pam_nologin.so -account sufficient pam_systemd_home.so account sufficient pam_unix.so account required pam_permit.so -password sufficient pam_systemd_home.so password sufficient pam_unix.so sha512 shadow try_first_pass try_authtok password required pam_deny.so -session optional pam_keyinit.so revoke -session optional pam_loginuid.so -session optional pam_systemd_home.so -session optional pam_systemd.so session required pam_unix.so systemd1, systemd-homed.service8, homed.conf5, homectl1, pam_systemd8, pam.conf5, pam.d5, pam8