Page MenuHomeFreeBSD

openzfs: attach pam_zfs_key to build
ClosedPublic

Authored by greg_unrelenting.technology on Jan 7 2021, 11:20 AM.

Details

Summary

This PAM module allows unlocking encrypted user home datasets when logging in (and changing passphrase when changing the account password), see https://github.com/openzfs/zfs/pull/9903

Also supposed to unload the key when the last session for the user is done, but there are EBUSY issues: https://github.com/openzfs/zfs/issues/11222#issuecomment-731897858

Test Plan

/etc/pam.d/login:

auth		optional		pam_zfs_key.so homes=your-pool-name/home
session		optional		pam_zfs_key.so homes=your-pool-name/home

/etc/pam.d/passwd:

password	optional	pam_zfs_key.so homes=your-pool-name/home
zfs create -o encryption=on -o keyformat=passphrase your-pool-name/home/ztest
pw user add -n ztest -m
passwd ztest # set same as the passphrase given to zfs create
zfs unmount your-pool-name/home/ztest && zfs unload-key your-pool-name/home/ztest
login # login as ztest, type password
mount # check that the home dir is mounted now

Diff Detail

Repository
R10 FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.