D47996.diff
diff --git a/lib/libpam/pam.d/login b/lib/libpam/pam.d/login
--- a/lib/libpam/pam.d/login
+++ b/lib/libpam/pam.d/login
@@ -4,6 +4,7 @@
#
# auth
+#auth optional pam_zfs_key.so homes=zroot/home
auth sufficient pam_self.so no_warn
auth include system
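Review bot: the commented example `+#auth optional pam_zfs_key.so homes=zroot/home` hardcodes `zroot/home`, yet the adduser(8) text added in this same revision only tells the administrator to "uncomment lines that mention pam_zfs_key.so". Anyone whose pool is not named `zroot`, or whose home datasets live elsewhere, will uncomment a line that does not match their layout and the key will never load. Suggest a comment beside the line, e.g. `# set homes= to the parent dataset of the home directories`, or the same sentence in adduser(8).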
@@ -13,6 +14,7 @@
account include system
# session
+#session optional pam_zfs_key.so homes=zroot/home
session include system
# password
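Review bot: the session line is the one that loads the key and mounts the home dataset, while the auth line earlier in the file is what captures the login password for it; they only work as a pair, but nothing in the file says so. A one-line comment (`# pair with the pam_zfs_key.so auth line above`) would prevent a half-enabled configuration. It is also worth stating that `optional` is intentional here: with `optional`, a failed key load still opens the session on an unmounted home directory, which is presumably wanted for users without encrypted homes but is not obvious to someone editing the file.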
diff --git a/lib/libpam/pam.d/passwd b/lib/libpam/pam.d/passwd
--- a/lib/libpam/pam.d/passwd
+++ b/lib/libpam/pam.d/passwd
@@ -7,4 +7,5 @@
# password
#password requisite pam_passwdqc.so enforce=users
+#password optional pam_zfs_key.so homes=zroot/home
password required pam_unix.so no_warn try_first_pass nullok
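Review bot: this line conflicts with the adduser(8) text added in this same revision, which says that changing the password with passwd(1) "does not update the ZFS encryption key". Once `password optional pam_zfs_key.so` is uncommented, the module's password phase re-keys the dataset along with the password, so the man page should say the key is left unchanged unless this line is enabled. Ordering also deserves a look: pam_zfs_key.so runs before pam_unix.so here, so if pam_unix.so then rejects the new password the dataset key may already have been changed to a password that was never set; and because the module is `optional`, a failure inside the key change does not stop pam_unix.so from changing the password either. Both outcomes leave key and password out of sync, which the new adduser(8) text says breaks auto-mount.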
diff --git a/usr.sbin/adduser/adduser.8 b/usr.sbin/adduser/adduser.8
--- a/usr.sbin/adduser/adduser.8
+++ b/usr.sbin/adduser/adduser.8
@@ -27,7 +27,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd December 1, 2024
+.Dd December 6, 2024
.Dt ADDUSER 8
.Os
.Sh NAME
@@ -144,6 +144,28 @@
I have been using this model for almost 10 years and found that it works
for most situations, and has never gotten in the way.
(Rod Grimes)
+.Sh ZFS ENCRYPTION
+If ZFS encryption is enabled on a home dataset,
+.Xr zfs-load-key 8
+must be run before mounting \-\- either
+at login, with the pam_zfs_key.so
+.Xr openpam 3
+module, or manually after login.
+.sp
+To configure
+.Xr zfs-load-key 8
+to run at login,
+uncomment lines that mention pam_zfs_key.so in the /etc/pam.d/login and
+/etc/pam.d/passwd files.
+Note that changing the user password with
+.Xr passwd 1
+does not update the ZFS encryption key.
+Use
+.Xr zfs-change-key 8
+to change the key.
+For auto-mount with pam_zfs_key.so,
+the encryption key must match the user password.
+Login via SSH can not auto-mount a ZFS-encrypted home dataset.
.Sh CONFIGURATION
The
.Nm
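Review bot: `.sp` is a low-level roff request rather than mdoc; use `.Pp` for the paragraph break, and on the `must be run before mounting \-\- either` line write the dash as `\(em` (or rephrase to drop it) instead of `\-\-`. "can not" should be "cannot". The SSH sentence would be more useful if it gave the reason, namely that the module needs the login password and a key-based SSH login never supplies one, and said whether password-based SSH logins are excluded as well. Finally, "uncomment lines that mention pam_zfs_key.so" should add that the `homes=` value in those lines must be set to the parent dataset of the home directories, since the shipped examples use `zroot/home`.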
diff --git a/usr.sbin/adduser/adduser.sh b/usr.sbin/adduser/adduser.sh
--- a/usr.sbin/adduser/adduser.sh
+++ b/usr.sbin/adduser/adduser.sh
@@ -257,7 +257,8 @@
# create ZFS dataset before home directory is created with pw
if [ "${Zcreate}" = "yes" ]; then
if [ "${Zencrypt}" = "yes" ]; then
- echo "Enter encryption keyphrase for ZFS dataset (${zhome}):"
+ echo "Enter ZFS encryption keyphrase"
+ echo "(if auto-mount is required, then this key must match the password for the user) (${zhome}):"
fi
if [ -n "$BSDINSTALL_CHROOT" ]; then
create_zfs_chrooted_dataset
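Review bot: splitting the prompt over two `echo` lines pushes the dataset name to the end of a long parenthetical; something like `echo "Enter ZFS encryption passphrase for dataset ${zhome}"` followed by a separate line for the auto-mount hint reads more clearly. Terminology should also be consistent: this prompt says "keyphrase", zfs(8) calls it the passphrase (keyformat=passphrase), and the new adduser(8) text says "encryption key"; picking one term across the script and the man page avoids confusion about what the user is typing.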
@@ -635,7 +636,7 @@
#
get_zfs_encryption() {
local _input= _prompt=
- _prompt="Enable ZFS encryption? (yes/no) [${Zencrypt}]: "
+ _prompt="Enable ZFS encryption? (To auto-mount at login, see adduser(8).) (yes/no) [${Zencrypt}]: "
while : ; do
echo -n "$_prompt"
read _input
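Review bot: the new `_prompt` string now carries two parentheticals and is hard to scan on an 80-column terminal; suggest printing the `see adduser(8)` hint on its own line before the yes/no prompt (a separate `echo`), keeping the prompt itself as `Enable ZFS encryption? (yes/no) [${Zencrypt}]: `.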
@@ -699,7 +700,7 @@
# Give new user ownership of newly created zfs dataset.
#
set_zfs_perms() {
- if ! ${ZFSCMD} allow "${username}" create,destroy,mount,snapshot "${zhome}"; then
+ if ! ${ZFSCMD} allow "${username}" create,destroy,mount,snapshot,load-key,change-key "${zhome}"; then
err "There was an error setting permissions on ZFS dataset (${zhome})."
return 1
fi
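Review bot: `load-key,change-key` are now delegated on every dataset adduser creates, encrypted or not, because set_zfs_perms() has no `${Zencrypt}` check (the dataset-creation hunk above does). Consider guarding the two extra permissions with `if [ "${Zencrypt}" = "yes" ]`. The commit message should also spell out that delegating `change-key` lets the user re-key the dataset independently of the login password, which produces exactly the key/password mismatch the new adduser(8) text says breaks auto-mount, so that the trade-off is a deliberate one.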
