PAM update to mount an encrypted user home directory at login (GNOME 40.4.0)

I want to decrypt my LUKS-encrypted /home directory at login on Rocky Linux 9.1. I have been trying to adapt this Arch Linux guide (https://wiki.archlinux.org/title/Dm-crypt/Mounting_at_login; https://wiki.archlinux.org/title/Talk:Dm-crypt/Mounting_at_login) and this GitHub repository (https://github.com/fumiyas/linux-crypthome) for Rocky 9.1. /etc/pam.d/system-login does not exist on Rocky, so I have updated /etc/pam.d/postlogin and /etc/pam.d/system-auth to call pam_exec.so with a custom script (/usr/local/sbin/pam_cryptsetup.sh) that decrypts and mounts my encrypted /home directory. The updates I made to /etc/pam.d/postlogin and system-auth let me ssh into my machine, but logging in from the GNOME login screen fails. If I have already logged in via ssh and then log in from the GNOME login screen, it works. Does anyone know how to update the script to enable login from the GNOME screen, or have any good ideas?

# cat /usr/local/sbin/pam_cryptsetup.sh
#!/bin/sh
# pam_exec target: pam_exec.so exports PAM_USER to this script and, with
# expose_authtok in the auth phase, writes the user's password to its stdin,
# which is where cryptsetup reads the passphrase from.

CRYPT_USER="user"
PARTITION="/dev/vg_alnair/crypthome.$CRYPT_USER"
NAME="decrypthome.$CRYPT_USER"
# Left disabled: these two lines would write the cleartext password to /tmp.
# PW=$(cat /dev/stdin)
# echo $PW > /tmp/pw.$PAM_USER

if [ "$PAM_USER" = "$CRYPT_USER" ] && [ ! -e "/dev/mapper/$NAME" ]; then
    logger "$(basename "$0"): $PAM_USER: decrypting /dev/mapper/$NAME"
    # Passphrase is read from stdin (pam_exec expose_authtok).
    /usr/sbin/cryptsetup open "$PARTITION" "$NAME"
    status=$?
    if [ $status -eq 0 ]; then
        logger "$(basename "$0"): cryptsetup success for $PAM_USER!: $status"
    else
        logger "$(basename "$0"): cryptsetup failed for $PAM_USER!: $status"
    fi
else
    logger "$(basename "$0"): $PAM_USER: not decrypting anything!"
fi

Here is some journalctl output after a failed login from the GNOME login screen:

# journalctl -r -t gdm-password]
Mar 20 17:46:59 alnair gdm-password][1851]: pam_unix(gdm-password:session): session closed for user user
Mar 20 17:46:56 alnair gdm-password][1851]: pam_exec(gdm-password:session): /usr/local/sbin/pam_cryptsetup.sh failed: exit code 13
Mar 20 17:46:56 alnair gdm-password][1894]: pam_exec(gdm-password:session): execve(/usr/local/sbin/pam_cryptsetup.sh,...) failed: Permission denied
Mar 20 17:46:56 alnair gdm-password][1851]: gkr-pam: gnome-keyring-daemon started properly
Mar 20 17:46:56 alnair gdm-password][1851]: gkr-pam: unable to locate daemon control file
Mar 20 17:46:56 alnair gdm-password][1851]: pam_unix(gdm-password:session): session opened for user user(uid=1000) by (uid=0)
Mar 20 17:46:56 alnair gdm-password][1851]: pam_systemd(gdm-password:session): Failed to create session: Job 2126 for unit 'session-4.scope' failed with 'dependency'
Mar 20 17:45:26 alnair gdm-password][1860]: pam_exec(gdm-password:auth): Calling /usr/local/sbin/pam_cryptsetup.sh ...
Mar 20 17:45:26 alnair gdm-password][1851]: pam_exec(gdm-password:auth): send password to child

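Added example, not the poster's script and not code from the linked Arch guide or the linux-crypthome repository: a version of the pam_exec target that is safe to reference from both of the stacks the question mentions. It acts only in the auth phase, because that is the only phase in which pam_exec's expose_authtok puts the password on the script's stdin; in open_session/close_session (the phase in which gdm-password ran the script in the journal above) there is no passphrase, so the script exits 0 instead of handing an empty stdin to cryptsetup. The passphrase reaches cryptsetup through --key-file=- and never touches disk. The decision logic and the exit-code lookup are plain functions so they can be exercised without PAM or cryptsetup. The pam_exec line in the header comment, the CRYPTSETUP/MAPPER_DIR overrides and the function names are assumptions of this example; the device, mapper and user names are the ones from the post. The exit-code table relies on pam_exec _exit()ing with errno when execve itself fails, which is what the journal above shows (execve failed: Permission denied, then exit code 13 = EACCES).

```shell
#!/bin/sh
# Added example (not the poster's script). pam_exec target for LUKS-at-login.
# Assumed placement, after pam_unix.so in the auth stack of system-auth:
#   auth optional pam_exec.so expose_authtok /usr/local/sbin/pam_cryptsetup.sh
# Session-phase stacks (postlogin) can call the same script: it exits 0 there.

CRYPT_USER="${CRYPT_USER:-user}"                                   # from the post
PARTITION="${PARTITION:-/dev/vg_alnair/crypthome.$CRYPT_USER}"    # from the post
NAME="${NAME:-decrypthome.$CRYPT_USER}"                            # from the post
CRYPTSETUP="${CRYPTSETUP:-/usr/sbin/cryptsetup}"   # override is an assumption
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"            # override is an assumption

log() { logger -t "$(basename "$0")" -- "$*"; }

# Decide from what pam_exec exports (PAM_TYPE, PAM_USER) whether to act.
# Prints "open" only for the auth phase, the crypt user, and a mapping that
# does not exist yet; otherwise "skip". Pure function: no PAM needed to test.
decide_action() {
    pam_type="$1"; pam_user="$2"; mapped="$3"   # mapped is "yes" or "no"
    [ "$pam_type" = "auth" ]        || { echo skip; return; }
    [ "$pam_user" = "$CRYPT_USER" ] || { echo skip; return; }
    [ "$mapped" = "no" ]            || { echo skip; return; }
    echo open
}

# Map pam_exec's "failed: exit code N" to an errno name for the case where the
# child never got past execve (pam_exec _exit()s with errno then).
execve_errno_name() {
    case "$1" in
        2)  echo ENOENT ;;   # script path wrong
        8)  echo ENOEXEC ;;  # missing or bad #! line
        13) echo EACCES ;;   # mode bits, noexec mount, or an SELinux denial
        *)  echo UNKNOWN ;;
    esac
}

main() {
    mapped=no
    [ -e "$MAPPER_DIR/$NAME" ] && mapped=yes
    action=$(decide_action "${PAM_TYPE:-}" "${PAM_USER:-}" "$mapped")
    [ "$action" = "open" ] || exit 0          # nothing to do in this phase

    log "$PAM_USER: opening $PARTITION as $NAME"
    # stdin holds the authtok written by pam_exec (no trailing newline);
    # --key-file=- feeds it to cryptsetup byte for byte, never via a file.
    "$CRYPTSETUP" open --key-file=- "$PARTITION" "$NAME"
    status=$?
    if [ "$status" -eq 0 ]; then
        log "$PAM_USER: cryptsetup open succeeded"
    else
        log "$PAM_USER: cryptsetup open failed with status $status"
    fi
    exit 0   # with "optional" control the stack never fails because of us
}

# Run main only when executed under its installed name, so the functions can
# be sourced and checked without touching any device.
case "$0" in
    *pam_cryptsetup.sh) main ;;
esac
```

An EACCES from execve for a file that the sshd stack can already run is not a question of whether the file exists. The checks worth running on the gdm side are `ls -lZ /usr/local/sbin/pam_cryptsetup.sh` for mode bits and SELinux label, `ausearch -m AVC -ts recent` for a denial logged against the gdm session worker, and `restorecon -v /usr/local/sbin/pam_cryptsetup.sh` if the label differs from the directory default.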