This shows you the differences between two versions of the page.
docs:ecryptfs [2011-02-06 01:45] arekm |
docs:ecryptfs [2011-02-06 01:59] arekm |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | /* pragma: section-numbers 2 */ | ||
- | |||
- | |||
- | ====== eCryptfs ====== | ||
- | eCryptfs is a POSIX-compliant enterprise-class stacked (on top of other filesystem) cryptographic filesystem for Linux. | ||
- | |||
- | |||
- | |||
- | ===== Resources ===== | ||
- | |||
- | * [[https://launchpad.net/ecryptfs/|Project homepage]] | ||
- | |||
- | |||
- | ===== Contents ===== | ||
- | /* UndefinedMacro: TableOfContents(None) */ | ||
- | |||
- | |||
- | |||
- | ===== Utils ===== | ||
- | Install ecryptfs-utils-85-4 and pam-pam_ecryptfs-85-4 or newer. | ||
- | |||
- | |||
- | |||
- | ===== PAM ===== | ||
- | Three new lines. Note need to be places after pam_unix.so! | ||
- | |||
- | |||
- | |||
- | <file>[root@host ~]# cat /etc/pam.d/system-auth | ||
- | #%PAM-1.0 | ||
- | auth required pam_listfile.so item=user sense=deny file=/etc/security/blacklist onerr=succeed | ||
- | auth required pam_env.so | ||
- | auth required pam_tally.so deny=0 file=/var/log/faillog onerr=succeed | ||
- | auth required pam_unix.so try_first_pass | ||
- | |||
- | # ECRYPTFS SUPPORT - has to be AFTER pam_unix | ||
- | auth optional pam_ecryptfs.so unwrap | ||
- | |||
- | account required pam_tally.so file=/var/log/faillog onerr=succeed | ||
- | account required pam_time.so | ||
- | account required pam_unix.so | ||
- | |||
- | # password [success=1 ignore=reset abort=die default=bad] pam_pwgen.so upper=1 digit=1 | ||
- | password required pam_cracklib.so try_first_pass difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 | ||
- | password required pam_unix.so try_first_pass sha512 shadow use_authtok | ||
- | |||
- | # ECRYPTFS SUPPORT - has to be AFTER pam_unix | ||
- | password required pam_ecryptfs.so | ||
- | |||
- | password required pam_exec.so failok seteuid /usr/bin/make -C /var/db | ||
- | # password required pam_exec.so failok seteuid /usr/bin/make -C /var/yp | ||
- | |||
- | session optional pam_keyinit.so revoke debug | ||
- | session required pam_limits.so change_uid | ||
- | session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid | ||
- | session required pam_unix.so | ||
- | |||
- | # ECRYPTFS SUPPORT - has to be AFTER pam_unix | ||
- | session optional pam_ecryptfs.so unwrap | ||
- | </file> | ||
- | |||
- | |||
- | ===== Account migration ===== | ||
- | End all USER session, logout from machine and run from root: | ||
- | |||
- | ''ecryptfs-migrate-home -u USER'' | ||
- | |||
- | Follow instruction on the screen. | ||
- | |||
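Review bot: An edit summary or a pointer to a replacement is missing for this removal, which spans the whole hunk from the "eCryptfs" title through "Account migration" and adds nothing on the right-hand side. The deleted text holds the only statement of the ordering constraint that pam_ecryptfs.so must come after pam_unix.so in the auth, password and session stacks, together with the "ecryptfs-migrate-home -u USER" migration step. If the content was moved, say where in the edit summary or leave a link on this page; if it was dropped as obsolete, note that so readers do not keep following an older copy of the PAM configuration.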