From 0bf317b62035156ada7fbcd228a51c93d86dd295 Mon Sep 17 00:00:00 2001
From: Jonathan Conder
Date: Thu, 18 Apr 2024 07:56:52 +1200
Subject: [PATCH 1/2] man: add pam_gnome_keyring to auth section after pam_systemd_loadkey

This is required because pam_sm_open_session [1] only looks at gkr_system_authtok, which is copied from the kernel keyring in pam_sm_authenticate.

[1] https://gitlab.gnome.org/GNOME/gnome-keyring/-/blob/46.1/pam/gkr-pam-module.c?ref_type=tags
---
man/pam_systemd_loadkey.xml | 1 +
1 file changed, 1 insertion(+)

diff --git a/man/pam_systemd_loadkey.xml b/man/pam_systemd_loadkey.xml
index becb32adcd0..ab99b1e7523 100644
--- a/man/pam_systemd_loadkey.xml
+++ b/man/pam_systemd_loadkey.xml
@@ -78,6 +78,7 @@
-auth optional pam_systemd_loadkey.so
+-auth optional pam_gnome_keyring.so
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet5.so auto_start

From 08ef6998e3381b7b9d093f12c3928b2d3d95eca8 Mon Sep 17 00:00:00 2001
From: Jonathan Conder
Date: Thu, 18 Apr 2024 08:01:27 +1200
Subject: [PATCH 2/2] man: document other keyname options for pam_systemd_loadkey
---
man/pam_systemd_loadkey.xml | 42 +++++++++++++++++++++++++++++++++++--
1 file changed, 40 insertions(+), 2 deletions(-)

diff --git a/man/pam_systemd_loadkey.xml b/man/pam_systemd_loadkey.xml
index ab99b1e7523..13d1686bd1e 100644
--- a/man/pam_systemd_loadkey.xml
+++ b/man/pam_systemd_loadkey.xml
@@ -49,9 +49,47 @@
keyname=
Takes a string argument which sets the keyname to read.
- The default is cryptsetup, which is used by
+ The default is cryptsetup.
+ During boot, systemd-cryptsetup@.service8
- to store LUKS passphrase during boot.
+ stores a passphrase or PIN in the keyring.
+ The LUKS2 volume key can also be used, via the option in
+ crypttab5.
+
+
+
+ Possible values for <varname>keyname</varname>.
+
+
+
+
+
+
+
+ Value
+ Description
+
+
+
+
+ cryptsetup
+ Passphrase or recovery key
+
+
+ fido2-pin
+ Security token PIN
+
+
+ luks2-pin
+ LUKS2 token PIN
+
+
+ tpm2-pin
+ TPM2 PIN
+
+
+
+