systemd/man/pam_systemd_home.xml
Zbigniew Jędrzejewski-Szmek 8b9f092112 man: fix issues reported by the manpage-l10n project
Fixes #25780.

> Man page: crypttab.5
> Issue 1:  Missing fullstop
> Issue 2:  I<cipher=>, I<hash=>, I<size=> → B<cipher=>, B<hash=>, B<size=>
>
> "Force LUKS mode\\&. When this mode is used, the following options are "
> "ignored since they are provided by the LUKS header on the device: "
> "I<cipher=>, I<hash=>, I<size=>"

Seems OK to me. The full stop is there and has been for at least a few years. And we use <option> for the markup, which is appropriate here.

> Man page: crypttab.5
> Issue 1:  Missing fullstop
> Issue 2:  I<cipher=>, I<hash=>, I<keyfile-offset=>, I<keyfile-size=>, I<size=> → B<cipher=>, B<hash=>, B<keyfile-offset=>, B<keyfile-size=>, B<size=>
>
> "Use TrueCrypt encryption mode\\&. When this mode is used, the following "
> "options are ignored since they are provided by the TrueCrypt header on the "
> "device or do not apply: I<cipher=>, I<hash=>, I<keyfile-offset=>, I<keyfile-"
> "size=>, I<size=>"

Same.

> Man page: journalctl.1
> Issue 1:  make be → may be

Fixed.

> Issue 2:  below\\&. → below:

Fixed.

> Man page: journalctl.1
> Issue:    Colon at the end?
>
> "The following commands are understood\\&. If none is specified the default "
> "is to display journal records\\&."
> msgstr ""
> "Die folgenden Befehle werden verstanden\\&. Falls keiner festgelegt ist, ist "
> "die Anzeige von Journal-Datensätzen die Vorgabe\\&."

This is a bit awkward, but I'm not sure how to fix it.

> Man page: kernel-install.8
> Issue:    methods a fallback → methods fallback

It was correct, but I added a comma to make the sense clearer.

> Man page: loader.conf.5
> Issue 1:  secure boot variables → Secure Boot variables
> Issue 2:  one → one for (multiple times)
>
> "Supported secure boot variables are one database for authorized images, one "
> "key exchange key (KEK) and one platform key (PK)\\&. For more information, "
> "refer to the \\m[blue]B<UEFI specification>\\m[]\\&\\s-2\\u[2]\\d\\s+2, "
> "under Secure Boot and Driver Signing\\&. Another resource that describe the "
> "interplay of the different variables is the \\m[blue]B<EDK2 "
> "documentation>\\m[]\\&\\s-2\\u[3]\\d\\s+2\\&."

"one of" would sound strange. "One this and one that" is OK.

> Man page: loader.conf.5
> Issue:    systemd-boot → B<systemd-boot>(7)

Fixed.

> Man page: logind.conf.5
> Issue:    systemd-logind → B<systemd-logind>(8)

We use <filename>systemd-logind</> on subsequent references… I think that's good enough.

> Man page: nss-myhostname.8
> Issue:    B<getent> → B<getent>(1)

Fixed.

> Man page: nss-resolve.8
> Issue:    B<systemd-resolved> → B<systemd-resolved>(8)

The first reference does this, subsequent are shorter.

> Man page: os-release.5
> Issue:    Portable Services → Portable Services Documentation?

Updated.

> Man page: pam_systemd_home.8
> Issue:    auth and account use "reason", while session and password do not?

Reworded.

> Man page: portablectl.1
> Issue:    In systemd-portabled.service(8): Portable Services Documentation

Updated.

> Man page: repart.d.5
> Issue:    The partition → the partition

Fixed.

> Man page: repart.d.5
> Issue:    B<systemd-repart> → B<systemd-repart>(8)

The first reference does this. I also change this one, because it's pretty far down in the text.

> Man page: systemd.1
> Issue:    kernel command line twice?
>
> "Takes a boolean argument\\&. If false disables importing credentials from "
> "the kernel command line, qemu_fw_cfg subsystem or the kernel command line\\&."

Apparently this was fixed already.

> Man page: systemd-boot.7
> Issue:    enrollement → enrollment

Fixed.

> Man page: systemd-cryptenroll.1
> Issue:    multiple cases: any specified → the specified

Reworded.

> Man page: systemd-cryptenroll.1
> Issue:    If this this → If this

Fixed tree-wide.

> Man page: systemd-cryptsetup-generator.8
> Issue:    and the initrd → and in the initrd

"Is honoured by the initrd" is OK, because we often speak about the initrd as a single unit. But in the same paragraph we also used "in the initrd", which makes the other use look sloppy. I changed it to "in the initrd" everywhere in that file.

> Man page: systemd.directives.7
> Issue:    Why are these two quoted (but not others)?
>
> "B<\\*(Aqh\\*(Aq>"
>
> B<\\*(Aqs\\*(Aq>"
>
> "B<\\*(Aqy\\*(Aq>"

This is autogenerated from files… We use slightly different markup in different files, and it's just too hard to make it consistent. We gave up on this.

> Man page: systemd.exec.5
> Issue 1:  B<at>(1p) → B<at>(1)
> Issue 2:  B<crontab>(1p) → B<crontab>(1)

Fixed.

> Man page: systemd.exec.5
> Issue:    B<select()> → B<select>(2)

Fixed.

> Man page: systemd.exec.5
> Issue:   qemu → B<qemu>(1)

The man page doesn't seem to be in any of the canonical places on the web.
I added a link to online docs.

> Man page: systemd.exec.5
> Issue:    variable → variables

Seems to be fixed already.

> Man page: systemd-integritysetup-generator.8
> Issue:    systemd-integritysetup-generator → B<systemd-integritysetup-generator>

I changed <filename> to <command>.

> Man page: systemd-integritysetup-generator.8
> Issue:    superfluous comma at the end

Already fixed.

> Man page: systemd-measure.1
> Issue:    (see B<--pcr-bank=>) below → (see B<--pcr-bank=> below)

Reworded.

> Man page: systemd-measure.1
> Issue:    =PATH> → =>I<PATH>

Fixed.

> Man page: systemd-measure.1.po
> Issue:    B<--bank=DIGEST> → B<--bank=>I<DIGEST>

Fixed.

> Man page: systemd.netdev.5
> Issue:    os the → on the

Appears to have been fixed already.

> Man page: systemd.netdev.5
> Issue:    Onboard → On-board (as in previous string)

Updated.

> Man page: systemd.network.5
> Issue:    B<systemd-networkd> -> B<systemd-networkd>(8)

First reference does this, subsequent do not.

> Man page: systemd.network.5
> Issue:    B<netlabelctl> → B<netlabelctl>(8)

First reference does this, subsequent do not.

> Man page: systemd.network.5
> Issue:    Missing verb (aquired? configured?) in the half sentence starting with "or by a "

I dropped the comma.

> Man page: systemd-nspawn.1
> Issue:    All host users outside of that range → All other host users

Reworded.

> # FIXME no effect → no effect\\&.
> #. type: Plain text
> #: archlinux debian-unstable fedora-rawhide mageia-cauldron opensuse-tumbleweed
> msgid ""
> "Whichever ID mapping option is used, the same mapping will be used for users "
> "and groups IDs\\&. If B<rootidmap> is used, the group owning the bind "
> "mounted directory will have no effect"

A period is added. Not sure if there's some other issue.

> Man page: systemd-oomd.service.8
> Issue:    B<systemd> → B<systemd>(1)

Done.

> Man page: systemd.path.5
> Issue 1:  B<systemd.exec>(1) → B<systemd.exec>(5)
> Issue 2:  This section does not (yet?) exist

Fixed.

> Man page: systemd-pcrphase.service.8
> Issue 1:  indicate phases into TPM2 PCR 11 ??
> Issue 2: Colon at the end of the paragraph?

Fixed.

> Man page: systemd-pcrphase.service.8
> Issue:    final boot phase → final shutdown phase?

Updated.

> Man page: systemd-pcrphase.service.8
> Issue:    for the the → for the

Fixed tree-wide.

> Man page: systemd-portabled.service.8
> Issue:    In systemd-portabled.service(8): Portable Services Documentation

Updated.

> Man page: systemd-pstore.service.8
> Issue:    Here and the following paragraphs: . → \\&. // Upstream: What does this comment mean? // You normally write \\&. for a full dot (full stop etc.); here you write only "." (i.e. a plain dot).
>
> "and we look up \"localhost\", nss-dns will send the following queries to "
> "systemd-resolved listening on 127.0.0.53:53: first \"localhost.foobar.com\", "
> "then \"localhost.barbar.com\", and finally \"localhost\". If (hopefully) the "
> "first two queries fail, systemd-resolved will synthesize an answer for the "
> "third query."

Looks all OK to me.

> Man page: systemd.resource-control.5
> Issue:    Missing closing bracket after link to Control Groups version 1

Fixed.

> Man page: systemd-sysext.8
> Issue:    In systemd-portabled.service(8): Portable Services Documentation

Updated.

> Man page: systemd.timer.5
> Issue 1:  B<systemd.exec>(1) → B<systemd.exec>(5)
> Issue 2:  This section does not (yet?) exist

Fixed.

> Man page: systemd.unit.5
> Issue:    that is → that are

Fixed.

> Man page: systemd-veritysetup-generator.8
> Issue:    systemd-veritysetup-generator → B<systemd-veritysetup-generator>
>
 > "systemd-veritysetup-generator implements B<systemd.generator>(7)\\&."
>
> "systemd-veritysetup-generator understands the following kernel command line "
> "parameters:"

Updated.

> Man page: systemd-volatile-root.service.8
> Issue:    initrdyes → Initrd

Fixed.

> Man page: sysupdate.d.5
> Issue:    : → \\&. (As above in TRANSFER)

Updated.

> Man page: sysupdate.d.5
> Issue:    some → certain

Updated.

> Man page: sysupdate.d.5
> Issue 1:  i\\&.e\\& → I\\&.e\\&

Fixed.

> Issue 2:  the image → the system

"image" seems correct.

> Man page: tmpfiles.d.5
> Issue:    systemd-tmpfiles → B<systemd-tmpfiles>(8)

Updated.
2023-01-11 17:12:54 +01:00

177 lines
8.8 KiB
XML

<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="pam_systemd_home" conditional='ENABLE_PAM_HOME'>
<refentryinfo>
<title>pam_systemd_home</title>
<productname>systemd</productname>
</refentryinfo>
<refmeta>
<refentrytitle>pam_systemd_home</refentrytitle>
<manvolnum>8</manvolnum>
</refmeta>
<refnamediv>
<refname>pam_systemd_home</refname>
<refpurpose>Authenticate users and mount home directories via <filename>systemd-homed.service</filename>
</refpurpose>
</refnamediv>
<refsynopsisdiv>
<para><filename>pam_systemd_home.so</filename></para>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para><command>pam_systemd_home</command> ensures that home directories managed by
<citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
are automatically activated (mounted) on user login, and are deactivated (unmounted) when the last
session of the user ends. For such users, it also provides authentication (when per-user disk encryption
is used, the disk encryption key is derived from the authentication credential supplied at login time),
account management (the <ulink url="https://systemd.io/USER_RECORD/">JSON user record</ulink> embedded in
the home store contains account details), and implements the updating of the encryption password (which
is also used for user authentication).</para>
</refsect1>
<refsect1>
<title>Options</title>
<para>The following options are understood:</para>
<variablelist class='pam-directives'>
<varlistentry>
<term><varname>suspend=</varname></term>
<listitem><para>Takes a boolean argument. If true, the home directory of the user will be suspended
automatically during system suspend; if false it will remain active. Automatic suspending of the home
directory improves security substantially as secret key material is automatically removed from memory
before the system is put to sleep and must be re-acquired (through user re-authentication) when
coming back from suspend. It is recommended to set this parameter for all PAM applications that have
support for automatically re-authenticating via PAM on system resume. If multiple sessions of the
same user are open in parallel the user's home directory will be left unsuspended on system suspend
as long as at least one of the sessions does not set this parameter to on. Defaults to
off.</para>
<para>Note that TTY logins generally do not support re-authentication on system resume.
Re-authentication on system resume is primarily a concept implementable in graphical environments, in
the form of lock screens brought up automatically when the system goes to sleep. This means that if a
user concurrently uses graphical login sessions that implement the required re-authentication
mechanism and console logins that do not, the home directory is not locked during suspend, due to the
logic explained above. That said, it is possible to set this field for TTY logins too, ignoring the
fact that TTY logins actually don't support the re-authentication mechanism. In that case the TTY
sessions will appear hung until the user logs in on another virtual terminal (regardless if via
another TTY session or graphically) which will resume the home directory and unblock the original TTY
session. (Do note that lack of screen locking on TTY sessions means even though the TTY session
appears hung, keypresses can still be queued into it, and the existing screen contents be read
without re-authentication; this limitation is unrelated to the home directory management
<command>pam_systemd_home</command> and <filename>systemd-homed.service</filename> implement.)</para>
<para>Turning this option on by default is highly recommended for all sessions, but only if the
service managing these sessions correctly implements the aforementioned re-authentication. Note that
the re-authentication must take place from a component running outside of the user's context, so that
it does not require access to the user's home directory for operation. Traditionally, most desktop
environments do not implement screen locking this way, and need to be updated
accordingly.</para>
<para>This setting may also be controlled via the <varname>$SYSTEMD_HOME_SUSPEND</varname>
environment variable (see below), which <command>pam_systemd_home</command> reads during initialization and sets
for sessions. If both the environment variable is set and the module parameter specified the latter
takes precedence.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>debug</varname><optional>=</optional></term>
<listitem><para>Takes an optional boolean argument. If yes or without the argument, the module will log
debugging information as it operates.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Module Types Provided</title>
<para>The module implements all four PAM operations: <option>auth</option> (to allow authentication using
the encrypted data), <option>account</option> (because users with
<filename>systemd-homed.service</filename> user accounts are described in a <ulink
url="https://systemd.io/USER_RECORD/">JSON user record</ulink> and may be configured in more detail than
in the traditional Linux user database), <option>session</option> (because user sessions must be tracked
in order to implement automatic release when the last session of the user is gone),
<option>password</option> (to change the encryption password — also used for user authentication —
through PAM).</para>
</refsect1>
<refsect1>
<title>Environment</title>
<para>The following environment variables are initialized by the module and available to the processes of the
user's session:</para>
<variablelist class='environment-variables'>
<varlistentry>
<term><varname>$SYSTEMD_HOME=1</varname></term>
<listitem><para>Indicates that the user's home directory is managed by <filename>systemd-homed.service</filename>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>$SYSTEMD_HOME_SUSPEND=</varname></term>
<listitem><para>Indicates whether the session has been registered with the suspend mechanism enabled
or disabled (see above). The variable's value is either <literal>0</literal> or
<literal>1</literal>. Note that the module both reads the variable when initializing, and sets it for
sessions.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Example</title>
<para>Here's an example PAM configuration fragment that permits users managed by
<filename>systemd-homed.service</filename> to log in:</para>
<programlisting>#%PAM-1.0
auth sufficient pam_unix.so
<command>-auth sufficient pam_systemd_home.so</command>
auth required pam_deny.so
account required pam_nologin.so
<command>-account sufficient pam_systemd_home.so</command>
account sufficient pam_unix.so
account required pam_permit.so
<command>-password sufficient pam_systemd_home.so</command>
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password required pam_deny.so
-session optional pam_keyinit.so revoke
-session optional pam_loginuid.so
<command>-session optional pam_systemd_home.so</command>
-session optional pam_systemd.so
session required pam_unix.so</programlisting>
</refsect1>
<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>homed.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>homectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>pam_systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>
</refsect1>
</refentry>