pam: implement a zfs_key pam module

currently the pam module does: * load a zfs key and mounts the dataset when a session opens * unmounts the dataset and unloads the key when the session closes * when the user is logged on and changes the password, the modules changes the encryption key. Signed-off-by: Felix Dörre <felix@dogcraft.de> Closes openzfs#9886
felixdoerre · May 27, 2020 · efae46e · efae46e
1 parent fb82226
commit efae46e
Show file tree

Hide file tree

Showing 13 changed files with 945 additions and 2 deletions.
diff --git a/config/user-pam.m4 b/config/user-pam.m4
@@ -0,0 +1,36 @@
+AC_DEFUN([ZFS_AC_CONFIG_USER_PAM], [
+	AC_ARG_ENABLE([pam],
+		AS_HELP_STRING([--enable-pam],
+		[install pam_zfs_key module [[default: check]]]),
+		[enable_pam=$enableval],
+		[enable_pam=check])
+
+	AC_ARG_WITH(pammoduledir,
+		AS_HELP_STRING([--with-pammoduledir=DIR],
+		[install pam module in dir [[/lib/security]]]),
+		[pammoduledir="$withval"],[pammoduledir=/lib/security])
+
+	AC_ARG_WITH(pamconfigsdir,
+		AS_HELP_STRING([--with-pamconfigsdir=DIR],
+		[install pam-config files in dir [[/usr/share/pamconfigs]]]),
+		[pamconfigsdir="$withval"],[pamconfigsdir=/usr/share/pam-configs])
+
+	AS_IF([test "x$enable_pam" != "xno"], [
+		AC_CHECK_HEADERS([security/pam_modules.h], [
+			enable_pam=yes
+		], [
+			AS_IF([test "x$enable_pam" == "xyes"], [
+				AC_MSG_FAILURE([
+	*** security/pam_modules.h missing, libpam0g-dev package required
+				])
+			])
+		])
+	])
+	AS_IF([test "x$enable_pam" == "xyes"], [
+		DEFINE_PAM='--define "_pam 1" --define "_pammoduledir $(pammoduledir)" --define "_pamconfigsdir $(pamconfigsdir)"'
+	])
+	AC_SUBST(DEFINE_PAM)
+	AM_CONDITIONAL([PAM_ZFS_ENABLED], [test "x$enable_pam" = xyes])
+	AC_SUBST(pammoduledir)
+	AC_SUBST(pamconfigsdir)
+])
diff --git a/config/user.m4 b/config/user.m4
@@ -17,6 +17,7 @@ AC_DEFUN([ZFS_AC_CONFIG_USER], [
 	ZFS_AC_CONFIG_USER_LIBUDEV
 	ZFS_AC_CONFIG_USER_LIBSSL
 	ZFS_AC_CONFIG_USER_LIBAIO
+	ZFS_AC_CONFIG_USER_PAM
 	ZFS_AC_CONFIG_USER_RUNSTATEDIR
 	ZFS_AC_CONFIG_USER_MAKEDEV_IN_SYSMACROS
 	ZFS_AC_CONFIG_USER_MAKEDEV_IN_MKDEV

diff --git a/config/zfs-build.m4 b/config/zfs-build.m4
@@ -284,6 +284,7 @@ AC_DEFUN([ZFS_AC_RPM], [
 	RPM_DEFINE_UTIL+=' $(DEFINE_INITRAMFS)'
 	RPM_DEFINE_UTIL+=' $(DEFINE_SYSTEMD)'
 	RPM_DEFINE_UTIL+=' $(DEFINE_PYZFS)'
+	RPM_DEFINE_UTIL+=' $(DEFINE_PAM)'
 	RPM_DEFINE_UTIL+=' $(DEFINE_PYTHON_VERSION)'
 	RPM_DEFINE_UTIL+=' $(DEFINE_PYTHON_PKG_VERSION)'
 

diff --git a/configure.ac b/configure.ac
@@ -98,6 +98,7 @@ AC_CONFIG_FILES([
 	contrib/initramfs/hooks/Makefile
 	contrib/initramfs/scripts/Makefile
 	contrib/initramfs/scripts/local-top/Makefile
+	contrib/pam_zfs_key/Makefile
 	contrib/pyzfs/Makefile
 	contrib/pyzfs/setup.py
 	contrib/zcp/Makefile

diff --git a/contrib/Makefile.am b/contrib/Makefile.am
@@ -1,5 +1,5 @@
 SUBDIRS = bash_completion.d pyzfs zcp
 if BUILD_LINUX
-SUBDIRS += bpftrace dracut initramfs
+SUBDIRS += bpftrace dracut initramfs pam_zfs_key
 endif
-DIST_SUBDIRS = bash_completion.d bpftrace dracut initramfs pyzfs zcp
+DIST_SUBDIRS = bash_completion.d bpftrace dracut initramfs pam_zfs_key pyzfs zcp
diff --git a/contrib/pam_zfs_key/Makefile.am b/contrib/pam_zfs_key/Makefile.am
@@ -0,0 +1,26 @@
+include $(top_srcdir)/config/Rules.am
+
+VPATH = \
+	$(top_srcdir)/module/icp \
+	$(top_srcdir)/module/zcommon \
+	$(top_srcdir)/lib/libzfs
+
+if PAM_ZFS_ENABLED
+
+pammodule_LTLIBRARIES=pam_zfs_key.la
+
+pam_zfs_key_la_SOURCES = pam_zfs_key.c
+
+pam_zfs_key_la_LIBADD = \
+	$(top_builddir)/lib/libnvpair/libnvpair.la \
+	$(top_builddir)/lib/libuutil/libuutil.la \
+	$(top_builddir)/lib/libzfs/libzfs.la \
+	$(top_builddir)/lib/libzfs_core/libzfs_core.la
+
+pam_zfs_key_la_LDFLAGS = -version-info 1:0:0 -avoid-version -module -shared
+
+pam_zfs_key_la_LIBADD += -lpam $(LIBSSL)
+
+pamconfigs_DATA = zfs_key
+EXTRA_DIST = $(pamconfigs_DATA)
+endif