

Viewing changes to src/utils/ecryptfs-setup-pam.sh

  • Committer: mhalcrow@us.ibm.com
  • Date: 2007-11-06 22:56:01 UTC
  • Revision ID: git-v1:f8357de9d554b274497b5cce9db4347254b7e7eb
Initial import of eCryptfs filesystem userspace utilities (mount helper, daemon component,
etc.)


 
1
#!/bin/sh
 
2
 
 
3
echo
 
4
echo "You must run this script as root. Do not use sudo; either log in"
 
5
echo "as root or use 'su -'"
 
6
echo
 
7
echo "This script applies to Open Client systems only with the IBM-security-compliance RPM installed"
 
8
echo
 
9
 
 
10
whoami | grep "^root$" &> /dev/null
 
11
if test $? == 1; then
 
12
  echo "Please run this script as root"
 
13
  echo
 
14
  exit
 
15
fi
 
16
 
 
17
echo "USAGE:"
 
18
echo " # ecryptfs-setup-pam.sh [username] [passphrase] <noninteractive>"
 
19
echo
 
20
 
 
21
if test "x$1" == "x"; then
 
22
    echo "Must provide a username"
 
23
    echo
 
24
    exit
 
25
fi
 
26
 
 
27
if test "x$2" == "x"; then
 
28
    echo "Must provide a login passphrase"
 
29
    echo
 
30
    exit
 
31
fi
 
32
 
 
33
if test "x$3" == "xnoninteractive"; then
 
34
    echo "Running in non-interactive mode"
 
35
    INTERACTIVE=0
 
36
else
 
37
    echo "Running in interactive mode"
 
38
    INTERACTIVE=1
 
39
fi
 
40
 
 
41
 
 
42
echo $2 | grep "[;\"\\]"
 
43
if test $? == 0; then
 
44
    echo "Warning: Using backslashes, quotes, or semicolons in your passphrase"
 
45
    echo "may cause problems."
 
46
    echo
 
47
    if test $INTERACTIVE == 1; then
 
48
        echo "Hit ENTER to continue, CTRL-C to abort..."
 
49
        read
 
50
    fi
 
51
fi
 
52
 
 
53
echo "Using username [$1]"
 
54
echo "Using login passphrase [$2]"
 
55
echo
 
56
echo "This script will attempt to set up your system to mount eCryptfs"
 
57
echo "automatically on login, using your login passphrase."
 
58
echo
 
59
if test $INTERACTIVE == 1; then
 
60
    echo "Hit ENTER to continue, CTRL-C to abort..."
 
61
    read
 
62
fi
 
63
echo
 
64
echo "This script will now attempt to take the following steps:"
 
65
echo " * Insert the ecryptfs kernel module"
 
66
echo "  # modprobe ecryptfs"
 
67
echo " * Create a Confidential directory in the user's home directory"
 
68
echo "  # mkdir /home/$1/Confidential"
 
69
echo "  # chown $1:$1 /home/$1/Confidential"
 
70
echo "  # chmod 700 /home/$1/Confidential"
 
71
echo " * Perform an eCryptfs mount"
 
72
echo "  # mount -t ecryptfs /home/$1/Confidential /home/$1/Confidential -o key=passphrase:passwd=\"$2\",cipher=aes,ecryptfs_key_bytes=16,passthrough=n,no_sig_cache"
 
73
echo " * Add an entry to /etc/fstab with the the mount parameters" 
 
74
echo "  # grep ecryptfs_sig /etc/mtab | sed 's/ecryptfs_cipher\=aes,ecryptfs_key_bytes\=16/ecryptfs_cipher\=aes,ecryptfs_key_bytes\=16,user,noauto,/' >> /etc/fstab"
 
75
echo " * Unmount eCryptfs"
 
76
echo "  # umount ecryptfs"
 
77
echo " * Add pam_ecryptfs to PAM stack"
 
78
echo "  # cat /etc/pam.d/system-auth | sed 's/auth\s*required\s*pam_unix\.so likeauth nullok/auth       required     pam_unix.so likeauth nullok\nauth       required     pam_ecryptfs.so/' > /tmp/system-auth"
 
79
echo "  # cp -f /etc/pam.d/system-auth /etc/pam.d/.system-auth-before-pam_ecryptfs"
 
80
echo "  # mv -f /tmp/system-auth /etc/pam.d/system-auth"
 
81
echo " * Add eCryptfs mount commands to /home/$1/.bash_profile"
 
82
echo "  # cp -f /home/$1/.bash_profile /home/$1/.bash_profile-before-pam_ecryptfs"
 
83
echo "  # echo \"if test -e \$HOME/.ecryptfs/auto-mount; then\" >> /home/$1/.bash_profile"
 
84
echo "  # echo \"  mount | grep \\\"\$HOME/Confidential type ecryptfs\\\"\" >> /home/$1/.bash_profile"
 
85
echo "  # echo \"  if test \$? != 0; then\" >> /home/$1/.bash_profile"
 
86
echo "  # echo \"    mount -i \$HOME/Confidential\" >> /home/$1/.bash_profile"
 
87
echo "  # echo \"  fi\" >> /home/$1/.bash_profile"
 
88
echo "  # echo \"fi\" >> /home/$1/.bash_profile"
 
89
echo " * Turn on automount for the user"
 
90
echo "  # mkdir -p /home/$1/.ecryptfs"
 
91
echo "  # chown $1:$1 /home/$1/.ecryptfs"
 
92
echo "  # touch /home/$1/.ecryptfs/auto-mount"
 
93
echo "  # chown $1:$1 /home/$1/.ecryptfs/auto-mount"
 
94
echo
 
95
echo "If something goes wrong, or if you notice that an operation "
 
96
echo "listed above will not work on your system, than you will need "
 
97
echo "to take these steps manually."
 
98
echo
 
99
if test $INTERACTIVE == 1; then
 
100
    echo "Hit ENTER to continue, CTRL-C to abort..."
 
101
    read
 
102
fi
 
103
modprobe ecryptfs
 
104
mkdir /home/$1/Confidential
 
105
chown $1:$1 /home/$1/Confidential
 
106
chmod 700 /home/$1/Confidential
 
107
mount -t ecryptfs /home/$1/Confidential /home/$1/Confidential -o key=passphrase:passwd="$2",cipher=aes,ecryptfs_key_bytes=16,passthrough=n,no_sig_cache
 
108
grep ecryptfs_sig /etc/mtab | sed 's/ecryptfs_cipher\=aes,ecryptfs_key_bytes\=16/ecryptfs_cipher\=aes,ecryptfs_key_bytes\=16,user,noauto,/' >> /etc/fstab
 
109
umount /home/$1/Confidential
 
110
cat /etc/pam.d/system-auth | sed 's/auth\s*required\s*pam_unix\.so likeauth nullok/auth       required     pam_unix.so likeauth nullok\nauth       required     pam_ecryptfs.so/' > /tmp/system-auth
 
111
cp -f /etc/pam.d/system-auth /etc/pam.d/.system-auth-before-pam_ecryptfs
 
112
mv -f /tmp/system-auth /etc/pam.d/system-auth
 
113
cp -f /home/$1/.bash_profile /home/$1/.bash_profile-before-pam_ecryptfs
 
114
echo "if test -e \$HOME/.ecryptfs/auto-mount; then" >> /home/$1/.bash_profile
 
115
echo "  mount | grep \"\$HOME/Confidential type ecryptfs\"" >> /home/$1/.bash_profile
 
116
echo "  if test \$? != 0; then" >> /home/$1/.bash_profile
 
117
echo "    mount -i \$HOME/Confidential" >> /home/$1/.bash_profile
 
118
echo "  fi" >> /home/$1/.bash_profile
 
119
echo "fi" >> /home/$1/.bash_profile
 
120
mkdir -p /home/$1/.ecryptfs
 
121
chown $1:$1 /home/$1/.ecryptfs
 
122
touch /home/$1/.ecryptfs/auto-mount
 
123
chown $1:$1 /home/$1/.ecryptfs/auto-mount
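Review bot: The login passphrase is taken from argv as `$2` (script lines 18, 42, 54 and 107), so it is readable in `ps` output and shell history for the lifetime of this script and of the `mount` it spawns with `passwd="$2"`, and line 54 additionally prints it to stdout; reading it from the terminal with echo disabled when `$2` is empty, `stty -echo; read -r passphrase; stty echo`, and dropping the echo on line 54 would keep it off the process list and the terminal log. The PAM rewrite on lines 110-112 stages the new `system-auth` at the predictable path `/tmp/system-auth` as root before moving it over `/etc/pam.d/system-auth`, where a pre-existing file or symlink in /tmp can redirect the write; `tmp=$(mktemp /etc/pam.d/.system-auth.XXXXXX) || exit 1` and using `"$tmp"` for the redirect and the `mv` keeps the staging file in a root-only directory. The refusal paths on lines 14, 24 and 30 call bare `exit`, returning status 0, so a wrapper cannot distinguish a refused run from a completed one; `exit 1` there. Under `#!/bin/sh`, `&>` on line 10 and `==` inside `test` on lines 11, 21, 27, 33, 47, 59 and 99 are bashisms, and line 11 only catches an exit status of exactly 1; `if [ "$(id -u)" -ne 0 ]; then` replaces lines 10-11 portably. The unquoted `$1` in every path, with no check that the user exists or that the home is really `/home/$1`, means a username with whitespace or metacharacters yields partially applied root operations, so `getent passwd "$1"` up front and quoting `"$1"` throughout is worth doing before this ships.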