From b7e898f01bcae17174fcd928599d0d933655db9b Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Mon, 8 Mar 2021 15:20:08 -0800 Subject: pam_fscrypt: make "lock_policies" the default behavior All pam_fscrypt configuration guides that I'm aware of say to use the "lock_policies" option for the pam_fscrypt.so session hook. The Debian/Ubuntu pam-config-framework config file has it too. Make locking the default behavior, since this is what everyone wants. Existing configuration files that contain the "lock_policies" option will continue to work, but that option won't do anything anymore. (We could add an option "unlock_only" to restore the old default behavior, but it's not clear that it would be useful. So for simplicity, leave it out for now.) --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 4a59535..97caed2 100644 --- a/README.md +++ b/README.md @@ -415,12 +415,12 @@ auth optional pam_fscrypt.so after `pam_unix.so` in `/etc/pam.d/common-auth` or similar, and to add the line: ``` -session optional pam_fscrypt.so lock_policies +session optional pam_fscrypt.so ``` -after `pam_unix.so` in `/etc/pam.d/common-session` or similar. The -`lock_policies` option locks the directories protected with the user's login -passphrase when the last session ends. All the types also support the `debug` -option which prints additional debug information to the syslog. +after `pam_unix.so` in `/etc/pam.d/common-session` or similar. + +To make `pam_fscrypt.so` print debugging messages to the system log, add the +`debug` option. All hook types accept this option. ### Allowing `fscrypt` to check your login passphrase -- cgit v1.2.3
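Review bot: The rewritten paragraph after the `session optional pam_fscrypt.so` line no longer says anywhere that the session hook locks the directories protected with the user's login passphrase when the last session ends. The removed sentence was the only place the README described that behavior, and it is now the default rather than opt-in. I'd keep one sentence stating that the session hook does this by default. I'd also add, as the commit message already says, that `lock_policies` is still accepted in existing configuration files but no longer has any effect, so someone auditing an older `/etc/pam.d/common-session` can tell what that option means. The new `debug` paragraph reads fine as is.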