Categories
System Administration

Create home directory on first login

Creating home directories for new users can be a difficult task and especially in an LDAP-based environment, but most PAM installations have the option to create a new home directory before the user login is completed. Debian also ships the module mpam_mkhomedir, but without a manifest to set it up correctly. Bug 640918 covers this issue, but for now, creating the file /usr/share/pam-configs/mkhomedir with the content below resolves the problem.

Name: Create home directory on first login
Default: no
Priority: 0
Session-Type: Additional
Session-Final:
 required pam_mkhomedir.so umask=0027

After creating the file, the command below updates the PAM-config to create the home directory when a user’s home directory doesn’t exist. In the example configuration above the default umask is 0027 so only the user and group will have access to the home directory.

$ sudo pam-auth-update --package mkhomedir

By default, the configuration in /etc/skel is being used to create a new home directory. This is a point of attention when the user needs files and/or directories when the user logs in and an example of this may be a Maildir for receiving mail.

Categories
Internet, Unix en security

Using PAM to allow access

Over the years PAM (Pluggable Authentication Modules) has become the standard on Solaris and Linux, and others like AIX and the known BSD’s are following. But by default, all services that use PAM are allowing all users to use it unless the service itself takes action. So why not bring the authorization part to PAM and make the decision to allow access directly in PAM?

In this example, we want to allow only access to Dovecot for users who are members of POSIX-group ac_mail. For this, we use a module called pam_succeed_if which can verify if a user is in a certain group or not. Based on the standard PAM-file for a service, we create a new file for Dovecot and added the required line to do the authentication.

#%PAM-1.0

@include common-auth
auth required pam_succeed_if.so quiet user ingroup ac_mail
@include common-account
@include common-session

Also changing the Dovecot configuration to tell it to use the dovecot PAM-file.

passdb pam {
  args = session=yes dovecot
}

Now only users who are member of the ac_mail group can logon. This allows a system administrator to use LDAP for example so all machines have the same group information and all machines with the modified PAM configuration to use it. This way of allowing users to logon can also be used for other services that depend on PAM like Proftpd, OpenSSH, or PostgreSQL for example.