0
Users' home directories are on a server. They shall be mounted via sshfs on a client when a user logs in, using the password the user provided as credentials. The pam_mount
system is provided for this. How should it be configured?
0
These instructions have been tested on Debian 10. Add the following to /etc/security/pam_mount.conf.xml on the client:
<volume fstype="fuse"
path="sshfs#%(USER)@XXX:/home/%(USER)"
mountpoint="/home/%(USER)"
options="nosuid,nodev,noatime,reconnect,nonempty,allow_other,default_permissions,password_stdin"
ssh="0" noroot="0" />
Replace XXX with the hostname of the server.
ssh="0" works in conjunction with the option password_stdin. Otherwise, a wrapper fd0ssh is used, but it does not work.
noroot="0" has the effect that the mount is carried out as root, not as the user. The options allow_other,default_permissions make the mounted filesystem blend in with the other filesystems on the client. If the mount is carried out as the user instead, we may run into file permission problems that can make the login fail (Xorg log cannot be written).
nonempty makes the mount happen even if the mountpoint is not an empty directory. This option may not be needed for your setup.
reconnect looks like a reasonable thing to choose in this situation.
nosuid,nodev,noatime are for security and performance; adjust to your needs.
To work around a bug in the sddm login manager (used mainly for KDE), add an option to exclude the user sddm, for example uid="10000-60000"; see also.
At the time of writing, there is another bug making life hard for sshfs users. It was reported over 5 years ago. My workaround is to completely disable GNOME keyring by:
dpkg-divert --divert /usr/bin/gnome-keyring-daemon.bak --rename /usr/bin/gnome-keyring-daemon
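An added example, not part of the original answer: a small Python check that parses pam_mount XML and flags sshfs volumes that drift from the points discussed above (nosuid/nodev, allow_other paired with default_permissions, password_stdin paired with ssh="0", a uid or user restriction). The sample XML is constructed from the answer's snippet with XXX left as the server placeholder; the function name audit_volumes and the finding strings are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the volume from the answer plus the suggested uid range.
SAMPLE = '''<pam_mount>
<volume fstype="fuse" uid="10000-60000"
  path="sshfs#%(USER)@XXX:/home/%(USER)"
  mountpoint="/home/%(USER)"
  options="nosuid,nodev,noatime,reconnect,nonempty,allow_other,default_permissions,password_stdin"
  ssh="0" noroot="0" />
</pam_mount>'''


def audit_volumes(xml_text):
    """Return a list of (mountpoint, finding) tuples for sshfs volumes."""
    findings = []
    for vol in ET.fromstring(xml_text).iter("volume"):
        if not vol.get("path", "").startswith("sshfs#"):
            continue  # only sshfs volumes are checked here
        mp = vol.get("mountpoint", "?")
        opts = {o.strip() for o in vol.get("options", "").split(",") if o.strip()}
        # A remote filesystem should not supply setuid binaries or device nodes.
        for required in ("nosuid", "nodev"):
            if required not in opts:
                findings.append((mp, "missing " + required))
        # allow_other opens the mount to every local user; default_permissions
        # makes the kernel enforce the file modes reported by the server.
        if "allow_other" in opts and "default_permissions" not in opts:
            findings.append((mp, "allow_other without default_permissions"))
        # The answer pairs password_stdin with ssh="0"; flag a half-set pair.
        if ("password_stdin" in opts) != (vol.get("ssh") == "0"):
            findings.append((mp, 'password_stdin and ssh="0" not set together'))
        # Without uid/user the volume also applies to accounts such as sddm.
        if not vol.get("uid") and not vol.get("user"):
            findings.append((mp, "no uid/user restriction"))
    return findings


if __name__ == "__main__":
    for mountpoint, finding in audit_volumes(SAMPLE):
        print(mountpoint + ": " + finding)
```

To check a live client, pass the contents of /etc/security/pam_mount.conf.xml to audit_volumes instead of SAMPLE.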