TL;DR
If you use SDDM with the pam_mount module to unlock a LUKS-encrypted home directory with your login password, an attacker who obtains a copy of /etc/shadow can crack that password offline and then open the home volume with it. This guide explains how to mitigate the risk by unlocking the volume with a random keyfile instead of the login password.
Solution
- Understand the risk: pam_mount, commonly used with SDDM to mount an encrypted home directory at login, unlocks the volume with the password the user types at the login screen (PAM hands the cleartext password to pam_mount). In the usual setup that password is also the LUKS passphrase of the home volume, so the disk encryption is only as strong as the login password. /etc/shadow stores only the hash of that password, not the password itself, but an attacker who copies the file can crack the hash offline with no rate limiting, and a cracked login password then opens the home volume as well.
- Check your pam_mount configuration: pam_mount is enabled by `auth` and `session` lines in the PAM stack (for example /etc/pam.d/common-auth and /etc/pam.d/common-session on Debian and Ubuntu, or /etc/pam.d/system-auth or /etc/pam.d/sddm on Arch), and the volumes it mounts are declared in /etc/security/pam_mount.conf.xml (and, if luserconf is enabled there, in each user's ~/.pam_mount.conf.xml). A volume that is unlocked with the login password is a `<volume fstype="crypt" ...>` entry with no fskeypath attribute: `grep -r pam_mount /etc/pam.d/` and `grep -n '<volume' /etc/security/pam_mount.conf.xml`.
- Disable password-based mounting: the most effective fix is to stop deriving the LUKS key from the login password and let pam_mount unlock the volume with a random keyfile instead. There is no password option to comment out in the /etc/pam.d/ files, and the pam_mount lines there must stay in place because pam_mount still has to run at login to perform the mount; the change is made to the volume entry in pam_mount.conf.xml.
- Configure keyfile authentication: as root, generate a random keyfile for each user whose home directory is encrypted and add it to a free LUKS key slot. The keyfile must live outside the volume it unlocks, on the root filesystem (e.g. /home/.keys/alice.key) or on removable media: `umask 077; mkdir -p /home/.keys; head -c 64 /dev/urandom > /home/.keys/alice.key` and then `cryptsetup luksAddKey /dev/sdXN /home/.keys/alice.key`. Replace /dev/sdXN with the device name of the user's encrypted volume (the partition, not the whole disk). luksAddKey prompts once for an existing passphrase (the user's current login password) and stores the keyfile in a new key slot; the password slot keeps working until you remove it.
  Important: back up the keyfiles and the LUKS header (`cryptsetup luksHeaderBackup`). Losing the keyfile after the password slot has been removed means losing the home directory. Keep the backups on a separate, secure storage medium (e.g. a USB drive), not on the machine itself.
- Update pam_mount configuration for keyfile use: in /etc/security/pam_mount.conf.xml, give the user's volume an fskeypath attribute pointing at the keyfile and set fskeycipher="none" so the file is used as the raw key rather than decrypted with the login password (check pam_mount.conf(5) for your version; older releases only support password-encrypted keyfiles, which would tie the key to the login password again): `<volume user="alice" fstype="crypt" path="/dev/sdXN" mountpoint="/home/alice" fskeypath="/home/.keys/alice.key" fskeycipher="none" />`.
- Test the configuration: log out and log back in as the user. Verify that the home directory mounts, and check the logs (/var/log/auth.log or `journalctl -xe`) for any errors mentioning pam_mount. Once keyfile login works, remove the password from the LUKS header with `cryptsetup luksRemoveKey /dev/sdXN` (it prompts for the passphrase to remove); until that slot is gone, a cracked login password still opens the volume. `cryptsetup luksDump /dev/sdXN` lists the remaining key slots.
- Secure keyfiles: pam_mount reads the keyfile as root during login, so it should be owned by root and unreadable by everyone else: `chown root:root /home/.keys/alice.key; chmod 400 /home/.keys/alice.key`. An unencrypted keyfile on the root filesystem protects against a stolen password hash but not against anyone who can read the root filesystem (root access, or physical access to an unencrypted disk); keep the root filesystem itself encrypted or keep the keyfile on a removable drive that is present only at login.
- Consider alternatives: if possible, explore home directory encryption that does not rely on pam_mount or on password-based decryption, for example a dedicated key management system. Full disk encryption, with a passphrase entered at boot that is distinct from the login password, also removes the coupling between /etc/shadow and the disk key, and it keeps /etc/shadow itself encrypted at rest.
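As an added example that is not part of the original guide, the following POSIX shell script ties the steps above together for one user: it generates a root-only keyfile, enrolls it in the LUKS header, proves the keyfile opens the header before pam_mount is touched, prints the matching pam_mount volume entry, and audits an existing pam_mount.conf.xml for crypt volumes still unlocked with the login password. The directory /home/.keys, the user alice, the device /dev/sdXN and the script name migrate-home-key.sh are placeholders, and fskeycipher="none" assumes a pam_mount version that accepts a raw keyfile.

```shell
#!/bin/sh
# Added example, not code from the original guide: move one user's LUKS home
# volume from login-password unlocking to a random keyfile read by pam_mount.
# Assumptions (placeholders, adjust to your system): keyfiles live under
# /home/.keys on the root filesystem, outside the volume they unlock; the
# volume is /dev/sdXN; pam_mount accepts fskeycipher="none" for a raw keyfile.
set -eu

KEYDIR=/home/.keys

# Create a 64-byte random keyfile that only root can read. umask runs in a
# subshell so it does not change the caller's umask.
make_keyfile() {
    keyfile=$1
    mkdir -p "$(dirname "$keyfile")"
    ( umask 077; head -c 64 /dev/urandom > "$keyfile" )
    chmod 400 "$keyfile"
}

# Succeed only if the keyfile is 64 bytes and not group/world readable
# (mode 0400 or 0600); pam_mount reads it as root, nobody else needs it.
check_keyfile() {
    keyfile=$1
    mode=$(stat -c '%a' "$keyfile")
    size=$(wc -c < "$keyfile" | tr -d ' ')
    [ "$mode" = 400 ] || [ "$mode" = 600 ] || { echo "$keyfile: mode $mode too open" >&2; return 1; }
    [ "$size" -eq 64 ] || { echo "$keyfile: size $size, expected 64" >&2; return 1; }
}

# Print the pam_mount.conf.xml <volume> entry that unlocks the volume with the
# keyfile instead of the login password.
volume_xml() {
    user=$1; dev=$2; keyfile=$3
    printf '<volume user="%s" fstype="crypt" path="%s" mountpoint="/home/%s" fskeypath="%s" fskeycipher="none" />\n' \
        "$user" "$dev" "$user" "$keyfile"
}

# List crypt volumes in a pam_mount.conf.xml that still rely on the login
# password: <volume ... fstype="crypt" ...> entries with no fskeypath.
# Assumes one volume element per line.
password_unlocked_volumes() {
    grep -E '<volume[^>]*fstype="crypt"' "$1" | grep -v 'fskeypath=' || true
}

# Full migration for one user. Must run as root. Does NOT remove the password
# key slot; do that with "cryptsetup luksRemoveKey" once keyfile login works.
migrate_user() {
    user=$1; dev=$2
    keyfile="$KEYDIR/$user.key"
    make_keyfile "$keyfile"
    check_keyfile "$keyfile"
    # luksAddKey prompts once for an existing passphrase (the user's current
    # login password) and stores the keyfile in a free key slot.
    cryptsetup luksAddKey "$dev" "$keyfile"
    # Prove the keyfile opens the header before touching pam_mount.
    cryptsetup open --test-passphrase --key-file "$keyfile" "$dev"
    echo "Add inside <pam_mount> in /etc/security/pam_mount.conf.xml:"
    volume_xml "$user" "$dev" "$keyfile"
    echo "Volumes still unlocked with the login password:"
    password_unlocked_volumes /etc/security/pam_mount.conf.xml
}

# Usage (as root, script saved as migrate-home-key.sh):
#   sh migrate-home-key.sh migrate alice /dev/sdXN
case "${1:-}" in
    migrate) migrate_user "$2" "$3" ;;
esac
```

The script deliberately stops short of `cryptsetup luksRemoveKey`: remove the password slot by hand only after a real SDDM login has mounted the home directory with the keyfile, and only with a LUKS header backup in a safe place, because at that point the keyfile becomes the sole way into the volume.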

