diff options
| author | Lennart Poettering <lennart@poettering.net> | 2020-04-09 11:11:02 +0200 |
|---|---|---|
| committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2020-04-10 16:15:23 +0200 |
| commit | 562ffaca26f17ae051a5b14033b777b51c4937bd (patch) | |
| tree | 31afb482191e7ebd7132c76981226e11f15aab36 /man/pam_systemd_home.xml | |
| parent | 5a3033321a8f72e217653f5361373bf5ded0779f (diff) | |
| download | systemd-562ffaca26f17ae051a5b14033b777b51c4937bd.tar.gz | |
man: extend documentation of the suspend= switch of pam_systemd_home
As suggested on #15343.
Fixes: #15343
Diffstat (limited to 'man/pam_systemd_home.xml')
| -rw-r--r-- | man/pam_systemd_home.xml | 25 |
1 files changed, 23 insertions, 2 deletions
diff --git a/man/pam_systemd_home.xml b/man/pam_systemd_home.xml index 6dc1a830b6..5e3641c903 100644 --- a/man/pam_systemd_home.xml +++ b/man/pam_systemd_home.xml @@ -51,8 +51,29 @@ coming back from suspend. It is recommended to set this parameter for all PAM applications that have support for automatically re-authenticating via PAM on system resume. If multiple sessions of the same user are open in parallel the user's home directory will be left unsuspended on system suspend - as long as at least one of the sessions does not set this parameter. Defaults to - off.</para></listitem> + as long as at least one of the sessions does not set this parameter to on. Defaults to + off.</para> + + <para>Note that TTY logins generally do not support re-authentication on system resume. + Re-authentication on system resume is primarily a concept implementable in graphical environments, in + the form of lock screens brought up automatically when the system goes to sleep. This means that if a + user concurrently uses graphical login sessions that implement the required re-authentication + mechanism and console logins that do not, the home directory is not locked during suspend, due to the + logic explained above. That said, it is possible to set this field for TTY logins too, ignoring the + fact that TTY logins actually don't support the re-authentication mechanism. In that case the TTY + sessions will appear hung until the user logs in on another virtual terminal (regardless if via + another TTY session or graphically) which will resume the home directory and unblock the original TTY + session. (Do note that lack of screen locking on TTY sessions means even though the TTY session + appears hung, keypresses can still be queued into it, and the existing screen contents be read + without re-authentication; this limitation is unrelated to the home directory management + <command>pam_systemd_home</command> and <filename>systemd-homed.service</filename> implement.)</para> + + <para>Turning this option on by default is highly recommended for all sessions, but only if the + service managing these sessions correctly implements the aforementioned re-authentication. Note that + the re-authentication must take place from a component runing outside of the user's context, so that + it does not require access to the user's home directory for operation. Traditionally, most desktop + environments do not implement screen locking this way, and need to be updated + accordingly.</para></listitem> </varlistentry> <varlistentry> |