pam: implement a zfs_key pam module

Implements a pam module for automatically loading zfs encryption keys 
for home datasets. The pam module:

  - loads a zfs key and mounts the dataset when a session opens.
  - unmounts the dataset and unloads the key when the session closes.
  - when the user is logged on and changes the password, the module
    changes the encryption key.

Reviewed-by: Richard Laager <[email protected]>
Reviewed-by: @jengelh <[email protected]>
Reviewed-by: Ryan Moeller <[email protected]>
Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: Felix Dörre <[email protected]>
Closes #9886
Closes #9903 

1 files changed, 13 insertions, 1 deletions

diff --git a/rpm/generic/zfs.spec.in b/rpm/generic/zfs.spec.in
index 704afd781..e972a10ee 100644
--- a/rpm/generic/zfs.spec.in
+++ b/rpm/generic/zfs.spec.in
@@ -52,6 +52,7 @@
 %bcond_with    debuginfo
 %bcond_with    asan
 %bcond_with    systemd
+%bcond_with    pam
 
 # Generic enable switch for systemd
 %if %{with systemd}
@@ -329,6 +330,12 @@ image which is ZFS aware.
     %define pyzfs --disable-pyzfs
 %endif
 
+%if %{with pam}
+    %define pam --enable-pam
+%else
+    %define pam --disable-pam
+%endif
+
 %setup -q
 
 %build
@@ -342,7 +349,8 @@ image which is ZFS aware.
     %{debug} \
     %{debuginfo} \
     %{asan} \
-    %{systemd}\
+    %{systemd} \
+    --with-pammoduledir=%{_libdir}/security %{pam} \
     %{pyzfs}
 make %{?_smp_mflags}
 
@@ -457,6 +465,10 @@ systemctl --system daemon-reload >/dev/null || true
 %config(noreplace) %{_sysconfdir}/%{name}/zpool.d/*
 %config(noreplace) %{_sysconfdir}/%{name}/vdev_id.conf.*.example
 %attr(440, root, root) %config(noreplace) %{_sysconfdir}/sudoers.d/*
+%if %{with pam}
+%{_libdir}/security/*
+%{_pamconfigsdir}/*
+%endif
 
 %files -n libzpool2
 %{_libdir}/libzpool.so.*