diff --git a/man/pam_systemd.xml b/man/pam_systemd.xml
index 470c1a4c42..694371c2c4 100644
--- a/man/pam_systemd.xml
+++ b/man/pam_systemd.xml
@@ -32,6 +32,10 @@
systemd-logind.service8,
and hence the systemd control group hierarchy.
+ The module also applies various resource management and runtime parameters to the new session, as
+ configured in the JSON User Record of the user, when
+ one is defined.
+
On login, this module — in conjunction with systemd-logind.service — ensures the
following:
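Review bot: The added sentence refers to "various resource management and runtime parameters" without naming them, and it writes "JSON User Record" capitalised while the later additions in this patch use "JSON user record" and "JSON record". Suggest either naming the parameters here or pointing to the list added under the login steps (environment variables, umask, nice level, resource limits), and using one spelling of the term throughout the page.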
@@ -48,7 +52,12 @@
A new systemd scope unit is created for the session. If this is the first concurrent session of
the user, an implicit per-user slice unit below user.slice is automatically created and the
scope placed into it. An instance of the system service user@.service, which runs the
- systemd user manager instance, is started.
+ systemd user manager instance, is started.
+
+ The $TZ, $EMAIL and $LANG
+ environment variables are configured for the user, based on the respective data from the user's JSON
+ record (if it is defined). Moreover, any environment variables explicitly configured in the user record
+ are imported, and the umask, nice level, and resource limits initialized.
On logout, this module ensures the following:
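Review bot: In the added paragraph, "any environment variables explicitly configured in the user record are imported" does not say how these interact with variables already placed in the PAM environment by earlier modules, or whether any variable names are filtered. Because the record can set arbitrary variables for the session, the page should state the precedence and any restrictions that apply. Also, "and resource limits initialized" is missing "are".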
@@ -172,6 +181,15 @@
is not set if the current user is not the original user of the session.
+
+ $TZ
+ $EMAIL
+ $LANG
+
+ If a JSON user record is known for the user logging in these variables are
+ initialized from the respective data in the record.
+
+
The following environment variables are read by the module and may be used by the PAM service to pass
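Review bot: The new $TZ/$EMAIL/$LANG entry does not name the user record fields each variable is taken from, and does not say what happens when a variable is already set in the PAM environment; an administrator auditing a session's environment needs both. A comma is also missing after "logging in".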
@@ -286,14 +304,23 @@ pam_set_data(handle, "systemd.runtime_max_sec", (void *)"3600", cleanup);
Example
+ Here's an example PAM configuration fragment that allows users sessions to be managed by
+ systemd-logind.service:
+
#%PAM-1.0
-auth required pam_unix.so
-auth required pam_nologin.so
-account required pam_unix.so
-password required pam_unix.so
-session required pam_unix.so
-session required pam_loginuid.so
-session required pam_systemd.so
+auth sufficient pam_unix.so
+auth required pam_deny.so
+
+account required pam_nologin.so
+account sufficient pam_unix.so
+account required pam_permit.so
+
+password sufficient pam_unix.so sha512 shadow try_first_pass try_authtok
+password required pam_deny.so
+
+-session optional pam_loginuid.so
+-session optional pam_systemd.so
+session required pam_unix.so
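Review bot: In the new account stack, "account sufficient pam_unix.so" followed by "account required pam_permit.so" means a pam_unix account failure (for example an expired account) is ignored and pam_permit then returns success, so the fragment as written no longer enforces the pam_unix account checks that the old "account required pam_unix.so" line did. Either keep pam_unix required in this example or explain in the text why the fall-through is intended. The session lines also change pam_systemd.so from required to "-session optional", so a failing module no longer blocks the login and a missing one is not logged; the introductory sentence should say so. Typo in that sentence: "users sessions" should be "user sessions".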
@@ -303,6 +330,7 @@ session required pam_systemd.so
systemd-logind.service8,
logind.conf5,
loginctl1,
+ pam_systemd_home8,
pam.conf5,
pam.d5,
pam8,