The pam_mktemp module securely creates a temporary file or directory (and sets an environment variable to point to it) in pam_open_session, and unlinks the file in pam_close_session.

This is useful for applications like setting XAUTHORITY to a secure temporary file in an environment where home directories are in a network filesystem. You would do this by adding:

session    optional var=XAUTHORITY prefix=/tmp/xauth

to /etc/pam.d/common-session.

You must specify the var option; the prefix option defaults to /tmp/tempfile if not specified. The argument passed to mkstemp() when creating this file will be /tmp/xauth-UID-XXXXXX, where UID is the user id for the session being opened.

pam_mktemp supports two additional options: debug (enabling debugging output) and dir (which causes pam_mktemp to create a temporary directory, rather than a temporary file). So, the pam_mktemp line session line to create a login session temporary directory might look like:

session    optional debug dir prefix=/var/tmp var=SESSION_TEMPDIR

pam_mktemp is part of the Debian-Athena distribution. You can also browse and download the source. The current release, pam_mktemp 0.1, was released on January 26, 2008. pam_mktemp is a generalization of the earlier pam_xauthority module.