Gentoo Wiki

Pam_usb





Introduction

pam_usb provides hardware authentication for Linux using ordinary USB flash drives. It can be used to simplify logins (by not requiring a password) and to make 'su' more convenient, or to add another factor to the login process by requiring the pre-authorized USB drive in addition to the account password.

Installation

This guide uses the latest unstable version of pam_usb, 0.4.2. The 0.4.* versions of pam_usb are keyworded ~arch (testing), so you need to accept that keyword before emerging the package.

# echo "sys-auth/pam_usb" >> /etc/portage/package.keywords
# emerge -av "sys-auth/pam_usb"

Configuration

Warning: Using pam_usb is known to break kdesu. You should unplug any pam_usb enabled devices when you want to use kdesu.

Adding USB Devices

Connect your USB stick to the PC and type:

# pamusb-conf --add-device=MyDevice
Please select the device you wish to add.
* Using " USB Flash Memory (0930_USB_Flash_Memory_07652723938-0:0)" (only option)

Which volume would you like to use for storing data ?
* Using "/dev/sdc1 (UUID: e5ff07ac-a517-4dae-9468-d9d0b309ee62)" (only option)

Name            : MyDevice
Vendor          : Unknown
Model           : USB Flash Memory
Serial          : 0930_USB_Flash_Memory_07652723938-0:0
UUID            : e5ff07ac-a517-4dae-9468-d9d0b309ee62

Save to /etc/pamusb.conf ?
[Y/n]y
Done.

You need to perform this step for every device you want to use for authentication.

Adding Users

After adding devices you should add the user information. The users should also be added to the plugdev group so that the USB device can be mounted. If you have added more than one device, you can select the individual device to be used here. Associate only one device per user; several users may share the same device.

 # pamusb-conf --add-user michael_d      
 Which device would you like to use for authentication ?
 * Using "MyDevice" (only option)
 User            : michael_d
 Device          : MyDevice
 Save to /etc/pamusb.conf ?
 [Y/n] y
 Done.

If you associate a user with two devices, neither of them will work. If this happens, edit /etc/pamusb.conf and remove all but one of the duplicate user sections. Bear in mind that if the USB device associated with the root account is lost, whoever finds it can log in as root until that device is removed from /etc/pamusb.conf, so treat the device with the same care as the root password.
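As an added example (not part of pam_usb or this howto), the following Python script checks /etc/pamusb.conf for the two problems just described: a user listed in more than one user section, and a user bound to a device that was never added. It also flags a device bound to root. It assumes the XML layout that pamusb-conf 0.4.x writes (a configuration element containing devices/device and users/user sections, each user holding a device element naming the device id); the sample configuration embedded in the script is constructed for the demonstration and reuses the device from the transcript above.

```python
"""Lint a pamusb.conf for duplicate users, unknown devices and a root binding.

Added example for this article, not part of pam_usb. Assumed layout (as
written by pamusb-conf 0.4.x):

  <configuration>
    <devices><device id="NAME">...<volume_uuid>..</volume_uuid></device></devices>
    <users><user id="LOGIN"><device>NAME</device></user></users>
  </configuration>
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: michael_d was added twice (pamusb-conf --add-user run
# twice), jonathan refers to a device that was never added, root is bound
# to the flash drive.
SAMPLE_CONF = """\
<configuration>
  <defaults>
  </defaults>
  <devices>
    <device id="MyDevice">
      <vendor>Unknown</vendor>
      <model>USB Flash Memory</model>
      <serial>0930_USB_Flash_Memory_07652723938-0:0</serial>
      <volume_uuid>e5ff07ac-a517-4dae-9468-d9d0b309ee62</volume_uuid>
    </device>
  </devices>
  <users>
    <user id="michael_d">
      <device>MyDevice</device>
    </user>
    <user id="michael_d">
      <device>MyDevice</device>
    </user>
    <user id="jonathan">
      <device>512MbPendrive</device>
    </user>
    <user id="root">
      <device>MyDevice</device>
    </user>
  </users>
  <services>
  </services>
</configuration>
"""


def lint_pamusb_conf(xml_text):
    """Return a list of (problem, detail) tuples found in the configuration."""
    root = ET.fromstring(xml_text)
    devices = {d.get("id") for d in root.findall("./devices/device")}
    users = root.findall("./users/user")
    findings = []

    # A user id appearing in more than one <user> section stops both
    # bindings from working, as the article warns.
    counts = Counter(u.get("id") for u in users)
    for uid, n in sorted(counts.items()):
        if n > 1:
            findings.append(("duplicate-user", uid))

    # A <user> pointing at a device id that no <device> section defines.
    for u in users:
        dev = u.findtext("device")
        if dev not in devices:
            findings.append(("unknown-device", "%s -> %s" % (u.get("id"), dev)))

    # A lost device bound to root is a root key until the entry is removed.
    if "root" in counts:
        findings.append(("root-bound", "root"))
    return findings


def dedupe_users(xml_text):
    """Keep only the first <user> section per user id and return the new XML.

    This is the fix the article prescribes for identical duplicate sections;
    if the duplicates name different devices, pick the one to keep by hand.
    """
    root = ET.fromstring(xml_text)
    users = root.find("./users")
    seen = set()
    for u in list(users):
        uid = u.get("id")
        if uid in seen:
            users.remove(u)
        seen.add(uid)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for problem, detail in lint_pamusb_conf(SAMPLE_CONF):
        print("%-15s %s" % (problem, detail))
```

Run it against the real file with `lint_pamusb_conf(open("/etc/pamusb.conf").read())`; the dedupe helper only returns the cleaned XML, so review its output before writing it back over the configuration.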

PAM configuration

Now you can use pam_usb for authentication through PAM. Here is an example for su.

# cat /etc/pam.d/su|grep -v "#"

auth       sufficient           pam_rootok.so
auth       sufficient           pam_usb.so
auth       required             pam_wheel.so use_uid

auth       include              system-auth

account    include              system-auth

password   include              system-auth

session    include              system-auth
session    required             pam_env.so
session    optional             pam_xauth.so

Now the user can switch to the root account without a password if the appropriate device is connected. Note that a 'sufficient' module that succeeds makes PAM return success immediately, so with the order above pam_wheel.so is never consulted while the device is plugged in: a user outside the wheel group can still become root with the device. If the wheel restriction should still apply, put the pam_wheel.so line above the pam_usb.so line.

To enable passwordless system logins instead, add the following line to /etc/pam.d/system-auth, above the pam_unix.so line (a 'sufficient' module only short-circuits the modules listed after it; placed below pam_unix.so it would be reached only after the password prompt).

auth       sufficient           pam_usb.so

Most programs that request the account password and use PAM for authentication, for example 'su' or a login via the console or GDM/KDM, will allow access using only the usb device, usually by pressing return once or twice. As kdesu will break when the usb device is plugged in, you should remove it before entering a password in the kdesu dialog.

Additional Security

If you want to use pam_usb to make system logins more secure, by requiring a correct usb device and the account password:

  1. Add the required devices as above
  2. Add the user information as above
  3. Add the following line to /etc/pam.d/system-auth
auth       required     pam_usb.so

The system will now require the USB device associated with the user's account to be present whenever a password is required. Because the line is 'required' rather than 'requisite', PAM still runs the rest of the stack and prompts for the password even when the device is absent; the failure is only reported once the stack has finished.

Note: This will break kdesu. An alternative is to open a terminal emulator like konsole, use 'su' to change to the desired user, then start the program from the terminal.
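The two ordering mistakes discussed in this section (a 'sufficient' pam_usb.so placed ahead of pam_wheel.so in su's stack, and pam_usb.so placed after pam_unix.so in system-auth) can be caught by reading the pam.d file back. The following script is an added example, not part of pam_usb or of Linux-PAM; it parses the plain "type control module [args]" line form and applies the standard PAM control semantics (a sufficient module that succeeds ends evaluation of the stack). The sample stacks it embeds are constructed: the su stack from this article, a reordered copy, and a minimal system-auth fragment.

```python
"""Check where pam_usb.so sits in a PAM auth stack.

Added example for this article; not part of pam_usb or of Linux-PAM.
Handles the plain "type control module [args]" form of /etc/pam.d files
(bracketed [value=action] controls are parsed as one token; "include"
lines are kept as entries, not expanded) and reports two mistakes:

  * a 'sufficient' pam_usb.so before pam_wheel.so in su's auth stack:
    with the device present PAM returns success at once and pam_wheel.so
    never runs, so the wheel-group restriction is lost;
  * pam_usb.so after pam_unix.so in system-auth: pam_unix.so prompts for
    the password before the device is ever consulted.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "type control module args")

_LINE = re.compile(
    r"^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed samples (see lead-in).
SU_STACK = """
auth       sufficient           pam_rootok.so
auth       sufficient           pam_usb.so
auth       required             pam_wheel.so use_uid
auth       include              system-auth
account    include              system-auth
"""

SU_STACK_FIXED = """
auth       sufficient           pam_rootok.so
auth       required             pam_wheel.so use_uid
auth       sufficient           pam_usb.so
auth       include              system-auth
"""

SYSTEM_AUTH_BAD = """
auth       required             pam_env.so
auth       required             pam_unix.so try_first_pass nullok
auth       sufficient           pam_usb.so
"""


def parse_pam_stack(text):
    """Parse pam.d lines into Entry tuples, dropping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparsable PAM line: %r" % raw)
        typ, control, module, args = m.groups()
        entries.append(Entry(typ, control.lower(), module, args.split()))
    return entries


def auth_entries(entries):
    return [e for e in entries if e.type == "auth"]


def skipped_when_device_present(entries):
    """Module names after the first 'sufficient' pam_usb.so in the auth stack.

    Linux-PAM returns success to the application as soon as a sufficient
    module succeeds (provided no earlier required module failed), so these
    entries are never evaluated while the token is plugged in.
    """
    auth = auth_entries(entries)
    for i, e in enumerate(auth):
        if e.module == "pam_usb.so" and e.control == "sufficient":
            return [x.module for x in auth[i + 1:]]
    return []


def wheel_bypassed(entries):
    """True if a present device lets su skip the pam_wheel.so check."""
    return "pam_wheel.so" in skipped_when_device_present(entries)


def usb_after_password(entries):
    """True if pam_unix.so precedes pam_usb.so in the auth stack, so the
    password prompt fires before pam_usb.so can satisfy the stack."""
    order = [e.module for e in auth_entries(entries)]
    if "pam_usb.so" not in order or "pam_unix.so" not in order:
        return False
    return order.index("pam_unix.so") < order.index("pam_usb.so")


if __name__ == "__main__":
    for name, text in (("su", SU_STACK), ("su (reordered)", SU_STACK_FIXED),
                       ("system-auth", SYSTEM_AUTH_BAD)):
        stack = parse_pam_stack(text)
        print("%-15s wheel bypassed: %-5s  usb after password: %s" %
              (name, wheel_bypassed(stack), usb_after_password(stack)))
```

On a real system feed it the contents of /etc/pam.d/su and /etc/pam.d/system-auth; an 'include' shows up as an ordinary entry, so check the included file separately rather than expecting the script to follow it.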

Success

If all goes well, using pam_usb to 'su' to another user should look like this:

guest@maxdata ~ $ su - jonathan
* pam_usb v0.4.2
* Authentication request for user "jonathan" (su)
* Device "512MbPendrive" is connected (good).
* Performing one time pad verification...
* Access granted.
jonathan@maxdata ~ $

If the usb device is missing, you will be prompted for the account password instead.

guest@maxdata ~ $ su - jonathan
* pam_usb v0.4.2
* Authentication request for user "jonathan" (su)
* Device "512MbPendrive" is not connected.
* Access denied.
Password:
jonathan@maxdata ~ $

Links

This howto is loosely based on the official pam_usb quickstart guide.

Retrieved from "http://www.gentoo-wiki.info/Pam_usb"

Last modified: Mon, 08 Sep 2008 19:36:00 +0000