Fincer
/
pam_usb
mirror of https://github.com/Fincer/pam_usb
1
0
Fork 0
Code Issues 0 Releases 4 Wiki Activity
Hardware authentication for Linux using ordinary USB Flash Drives.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
67 Commits
1 Branch
6.0 MiB
Tree: 169ff1d102
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '169ff1d102'
${ noResults }
pam_usb/doc/INSTALLATION

203 lines
6.3 KiB
Raw Normal View History

Added the documentation to the SVN
18 years ago
Documentation update
18 years ago
Added the documentation to the SVN
18 years ago
Documentation update
18 years ago
Added the documentation to the SVN
18 years ago
 
  1. ====== Installation ======
  2. 

  3. Before going ahead, be sure to follow the upgrading instructions if you're using
  4. an older version of pamusb.
  5. 

  6. ===== Requirements =====
  7. * Requirements for pam_usb and pusb_check:
  8.   * libpam
  9.   * libhal-storage
  10.   * libxml2
  11. 

  12. * Requirements for pusb_hotplug and pusb_adm:
  13.   * python2.4
  14.   * python-celementtree
  15.   * python-dbus
  16.   * python-gobject
  17. 

  18. ===== Installing from sources =====
  19. * Step 1: Download the latest release
  20. * Step 2: Unpack the distribution tarball
  21. 

  22. $ tar -zxvf pam_usb-<version>.tar.gz
  23. $ cd pam_usb-<version>
  24. 

  25. * Step 3: Compile and install
  26. 

  27. $ make
  28. # make install
  29. 

  30. ====== Configuring ======
  31. 

  32. ===== Devices and Users =====
  33. 

  34. * Copy the default configuration file to /etc/pusb/pusb.conf:
  35. 

  36. cp /etc/pusb/pusb.conf-dist /etc/pusb/pusb.conf
  37. 

  38. * Once you've connected your USB device to the computer, use pusb_adm to add it
  39. to the configuration file:
  40. 

  41. # pusb_adm --add-device MyDevice
  42. Name            : MyDevice
  43. Vendor          : SanDisk Corp.
  44. Model           : Cruzer Titanium
  45. Serial          : SNDKXXXXXXXXXXXXXXXX
  46. Volume UUID     : 6F6B-42FC (/dev/sda1)
  47. Save device to /etc/pusb/pusb.conf ?
  48. [y/n] y
  49. Done.
  50. 

  51. Note that MyDevice can be any arbitrary name you'd like.
  52. If more devices are connected, pusb_adm will ask you which device you want to
  53. use.
  54. 

  55. * Edit your /etc/pusb/pusb.conf config file to add the users:
  56. <users>
  57.   <user id="root">
  58.     <device>MyDevice</device>
  59.   </user>
  60. 

  61.   <user id="scox">
  62.     <device>MyDevice</device>
  63.   </user>
  64. </users>
  65. 

  66. * In order to test if everything went fine, we're gonna use the pusb_check tool
  67. which will simulate an authentication event.
  68. 

  69. # pusb_check -a -u root -s su
  70. * Authentication request for user "root" (su)
  71. * Device "MyDevice" is connected (good).
  72. * Performing one time pad verification...
  73. * Verification match, updating one time pads...
  74. * Access granted.
  75. 

  76. ===== PAM Module =====
  77. 

  78. The PAM module pam_usb.so is used to let applications authenticate you using
  79. your USB device instead of asking your password. The default password-based
  80. authentication will be used as fallback if the device authentication goes wrong.
  81. 

  82. You don't need to setup the hotplugging feature as pam_usb.so and pusb_hotplug
  83. are independent of each other.
  84. 

  85. * Depending on the operating system you're using, you have to tell PAM to use
  86. pam_usb.so as default authentication method.  There should be a file named
  87. either common-auth (Gentoo) under /etc/pam.d/. If you do NOT have neither of
  88. those files, you'll have to edit each pam.d service file you want to use (e.g.
  89. /etc/pam.d/su, /etc/pam.d/gdm and so on).
  90. 

  91. * Locate the following line on /etc/pam.d/common-auth or /etc/pam.d/system-auth:
  92. 

  93. auth    required        pam_unix.so nullok_secure
  94. 

  95. * And change it to look something like that:
  96. 

  97. auth    sufficient      pam_usb.so
  98. auth    required        pam_unix.so nullok_secure
  99. 

  100. * You should now be able to authenticate the users configured in pusb.conf using
  101. your USB device:
  102. 

  103. scox $ su
  104. * pam_usb v.SVN
  105. * Authentication request for user "root" (su)
  106. * Device "MyDevice" is connected (good).
  107. * Performing one time pad verification...
  108. * Verification match, updating one time pads...
  109. * Access granted.
  110. 

  111. * Try to authenticate to a different application. pam_usb.so should work with
  112. any application using xscreensaver and many more).
  113. 

  114. ===== Hotplug =====
  115. 

  116. Hotplugging is a feature provided by pusb_hotplug that allows you to
  117. automatically execute commands upon locking and unlocking events. Those events
  118. are generated when you insert or remove your authentication device.
  119. 

  120. For instance, you could automatically start your screensaver as soon as you
  121. remove the device, and deactivate it when you plug the device back:
  122. 

  123. <user id="scox">
  124.   <device>MyDevice</device>
  125.   <hotplug event="lock">gnome-screensaver-command --lock</hotplug>
  126.   <hotplug event="unlock">gnome-screensaver-command --deactivate</hotplug>
  127. </user>
  128. 

  129. Replace gnome-screensaver-command --lock and gnome-screensaver-command --unlock
  130. with any command you want to execute. You can also execute more commands by
  131. adding extra <hotplug> entries.
  132. 

  133. 

  134. $ pusb_hotplug
  135. pusb_hotplug[18329]: pusb_hotplug up and running.
  136. pusb_hotplug[18329]: Watching device "MyDevice" for user "scox"
  137. pusb_hotplug[18329]: Device "MyDevice" has been removed, locking down user
  138. "scox"...
  139. pusb_hotplug[18329]: Running "gnome-screensaver-command --lock"
  140. pusb_hotplug[18329]: Locked.
  141. pusb_hotplug[18329]: Device "MyDevice" has been inserted. Performing
  142. verification...
  143. pusb_hotplug[18329]: Executing "/usr/bin/pusb_check -q -c /etc/pusb/pusb.conf -u
  144. scox -s pusb_hotplug -a"
  145. pusb_hotplug[18329]: Authentication succeeded. Unlocking user "scox"...
  146. pusb_hotplug[18329]: Running "gnome-screensaver-command --deactivate"
  147. pusb_hotplug[18329]: Unlocked.
  148. 

  149. Depending on your desktop environment, you have to add pusb_hotplug to the list
  150. of autostarted applications so it will be started automatically.
  151. For instance, with GNOME:
  152. 

  153. - Open System -> Preferences -> Sessions
  154. - Select Startup Programs and press Add
  155. - Enter pusb_hotplug and press OK
  156. - Press Close
  157. 

  158. ====== Troubleshooting ======
  159. 

  160. ===== Log Analysis =====
  161. 

  162. Both pam_usb.so and pusb_hotplug use the syslog facility to log authentication
  163. attempts.
  164. This can be useful for GUI-driven applications (for instance GDM) where you
  165. don't get to see console output.
  166. Messages are logged with the AUTH facility, they are usually written to
  167. /var/log/auth.log but may vary
  168. depending on the operating system you're using.
  169. 

  170. # tail -f /var/log/auth.log
  171. pusb_hotplug[25429]: Device "sandisk" has been inserted. Performing
  172. verification...
  173. pusb_hotplug[25429]: Executing "/usr/bin/pusb_check -q -c /etc/pusb/pusb.conf -u
  174. scox -s pusb_hotplug -a"
  175. pam_usb[25485]: Authentication request for user "scox" (pusb_hotplug)
  176. pam_usb[25485]: Device "sandisk" is connected (good).
  177. pam_usb[25485]: Access granted.
  178. pusb_hotplug[25429]: Authentication succeeded. Unlocking user "scox"...
  179. pusb_hotplug[25429]: Unlocked.
  180. 

  181. ===== Enabling debug =====
  182. 

  183. Enabling debug messages may help you find out what's wrong.
  184. 

  185. To enable them, edit /etc/pusb/pusb.conf and set the following option:
  186. <defaults>
  187.   <option name="debug">true</option>
  188. </defaults>
  189. 

  190. If you wish, you could enable debug messages only for a specific user, device or
  191. service.
  192. For instance, if you want to enable debug messages only for the sudo service,
  193. you could do the following:
  194. 

  195. <services>
  196.   <service id="sudo">
  197.     <option name="debug">true</option>
  198.   </service>
  199. </services>
  200. 

  201. ====== It works - What next ? ======
  202. 

  203. * Have a look at the configuration documentation