Fincer
/
pam_usb
mirror of https://github.com/Fincer/pam_usb
1
0
Fork 0
Code Issues 0 Releases 4 Wiki Activity
Hardware authentication for Linux using ordinary USB Flash Drives.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
204 Commits
1 Branch
910 KiB
Tree: 4387431339
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4387431339'
${ noResults }
pam_usb/README.md

247 lines
8.2 KiB
Raw Normal View History

Update README.md
12 years ago
Fix markdown escaping
13 years ago
Added README file
13 years ago
Update README.md
12 years ago
Added README file
13 years ago
Merged QUICKSTART into README
12 years ago
Update README.md
12 years ago
Merged QUICKSTART into README
12 years ago
Update README.md
12 years ago
Merged QUICKSTART into README
12 years ago
README: Link to the configuration reference
12 years ago
Merged QUICKSTART into README
12 years ago
Update README.md
12 years ago
Merged QUICKSTART into README
12 years ago
Update README.md
12 years ago
 
  1. pam\_usb
  2. ========
  3. 

  4. pam\_usb provides hardware authentication for Linux using ordinary USB Flash Drives.
  5. 

  6. It works with any application supporting PAM, such as _su_ and login managers (_GDM_, _KDM_).
  7. 

  8. Features
  9. --------
  10. 

  11. * `Password-less authentication.` Use your USB stick for authentication, don't type passwords anymore.
  12. * `Device auto probing.` You don't need to mount the device, or even to configure the device location (_sda1_, _sdb1_, etc). pam\_usb.so will automatically locate the device using _HAL_ and access its data by itself.
  13. * `Two-factor authentication.` Achieve greater security by requiring both the USB stick and the password to authenticate the user.
  14. * `Non-intrusive.` pam\_usb doesn't require any modifications of the USB storage device to work (no additional partitions required).
  15. * USB Serial number, model and vendor verification.
  16. * Support for **One Time Pads** authentication.
  17. * You can use the same device accross multiple machines.
  18. * Support for all kind of removable devices (SD, MMC, etc).
  19. 

  20. Tools
  21. -----
  22. * `pamusb-agent`: trigger actions (such as locking the screen) upon device authentication and removal.
  23. * `pamusb-conf`: configuration helper.
  24. * `pamusb-check`: integrate pam\_usb's authentication engine within your scripts or applications.
  25. 

  26. Installing
  27. ==========
  28. 

  29. pam_usb is included in most Linux distributions out there.
  30. 

  31. If you happen to run Ubuntu or Debian, run:
  32. 

  33.     # apt-get install libpam-usb pamusb-tools
  34. 

  35. Compiling from source
  36. ---------------------
  37. 

  38. Before proceeding, make sure all dependencies are installed: libxml2, pam, udisks and pmount are installed
  39. 

  40.     $ make
  41.     # make install
  42. 

  43. Configuring
  44. ===========
  45. 

  46. By default, pam_usb will read its configuration from `/etc/pamusb.conf`
  47. 

  48. For most operations, you can use ``pamusb-conf`` which will take care of generating the configuration for you.
  49. 

  50. Setting up Devices and Users
  51. ----------------------------
  52. 

  53. Once you've connected your USB device to the computer, use pamusb-conf to add it to the configuration file:
  54. 

  55.     # pamusb-conf --add-device MyDevice
  56.     Please select the device you wish to add.
  57.     * Using "SanDisk Corp. Cruzer Titanium (SNDKXXXXXXXXXXXXXXXX)" (only option)
  58.     Which volume would you like to use for storing data ?
  59.     * Using "/dev/sda1 (UUID: <6F6B-42FC>)" (only option)
  60.     Name            : MyDevice
  61.     Vendor          : SanDisk Corp.
  62.     Model           : Cruzer Titanium
  63.     Serial          : SNDKXXXXXXXXXXXXXXXX
  64.     Volume UUID     : 6F6B-42FC (/dev/sda1)
  65.     Save to /etc/pamusb.conf ?
  66.     [Y/n] y
  67.     Done.
  68. 

  69. Note that `MyDevice` can be any arbitrary name you'd like. Also, you can add as many devices as you want.
  70. 

  71. Next, configure users you want to be able to authenticate with pam_usb:
  72. 

  73.     # pamusb-conf --add-user root      
  74.     Which device would you like to use for authentication ?
  75.     * Using "MyDevice" (only option)
  76.     User            : root
  77.     Device          : MyDevice
  78.     Save to /etc/pamusb.conf ?
  79.     [Y/n] y
  80.     Done.
  81. 

  82. Check the configuration
  83. -----------------------
  84. 

  85. You can run `pamusb-check` anytime to check if everything is correctly worked.
  86. This tool will simulate an authentication request (requires your device to be connected, otherwise it will fail).
  87. 

  88.     # pamusb-check root
  89.     * Authentication request for user "root" (pamusb-check)
  90.     * Device "MyDevice" is connected (good).
  91.     * Performing one time pad verification...
  92.     * Verification match, updating one time pads...
  93.     * Access granted.
  94. 

  95. 

  96. Setting up the PAM module
  97. -------------------------
  98. 

  99. To add pam_usb into the system authentication process, we need to edit `/etc/pam.d/common-auth`
  100.     
  101.     NOTE: If you are using RedHat or Fedora this file can be known as /etc/pam/system-auth.
  102. 

  103. Your default PAM common-auth configuration should include the following line:
  104. 

  105.     auth    required        pam_unix.so nullok_secure
  106. 

  107. This is a current standard which uses passwords to authenticate a user.
  108. 

  109. Alter your /etc/pam.d/common-auth configuration to:
  110. 

  111.     auth    sufficient      pam_usb.so
  112.     auth    required        pam_unix.so nullok_secure
  113. 

  114. The `suffient` keyword means that if pam_usb allows the authentication, then no password will be asked.
  115. If the authentication fails, then the default password-based authentication will be used as fallback.
  116. 

  117. If you change it to `required`, it means that *both* the USB flash drive and the password will be required to grant
  118. access to the system.
  119. 

  120. At this point, you should be able to authenticate with the relevant USB device plugged-in.
  121. 

  122.     scox $ su
  123.     * pam_usb v.SVN
  124.     * Authentication request for user "root" (su)
  125.     * Device "MyDevice" is connected (good).
  126.     * Performing one time pad verification...
  127.     * Verification match, updating one time pads...
  128.     * Access granted.
  129. 

  130. Agent
  131. -----
  132. 

  133. The pam_usb agent (pamusb-agent) allows you to automatically execute commands
  134. upon locking and unlocking events. Those events are generated when you insert or
  135. remove your authentication device.
  136. To configure the commands, you have to edit pam_usb's configuration file
  137. (/etc/pamusb.conf) and add agent entries into your user section.
  138. 

  139. For instance, you could automatically start your screensaver as soon as you
  140. remove the device, and deactivate it when you plug the device back.
  141. 

  142. GNOME (gnome-screensaver):
  143. 

  144. ```xml
  145. <user id="scox">
  146.   <device>MyDevice</device>
  147.   <agent event="lock">gnome-screensaver-command --lock</agent>
  148.   <agent event="unlock">gnome-screensaver-command --deactivate</agent>
  149. </user>
  150. ```
  151. 

  152. KDE (kscreensaver):
  153. 

  154. ```xml
  155. <user id="scox">
  156.   <device>MyDevice</device>
  157.   <agent event="lock">dcop kdesktop KScreensaverIface lock</agent>
  158.   <agent event="unlock">dcop kdesktop KScreensaverIface quit</agent>
  159. </user>
  160. ```
  161. 

  162. You can execute more commands by adding extra `<agent>` entries.
  163. 

  164.     $ pamusb-agent
  165.     pamusb-agent[18329]: pamusb-agent up and running.
  166.     pamusb-agent[18329]: Watching device "MyDevice" for user "scox"
  167.     pamusb-agent[18329]: Device "MyDevice" has been removed, locking down user
  168.     "scox"...
  169.     pamusb-agent[18329]: Running "gnome-screensaver-command --lock"
  170.     pamusb-agent[18329]: Locked.
  171.     pamusb-agent[18329]: Device "MyDevice" has been inserted. Performing
  172.     verification...
  173.     pamusb-agent[18329]: Executing "/usr/bin/pamusb-check --quiet
  174.     --config=/etc/pamusb.conf --service=pamusb-agent scox"
  175.     pamusb-agent[18329]: Authentication succeeded. Unlocking user "scox"...
  176.     pamusb-agent[18329]: Running "gnome-screensaver-command --deactivate"
  177.     pamusb-agent[18329]: Unlocked.
  178. 

  179. Depending on your desktop environment, you have to add pamusb-agent to the list
  180. of autostarted applications so it will be started automatically.
  181. 

  182. GNOME:
  183. 

  184. - Open System -> Preferences -> Sessions
  185. - Select Startup Programs and press Add
  186. - Enter pamusb-agent and press OK
  187. - Press Close
  188. 

  189. KDE:
  190. 

  191.     cd ~/.kde/Autostart
  192.     ln -s /usr/bin/pamusb-agent pamusb-agent
  193. 

  194. Configuration Reference
  195. -----------------------
  196. 

  197. There are many more options available to fine tune pam_usb.
  198. 

  199. Check out the [configuration reference](doc/CONFIGURATION.md).
  200. 

  201. Troubleshooting
  202. ===============
  203. 

  204. Log Analysis
  205. ------------
  206. 

  207. Both pam_usb.so and pamusb-agent use the syslog facility to log authentication
  208. attempts.
  209. This can be useful for GUI-driven applications (for instance GDM) where you
  210. don't get to see console output.
  211. Messages are logged with the AUTH facility, they are usually written to
  212. `/var/log/auth.log` but may vary
  213. depending on the operating system you're using.
  214. 

  215.     # tail -f /var/log/auth.log
  216.     pamusb-agent[25429]: Device "sandisk" has been inserted. Performing
  217.     verification...
  218.     pamusb-agent[25429]: Executing "/usr/bin/pamusb-check --quiet
  219.     --config=/etc/pamusb.conf --service=pamusb-agent scox"
  220.     pam_usb[25485]: Authentication request for user "scox" (pamusb-agent)
  221.     pam_usb[25485]: Device "sandisk" is connected (good).
  222.     pam_usb[25485]: Access granted.
  223.     pamusb-agent[25429]: Authentication succeeded. Unlocking user "scox"...
  224.     pamusb-agent[25429]: Unlocked.
  225. 

  226. 

  227. Enabling debug
  228. --------------
  229. 

  230. Enabling debug messages may help you find out what's wrong.
  231. 

  232. To enable them, edit `/etc/pamusb.conf` and set the following option:
  233. 

  234. ```xml
  235. <defaults>
  236.   <option name="debug">true</option>
  237. </defaults>
  238. ```
  239. You can enable debug messages only for a specific user, device or service.
  240. 

  241. ```xml
  242. <services>
  243.   <service id="sudo">
  244.     <option name="debug">true</option>
  245.   </service>
  246. </services>
  247. ```