Hardware authentication for Linux using ordinary USB Flash Drives.
Configuration file reference
============================

The configuration file is formatted in XML and subdivided into 4 sections:

* Default options, shared among every device, user and service
* Devices declaration and settings
* Users declaration and settings
* Services declaration and settings

The syntax is the following:

```xml
<configuration>
  <defaults>
    <!-- default options -->
  </defaults>
  <devices>
    <!-- devices definitions -->
  </devices>
  <users>
    <!-- users definitions -->
  </users>
  <services>
    <!-- services definitions -->
  </services>
</configuration>
```
Options
-------

<table>
<tr>
<th>Name</th>
<th>Type</th>
<th>Default</th>
<th>Description</th>
</tr>
<tr>
<td>enable</td>
<td>Boolean</td>
<td>true</td>
<td>Enable pam_usb</td>
</tr>
<tr>
<td>debug</td>
<td>Boolean</td>
<td>false</td>
<td>Enable debug messages</td>
</tr>
<tr>
<td>quiet</td>
<td>Boolean</td>
<td>false</td>
<td>Quiet mode</td>
</tr>
<tr>
<td>color_log</td>
<td>Boolean</td>
<td>true</td>
<td>Enable colored output</td>
</tr>
<tr>
<td>one_time_pad</td>
<td>Boolean</td>
<td>true</td>
<td>Enable the use of one time pads</td>
</tr>
<tr>
<td>deny_remote</td>
<td>Boolean</td>
<td>true</td>
<td>Deny access from remote host (ssh)</td>
</tr>
<tr>
<td>probe_timeout</td>
<td>Time</td>
<td>10s</td>
<td>Time to wait for the volume to be detected</td>
</tr>
<tr>
<td>pad_expiration</td>
<td>Time</td>
<td>1h</td>
<td>Time between pads regeneration</td>
</tr>
<tr>
<td>hostname</td>
<td>String</td>
<td>Computer's hostname</td>
<td>Must be unique across computers using the same device</td>
</tr>
<tr>
<td>system_pad_directory</td>
<td>String</td>
<td>.pamusb</td>
<td>Relative path to the user's home used to store one time pads</td>
</tr>
<tr>
<td>device_pad_directory</td>
<td>String</td>
<td>.pamusb</td>
<td>Relative path to the device used to store one time pads</td>
</tr>
</table>
Example:

```xml
<configuration>
  <defaults>
    <!-- Disable colored output by default -->
    <option name="color_log">false</option>
    <!-- Enable debug output -->
    <option name="debug">true</option>
  </defaults>
  <users>
    <user id="root">
      <!-- Enable colored output for user "root" -->
      <option name="color_log">true</option>
    </user>
    <user id="scox">
      <!-- Disable debug output for user "scox" -->
      <option name="debug">false</option>
    </user>
  </users>
  <devices>
    <device id="mydevice">
      <!-- Wait 15 seconds instead of the default 10 seconds for "mydevice" to be detected -->
      <option name="probe_timeout">15</option>
    </device>
  </devices>
  <services>
    <service id="su">
      <!-- Disable pam_usb for "su" ("su" will ask for a password as usual) -->
      <option name="enable">false</option>
    </service>
  </services>
</configuration>
```
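The example above only makes sense once you know which scope wins when the same option is set in several places. The following resolver is an added illustration, not pam_usb's own code: it parses a config in this format, validates option names and types against the table above, and applies an assumed precedence of built-in default, then `<defaults>`, the user's device, the user, and finally the service. The bare-number-means-seconds rule for Time values is also an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (mirrors the example above; not a real deployment).
SAMPLE_CONF = """<configuration>
  <defaults>
    <option name="color_log">false</option>
    <option name="debug">true</option>
    <option name="probe_timeout">10s</option>
  </defaults>
  <devices><device id="mydevice"><option name="probe_timeout">15</option></device></devices>
  <users><user id="scox"><device>mydevice</device><option name="debug">false</option></user></users>
  <services><service id="su"><option name="enable">false</option></service></services>
</configuration>"""

# Built-in defaults as listed in the Options table (Time values in seconds).
BUILTIN = {"enable": True, "debug": False, "quiet": False, "color_log": True,
           "one_time_pad": True, "deny_remote": True, "probe_timeout": 10,
           "pad_expiration": 3600, "system_pad_directory": ".pamusb",
           "device_pad_directory": ".pamusb"}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_value(name, raw):
    """Coerce option text to the type of its built-in default; reject junk."""
    if isinstance(BUILTIN[name], bool):
        if raw not in ("true", "false"):
            raise ValueError(f"{name}: expected true/false, got {raw!r}")
        return raw == "true"
    if isinstance(BUILTIN[name], int):  # Time: optional s/m/h/d suffix (assumed: bare = seconds)
        num, unit = (raw[:-1], raw[-1]) if raw[-1] in UNITS else (raw, "s")
        return int(num) * UNITS[unit]
    return raw

def find_by_id(root, path, wanted):
    """Exact id match without building an XPath predicate from the caller's string."""
    return next((e for e in root.iterfind(path) if e.get("id") == wanted), None)

def effective_options(xml_text, user, service):
    """Resolve the options in force for (user, service); the device comes from the user entry.
    Assumed precedence, lowest to highest: built-in, defaults, device, user, service."""
    root = ET.fromstring(xml_text)  # a malformed file (e.g. an unclosed tag) raises ParseError
    user_el = find_by_id(root, "users/user", user)
    device = user_el.findtext("device") if user_el is not None else None
    scopes = [root.find("defaults"),
              find_by_id(root, "devices/device", device) if device else None,
              user_el, find_by_id(root, "services/service", service)]
    opts = dict(BUILTIN)
    for scope in scopes:
        for opt in (scope.findall("option") if scope is not None else []):
            name = opt.get("name")
            if name not in BUILTIN:
                raise ValueError(f"unknown option {name!r}")  # catches typos before PAM sees them
            opts[name] = parse_value(name, (opt.text or "").strip())
    return opts
```

Running `effective_options(SAMPLE_CONF, "scox", "su")` yields `enable=False` from the service scope, `debug=False` from the user scope overriding `<defaults>`, and `probe_timeout=15` from the device scope.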
Devices
-------

<table>
<tr>
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th>Example</th>
</tr>
<tr>
<td>id</td>
<td>Attribute</td>
<td>Arbitrary device name</td>
<td>MyDevice</td>
</tr>
<tr>
<td>vendor</td>
<td>Element</td>
<td>Device's vendor name</td>
<td>SanDisk Corp.</td>
</tr>
<tr>
<td>model</td>
<td>Element</td>
<td>Device's model name</td>
<td>Cruzer Titanium</td>
</tr>
<tr>
<td>serial</td>
<td>Element</td>
<td>Serial number of the device</td>
<td>SNDKXXXXXXXXXXXXXXXX</td>
</tr>
<tr>
<td>volume_uuid</td>
<td>Element</td>
<td>UUID of the device's volume used to store pads</td>
<td>6F6B-42FC</td>
</tr>
</table>

Example:

```xml
<device id="MyDevice">
  <vendor>SanDisk Corp.</vendor>
  <model>Cruzer Titanium</model>
  <serial>SNDKXXXXXXXXXXXXXXXX</serial>
  <volume_uuid>6F6B-42FC</volume_uuid>
</device>
```
Users
-----

<table>
<tr>
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th>Example</th>
</tr>
<tr>
<td>id</td>
<td>Attribute</td>
<td>Login of the user</td>
<td>root</td>
</tr>
<tr>
<td>device</td>
<td>Element</td>
<td>id of the device associated to the user</td>
<td>MyDevice</td>
</tr>
<tr>
<td>agent</td>
<td>Element</td>
<td>Agent commands, for use with pamusb-agent</td>
<td>event="lock"</td>
</tr>
<tr>
<td>env</td>
<td>Element</td>
<td>An environment variable for the command. For multiple variables use multiple env tags</td>
<td>HOME=/home/scox</td>
</tr>
<tr>
<td>cmd</td>
<td>Element</td>
<td>Agent command, associated with env tags in the same agent element</td>
<td>gnome-screensaver-command --lock</td>
</tr>
</table>

Example:

```xml
<user id="scox">
  <device>MyDevice</device>
  <!-- When the user "scox" removes the usb device, lock the screen and pause
       beep-media-player -->
  <agent event="lock">
    <env>DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus</env>
    <env>HOME=/home/scox</env>
    <cmd>gnome-screensaver-command --lock</cmd>
  </agent>
  <agent event="lock">
    <cmd>beep-media-player --pause</cmd>
  </agent>
  <!-- Resume operations when the usb device is plugged back and authenticated -->
  <agent event="unlock">
    <env>DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus</env>
    <env>HOME=/home/scox</env>
    <cmd>gnome-screensaver-command --deactivate</cmd>
  </agent>
  <agent event="unlock">
    <cmd>beep-media-player --play</cmd>
  </agent>
</user>
```
Services
--------

<table>
<tr>
<th>Name</th>
<th>Type</th>
<th>Description</th>
<th>Example</th>
</tr>
<tr>
<td>id</td>
<td>Attribute</td>
<td>Name of the service</td>
<td>su</td>
</tr>
</table>

Example:

```xml
<service id="su">
  <!--
    Here you can put service specific options such as "enable", "debug" etc.
    See the options section of this document.
  -->
</service>
```
Location of the configuration file
----------------------------------

By default, pam_usb.so and its tools will look for the configuration file at `/etc/security/pam_usb.conf`.
If you want to use a different location, you will have to use the `-c` flag:

```
# /etc/pam.d/common-auth
auth sufficient pam_usb.so -c /some/other/path.conf
auth required pam_unix.so nullok_secure
```

You will also have to use the `-c` option when calling pam_usb's tools:

```
pamusb-agent -c /some/other/path.conf
```