|
|
- ====== Configuration ======
-
- Configuration is done through the pamusb-conf tool, as explained in the
- [[quickstart]] section. Most users don't have to manually change pamusb.conf,
- however if you want to change some default settings, this document explains the
- syntax of the pamusb.conf configuration file.
-
- ===== Introduction =====
-
- * The configuration file is formatted in XML and subdivided in 4 sections:
- - Default options, shared among every device, user and service
- - Devices declaration and settings
- - Users declaration and settings
- - Services declaration and settings
-
- * The syntax is the following:
- <configuration>
- <defaults>
- <!-- default options -->
- </defaults>
-
- <devices>
- <!-- devices definitions -->
- </devices>
-
- <users>
- <!-- users definitions -->
- </users>
-
- <services>
- <!-- services definitions -->
- </services>
- </configuration>
-
- * Location of the configuration file
-
- By default, pam_usb.so and its tools will look for the configuration file
- located in /etc/pamusb.conf, but you can tell it to use a different file by
- using the -c option:
-
- # /etc/pam.d/common-auth
- auth sufficient pam_usb.so -c /some/other/path.conf
- auth required pam_unix.so nullok_secure
-
- You will also have to use the -c option when calling pam_usb's tools. For
- instance, when calling pamusb-agent:
- pamusb-agent -c /some/other/path.conf
-
-
-
-
-
- ===== Options =====
-
- ^ Name ^ Type ^ Default value ^ Description ^
- | enable | Boolean | true | Enable pam_usb
- |
- | debug | Boolean | false | Enable debug messages
- |
- | quiet | Boolean | false | Quiet mode (no verbose
- output) |
- | color_log | Boolean | true | Enable colored output
- |
- | one_time_pad | Boolean | true | Enable the use of one
- time pads |
- | deny_remote | Boolean | true | Deny access from
- remote host (ssh) |
- | probe_timeout | Time | 10s | Time to wait for the
- volume to be detected|
- | pad_expiration| Time | 1h | Time between pads
- regeneration|
- | hostname | String | Computer's hostname | Computer name. Must be
- unique accross computers using the same device |
-
- | system_pad_directory | String | .pamusb | Relative path to the
- user's home used to store one time pads |
- | device_pad_directory | String | .pamusb | Relative path to the
- device used to store one time pads|
-
- * Example:
-
- <configuration>
- <defaults>
- <!-- Disable colored output by default -->
- <option name="color_log">false</option>
- <!-- Enable debug output -->
- <option name="debug">true</option>
- </defaults>
- <users>
- <user id="root">
- <!-- Enable colored output for user "root" -->
- <option name="color_log">true</option>
- </user>
- <user id="scox">
- <!-- Disable debug output for user "scox" -->
- <option name="debug">false</option>
- </users>
- <devices>
- <device id="sandisk">
- <!-- Wait 15 seconds instead of the default 10 seconds for the "sandisk"
- device to be detected -->
- <option name="probe_timeout">15</option>
- </devices>
- <services>
- <service id="su">
- <!-- Disable pam_usb for "su" ("su" will ask for a password as usual) -->
- <option name="enable">false<option>
- </service>
- </services>
- </configuration>
-
- ===== Devices =====
-
- ^ Name ^ Type ^ Description ^
- Example ^
- | id | Attribute | Arbitrary device name |
- MyDevice |
- | vendor | Element | device's vendor name |
- SanDisk Corp. |
- | model | Element | device's model name |
- Cruzer Titanium |
- | serial | Element | serial number of the device |
- SNDKXXXXXXXXXXXXXXXX |
- | volume_uuid | Element | UUID of the device's volume used to store pads |
- 6F6B-42FC |
-
-
- * Example:
-
- <device id="MyDevice">
- <vendor>SanDisk Corp.</vendor>
- <model>Cruzer Titanium</model>
- <serial>SNDKXXXXXXXXXXXXXXXX</serial>
- <volume_uuid>6F6B-42FC</volume_uuid>
- </device>
-
-
-
- ===== Users =====
-
- ^ Name ^ Type ^ Description ^
- Example ^
- | id | Attribute | Login of the user | root
- |
- | device | Element | id of the device associated to the user |
- MyDevice |
- | agent | Element | Agent commands, for use with pamusb-agent | See
- below |
-
- * Example:
-
- <user id="scox">
- <device>MyDevice</device>
-
- <!-- When the user "scox" removes the usb device, lock the screen and pause
- beep-media-player -->
- <agent event="lock">gnome-screensaver-command --lock</agent>
- <agent event="lock">beep-media-player --pause</agent>
-
- <!-- Resume operations when the usb device is plugged back and authenticated -->
- <agent event="unlock">gnome-screensaver-command --deactivate</agent>
- <agent event="unlock">beep-media-player --play</agent>
- </user>
-
- ===== Services =====
-
- ^ Name ^ Type ^ Description ^ Example ^
- | id | Attribute | Name of the service | su |
-
- <service id="su">
- <!--
- Here you can put service specific options such as "enable", "debug" etc.
- See the options section of this document.
- -->
- </service>
-
-
-
-
- ===== Full example =====
-
- This example demonstrates how to write a pam_usb configuration file and how to
- combine and override options.
-
- <configuration>
- <!-- Default options -->
- <defaults>
- <!-- Enable debug output by default-->
- <option name="debug">true</option> -->
- <!-- Disable one time pads by default -->
- <option name="one_time_pad">false</option> -->
- </defaults>
-
- <!-- Device settings -->
- <devices>
- <device id="MyDevice">
- <!-- This part was generated by pamusb-conf -->
- <vendor>SanDisk Corp.</vendor>
- <model>Cruzer Titanium</model>
- <serial>SNDKXXXXXXXXXXXXXXXX</serial>
- <volume_uuid>6F6B-42FC</volume_uuid>
-
- <!--
- Override the debug option previously enabled by "defaults".
- Everytime a user associated to that device tries to authenticate,
- debugging will be disabled.
- For other users using different devices, the debugging will still be
- enabled.
- -->
- <option name="debug">disable</option>
- </device>
- </devices>
-
- <!-- User settings -->
- <users>
-
- <!-- Authenticate user "root" with device "MyDevice". -->
- <user id="root">
- <device>MyDevice</device>
-
- <!--
- One time pads were disabled in the "defaults" section.
- Now we want to enable them for the user "root" so we override the option:
- -->
- <option name="one_time_pad">true</option>
- </user>
-
- <!-- Authenticate user "scox" with device "MyDevice". -->
- <user id="scox">
- <device>MyDevice</device>
-
- <!-- We want pam_usb to work in quiet mode when authenticating "scox", so we
- override the "quiet" option -->
- <option name="quiet">true</option>
-
- <!-- Agent settings, used by pamusb-agent -->
- <agent event="lock">gnome-screensaver-command --lock</agent>
- <agent event="unlock">gnome-screensaver-command --deactivate</agent>
- </user>
- </users>
-
- <!-- Services settings (e.g. gdm, su, sudo...) -->
- <services>
-
- <!-- Disable pam_usb for gdm (a password will be asked as usual) -->
- <service id="gdm">
- <option name="enable">false</option>
- </service>
-
- <!--
- We already disabled one time pads in the defaults section, but then
- re-enabled them for the
- user "root" in the users section.
-
- Now we want to speed up console login for user root, so we simply override
- again the one_time_pad option
- for the "login" (console) service.
- -->
- <service id="login">
- <option name="one_time_pad">false</option>
- </service>
- </services>
- </configuration>
- </code>
|