Hardware authentication for Linux using ordinary USB Flash Drives.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

246 lines
7.3 KiB

  1. ====== Configuration ======
  2. ===== Introduction =====
  3. * The configuration file is formatted in XML and subdivided in 4 sections:
  4. - Default options, shared among every device, user and service
  5. - Devices declaration and settings
  6. - Users declaration and settings
  7. - Services declaration and settings
  8. * The syntax is the following:
  9. <configuration>
  10. <defaults>
  11. <!-- default options -->
  12. </defaults>
  13. <devices>
  14. <!-- devices definitions -->
  15. </devices>
  16. <users>
  17. <!-- users definitions -->
  18. </users>
  19. <services>
  20. <!-- services definitions -->
  21. </services>
  22. </configuration>
  23. * Location of the configuration file
  24. By default, pam_usb.so and its tools will look for the configuration file
  25. located in /etc/pusb/pusb.conf, but you can tell it to use a different file by
  26. using the -c option:
  27. # /etc/pam.d/common-auth
  28. auth sufficient pam_usb.so -c /some/other/path.conf
  29. auth required pam_unix.so nullok_secure
  30. You will also have to use the -c option when calling pamusb's tools. For
  31. instance, when calling pusb_hotplug:
  32. pusb_hotplug -c /some/other/path.conf
  33. ===== Options =====
  34. ^ Name ^ Type ^ Default value ^ Description ^
  35. | enable | Boolean | true | Enable pamusb
  36. |
  37. | debug | Boolean | false | Enable debug messages
  38. |
  39. | quiet | Boolean | false | Quiet mode (no verbose
  40. output) |
  41. | color_log | Boolean | true | Enable colored output
  42. |
  43. | one_time_pad | Boolean | true | Enable the use of one
  44. time pads |
  45. | probe_timeout | Integer | 10 | Time (in seconds) to
  46. wait for the volume to be detected|
  47. | hostname | String | Computer's hostname | Computer name. Must be
  48. unique accross computers using the same device |
  49. | system_pad_directory | String | .pusb | Relative path to the
  50. user's home used to store one time pads |
  51. | device_pad_directory | String | .pusb | Relative path to the
  52. device used to store one time pads|
  53. * Example:
  54. <configuration>
  55. <defaults>
  56. <!-- Disable colored output by default -->
  57. <option name="color_log">false</option>
  58. <!-- Enable debug output -->
  59. <option name="debug">true</option>
  60. </defaults>
  61. <users>
  62. <user id="root">
  63. <!-- Enable colored output for user "root" -->
  64. <option name="color_log">true</option>
  65. </user>
  66. <user id="scox">
  67. <!-- Disable debug output for user "scox" -->
  68. <option name="debug">false</option>
  69. </users>
  70. <devices>
  71. <device id="sandisk">
  72. <!-- Wait 15 seconds instead of the default 10 seconds for the "sandisk"
  73. device to be detected -->
  74. <option name="probe_timeout">15</option>
  75. </devices>
  76. <services>
  77. <service id="su">
  78. <!-- Disable pamusb for "su" ("su" will ask for a password as usual) -->
  79. <option name="enable">false<option>
  80. </service>
  81. </services>
  82. </configuration>
  83. ===== Devices =====
  84. ^ Name ^ Type ^ Description ^
  85. Example ^
  86. | id | Attribute | Arbitrary device name |
  87. MyDevice |
  88. | vendor | Element | device's vendor name |
  89. SanDisk Corp. |
  90. | model | Element | device's model name |
  91. Cruzer Titanium |
  92. | serial | Element | serial number of the device |
  93. SNDKXXXXXXXXXXXXXXXX |
  94. | volume_uuid | Element | UUID of the device's volume used to store pads |
  95. 6F6B-42FC |
  96. * Example:
  97. <device id="MyDevice">
  98. <vendor>SanDisk Corp.</vendor>
  99. <model>Cruzer Titanium</model>
  100. <serial>SNDKXXXXXXXXXXXXXXXX</serial>
  101. <volume_uuid>6F6B-42FC</volume_uuid>
  102. </device>
  103. ===== Users =====
  104. ^ Name ^ Type ^ Description ^
  105. Example ^
  106. | id | Attribute | Login of the user | root
  107. |
  108. | device | Element | id of the device associated to the user |
  109. MyDevice |
  110. | hotplug | Element | Hotplug commands, for use with pusb_hotplug | See
  111. below |
  112. * Example:
  113. <user id="scox">
  114. <device>MyDevice</device>
  115. <!-- When the user "scox" removes the usb device, lock the screen and pause
  116. beep-media-player -->
  117. <hotplug event="lock">gnome-screensaver-command --lock</hotplug>
  118. <hotplug event="lock">beep-media-player --pause</hotplug>
  119. <!-- Resume operations when the usb device is plugged back and authenticated -->
  120. <hotplug event="unlock">gnome-screensaver-command --deactivate</hotplug>
  121. <hotplug event="unlock">beep-media-player --play</hotplug>
  122. </user>
  123. ===== Services =====
  124. ^ Name ^ Type ^ Description ^ Example ^
  125. | id | Attribute | Name of the service | su |
  126. <service id="su">
  127. <!--
  128. Here you can put service specific options such as "enable", "debug" etc.
  129. See the options section of this document.
  130. -->
  131. </service>
  132. ===== Full example =====
  133. This example demonstrates how to write a pamusb configuration file and how to
  134. combine and override options.
  135. <configuration>
  136. <!-- Default options -->
  137. <defaults>
  138. <!-- Enable debug output by default-->
  139. <option name="debug">true</option> -->
  140. <!-- Disable one time pads by default -->
  141. <option name="one_time_pad">false</option> -->
  142. </defaults>
  143. <!-- Device settings -->
  144. <devices>
  145. <device id="MyDevice">
  146. <!-- This part was generated by pusb_adm -->
  147. <vendor>SanDisk Corp.</vendor>
  148. <model>Cruzer Titanium</model>
  149. <serial>SNDKXXXXXXXXXXXXXXXX</serial>
  150. <volume_uuid>6F6B-42FC</volume_uuid>
  151. <!--
  152. Override the debug option previously enabled by "defaults".
  153. Everytime a user associated to that device tries to authenticate,
  154. debugging will be disabled.
  155. For other users using different devices, the debugging will still be
  156. enabled.
  157. -->
  158. <option name="debug">disable</option>
  159. </device>
  160. </devices>
  161. <!-- User settings -->
  162. <users>
  163. <!-- Authenticate user "root" with device "MyDevice". -->
  164. <user id="root">
  165. <device>MyDevice</device>
  166. <!--
  167. One time pads were disabled in the "defaults" section.
  168. Now we want to enable them for the user "root" so we override the option:
  169. -->
  170. <option name="one_time_pad">true</option>
  171. </user>
  172. <!-- Authenticate user "scox" with device "MyDevice". -->
  173. <user id="scox">
  174. <device>MyDevice</device>
  175. <!-- We want pamusb to work in quiet mode when authenticating "scox", so we
  176. override the "quiet" option -->
  177. <option name="quiet">true</option>
  178. <!-- Hotplugging settings, used by pusb_hotplug -->
  179. <hotplug event="lock">gnome-screensaver-command --lock</hotplug>
  180. <hotplug event="unlock">gnome-screensaver-command --deactivate</hotplug>
  181. </user>
  182. </users>
  183. <!-- Services settings (e.g. gdm, su, sudo...) -->
  184. <services>
  185. <!-- Disable pamusb for gdm (a password will be asked as usual) -->
  186. <service id="gdm">
  187. <option name="enable">false</option>
  188. </service>
  189. <!--
  190. We already disabled one time pads in the defaults section, but then
  191. re-enabled them for the
  192. user "root" in the users section.
  193. Now we want to speed up console login for user root, so we simply override
  194. again the one_time_pad option
  195. for the "login" (console) service.
  196. -->
  197. <service id="login">
  198. <option name="one_time_pad">false</option>
  199. </service>
  200. </services>
  201. </configuration>
  202. </code>