====== Configuration ======
Configuration is done through the pamusb-conf tool, as explained in the
[[quickstart]] section. Most users don't have to change pamusb.conf manually.
If you do want to change some default settings, this document explains the
syntax of the pamusb.conf configuration file.
===== Introduction =====
  * The configuration file is formatted in XML and subdivided into 4 sections:
    - Default options, shared among every device, user and service
    - Devices declaration and settings
    - Users declaration and settings
    - Services declaration and settings
  * The syntax is the following:
  * Location of the configuration file
By default, pam_usb.so and its tools look for the configuration file at
/etc/pamusb.conf, but you can tell them to use a different file with the
-c option:

  # /etc/pam.d/common-auth
  auth    sufficient      pam_usb.so -c /some/other/path.conf
  auth    required        pam_unix.so nullok_secure

You will also have to use the -c option when calling pam_usb's tools. For
instance, when calling pamusb-agent:

  pamusb-agent -c /some/other/path.conf
===== Options =====
^ Name ^ Type ^ Default value ^ Description ^
| enable | Boolean | true | Enable pam_usb |
| debug | Boolean | false | Enable debug messages |
| quiet | Boolean | false | Quiet mode (no verbose output) |
| color_log | Boolean | true | Enable colored output |
| one_time_pad | Boolean | true | Enable the use of one time pads |
| deny_remote | Boolean | true | Deny access from remote host (ssh) |
| probe_timeout | Time | 10s | Time to wait for the volume to be detected |
| pad_expiration | Time | 1h | Time between pads regeneration |
| hostname | String | Computer's hostname | Computer name. Must be unique across computers using the same device |
| system_pad_directory | String | .pamusb | Relative path to the user's home used to store one time pads |
| device_pad_directory | String | .pamusb | Relative path to the device used to store one time pads |
  * Example:
===== Devices =====
^ Name ^ Type ^ Description ^ Example ^
| id | Attribute | Arbitrary device name | MyDevice |
| vendor | Element | Device's vendor name | SanDisk Corp. |
| model | Element | Device's model name | Cruzer Titanium |
| serial | Element | Serial number of the device | SNDKXXXXXXXXXXXXXXXX |
| volume_uuid | Element | UUID of the device's volume used to store pads | 6F6B-42FC |
  * Example:

  <device id="MyDevice">
      <vendor>SanDisk Corp.</vendor>
      <model>Cruzer Titanium</model>
      <serial>SNDKXXXXXXXXXXXXXXXX</serial>
      <volume_uuid>6F6B-42FC</volume_uuid>
  </device>
===== Users =====
^ Name ^ Type ^ Description ^ Example ^
| id | Attribute | Login of the user | root |
| device | Element | id of the device associated to the user | MyDevice |
| agent | Element | Agent commands, for use with pamusb-agent | See below |
  * Example:

  <user id="root">
      <device>MyDevice</device>
      <agent event="lock">gnome-screensaver-command --lock</agent>
      <agent event="lock">beep-media-player --pause</agent>
      <agent event="unlock">gnome-screensaver-command --deactivate</agent>
      <agent event="unlock">beep-media-player --play</agent>
  </user>
===== Services =====
^ Name ^ Type ^ Description ^ Example ^
| id | Attribute | Name of the service | su |
===== Full example =====
This example demonstrates how to write a pam_usb configuration file and how to
combine and override options.
SanDisk Corp.Cruzer TitaniumSNDKXXXXXXXXXXXXXXXX6F6B-42FCMyDeviceMyDevicegnome-screensaver-command --lockgnome-screensaver-command --deactivate
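
Because options can be overridden per device, user and service, a protective default such as deny_remote or one_time_pad can be switched off in one place without being noticed. The following check is an added example, not part of the pam_usb documentation or tools: it lists every scope that sets one of those two options away from its documented default, and every user that references an undeclared device. It assumes pam_usb's ''<option name="...">'' element form and the ''<configuration>'' root element; the sample file, the user "alice" and "OtherDevice" are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the original page); assumes pam_usb's
# <option name="...">value</option> form. "alice" and "OtherDevice" are made up.
SAMPLE = """<configuration>
  <defaults><option name="deny_remote">false</option></defaults>
  <devices>
    <device id="MyDevice">
      <serial>SNDKXXXXXXXXXXXXXXXX</serial>
      <volume_uuid>6F6B-42FC</volume_uuid>
    </device>
  </devices>
  <users>
    <user id="root">
      <device>MyDevice</device>
      <option name="one_time_pad">false</option>
    </user>
    <user id="alice"><device>OtherDevice</device></user>
  </users>
  <services>
    <service id="su"><option name="debug">true</option></service>
  </services>
</configuration>"""

# Options from the table above whose documented default protects authentication.
SECURE_DEFAULTS = {"one_time_pad": "true", "deny_remote": "true"}

def audit(xml_text):
    """Return sorted (scope, name, value) findings for one configuration."""
    root = ET.fromstring(xml_text)
    scopes = [("defaults", n) for n in root.findall("defaults")]
    for kind in ("device", "user", "service"):
        scopes += [(f"{kind}:{n.get('id')}", n) for n in root.findall(f"{kind}s/{kind}")]
    findings = []
    for scope, node in scopes:
        for opt in node.findall("option"):
            name, value = opt.get("name"), (opt.text or "").strip().lower()
            if SECURE_DEFAULTS.get(name, value) != value:
                findings.append((scope, name, value))
    # Every user must reference a device id that is actually declared.
    declared = {d.get("id") for d in root.findall("devices/device")}
    for user in root.findall("users/user"):
        dev = (user.findtext("device") or "").strip()
        if dev not in declared:
            findings.append((f"user:{user.get('id')}", "device", dev))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

To check a real file, pass its contents to ''audit()'', reading the path given to -c if one is in use.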