Hardware authentication for Linux using ordinary USB Flash Drives.
====== Configuration ======
Configuration is done through the pamusb-conf tool, as explained in the
[[quickstart]] section. Most users don't have to manually change pamusb.conf,
however if you want to change some default settings, this document explains the
syntax of the pamusb.conf configuration file.
===== Introduction =====
  * The configuration file is formatted in XML and subdivided into 4 sections:
    - Default options, shared among every device, user and service
    - Devices declaration and settings
    - Users declaration and settings
    - Services declaration and settings
  * The syntax is the following:
<code xml>
<configuration>
<defaults>
<!-- default options -->
</defaults>
<devices>
<!-- devices definitions -->
</devices>
<users>
<!-- users definitions -->
</users>
<services>
<!-- services definitions -->
</services>
</configuration>
</code>
  * Location of the configuration file
By default, pam_usb.so and its tools will look for the configuration file
located in /etc/pamusb.conf, but you can tell it to use a different file by
using the -c option:
<code>
# /etc/pam.d/common-auth
auth sufficient pam_usb.so -c /some/other/path.conf
auth required pam_unix.so nullok_secure
</code>
You will also have to use the -c option when calling pam_usb's tools. For
instance, when calling pamusb-agent:
<code>
pamusb-agent -c /some/other/path.conf
</code>
===== Options =====
^ Name ^ Type ^ Default value ^ Description ^
| enable | Boolean | true | Enable pam_usb |
| debug | Boolean | false | Enable debug messages |
| quiet | Boolean | false | Quiet mode (no verbose output) |
| color_log | Boolean | true | Enable colored output |
| one_time_pad | Boolean | true | Enable the use of one time pads |
| deny_remote | Boolean | true | Deny access from remote host (ssh) |
| probe_timeout | Time | 10s | Time to wait for the volume to be detected |
| pad_expiration | Time | 1h | Time between pads regeneration |
| hostname | String | Computer's hostname | Computer name. Must be unique across computers using the same device |
| system_pad_directory | String | .pamusb | Relative path to the user's home used to store one time pads |
| device_pad_directory | String | .pamusb | Relative path to the device used to store one time pads |
  * Example:
<code xml>
<configuration>
<defaults>
<!-- Disable colored output by default -->
<option name="color_log">false</option>
<!-- Enable debug output -->
<option name="debug">true</option>
</defaults>
<users>
<user id="root">
<!-- Enable colored output for user "root" -->
<option name="color_log">true</option>
</user>
<user id="scox">
<!-- Disable debug output for user "scox" -->
<option name="debug">false</option>
</user>
</users>
<devices>
<device id="sandisk">
<!-- Wait 15 seconds instead of the default 10 seconds for the "sandisk"
device to be detected -->
<option name="probe_timeout">15</option>
</device>
</devices>
<services>
<service id="su">
<!-- Disable pam_usb for "su" ("su" will ask for a password as usual) -->
<option name="enable">false</option>
</service>
</services>
</configuration>
</code>
===== Devices =====
^ Name ^ Type ^ Description ^ Example ^
| id | Attribute | Arbitrary device name | MyDevice |
| vendor | Element | Device's vendor name | SanDisk Corp. |
| model | Element | Device's model name | Cruzer Titanium |
| serial | Element | Serial number of the device | SNDKXXXXXXXXXXXXXXXX |
| volume_uuid | Element | UUID of the device's volume used to store pads | 6F6B-42FC |
  * Example:
<code xml>
<device id="MyDevice">
<vendor>SanDisk Corp.</vendor>
<model>Cruzer Titanium</model>
<serial>SNDKXXXXXXXXXXXXXXXX</serial>
<volume_uuid>6F6B-42FC</volume_uuid>
</device>
</code>
===== Users =====
^ Name ^ Type ^ Description ^ Example ^
| id | Attribute | Login of the user | root |
| device | Element | id of the device associated with the user | MyDevice |
| agent | Element | Agent commands, for use with pamusb-agent | See below |
  * Example:
<code xml>
<user id="scox">
<device>MyDevice</device>
<!-- When the user "scox" removes the USB device, lock the screen and pause
beep-media-player -->
<agent event="lock">gnome-screensaver-command --lock</agent>
<agent event="lock">beep-media-player --pause</agent>
<!-- Resume operations when the USB device is plugged back in and authenticated -->
<agent event="unlock">gnome-screensaver-command --deactivate</agent>
<agent event="unlock">beep-media-player --play</agent>
</user>
</code>
===== Services =====
^ Name ^ Type ^ Description ^ Example ^
| id | Attribute | Name of the service | su |
  * Example:
<code xml>
<service id="su">
<!--
Here you can put service specific options such as "enable", "debug" etc.
See the options section of this document.
-->
</service>
</code>
===== Full example =====
This example demonstrates how to write a pam_usb configuration file and how to
combine and override options.
<code xml>
<configuration>
<!-- Default options -->
<defaults>
<!-- Enable debug output by default -->
<option name="debug">true</option>
<!-- Disable one time pads by default -->
<option name="one_time_pad">false</option>
</defaults>
<!-- Device settings -->
<devices>
<device id="MyDevice">
<!-- This part was generated by pamusb-conf -->
<vendor>SanDisk Corp.</vendor>
<model>Cruzer Titanium</model>
<serial>SNDKXXXXXXXXXXXXXXXX</serial>
<volume_uuid>6F6B-42FC</volume_uuid>
<!--
Override the debug option previously enabled by "defaults".
Every time a user associated with that device tries to authenticate,
debugging will be disabled.
For other users using different devices, debugging will still be
enabled.
-->
<option name="debug">false</option>
</device>
</devices>
<!-- User settings -->
<users>
<!-- Authenticate user "root" with device "MyDevice". -->
<user id="root">
<device>MyDevice</device>
<!--
One time pads were disabled in the "defaults" section.
Now we want to enable them for the user "root", so we override the option:
-->
<option name="one_time_pad">true</option>
</user>
<!-- Authenticate user "scox" with device "MyDevice". -->
<user id="scox">
<device>MyDevice</device>
<!-- We want pam_usb to work in quiet mode when authenticating "scox", so we
override the "quiet" option -->
<option name="quiet">true</option>
<!-- Agent settings, used by pamusb-agent -->
<agent event="lock">gnome-screensaver-command --lock</agent>
<agent event="unlock">gnome-screensaver-command --deactivate</agent>
</user>
</users>
<!-- Services settings (e.g. gdm, su, sudo...) -->
<services>
<!-- Disable pam_usb for gdm (a password will be asked for as usual) -->
<service id="gdm">
<option name="enable">false</option>
</service>
<!--
We already disabled one time pads in the defaults section, but then
re-enabled them for the user "root" in the users section.
Now we want to speed up console login for user root, so we simply override
the one_time_pad option again for the "login" (console) service.
-->
<service id="login">
<option name="one_time_pad">false</option>
</service>
</services>
</configuration>
</code>
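To check how the override chain in this full example (and the shorter one in the Options section) resolves for a given login, here is an added Python helper that is not part of pam_usb: it merges the page's built-in defaults, then the <defaults> section, then the user's device, then the user, then the service, with later entries winning. The device-before-user ordering is an assumption of this helper, and the embedded config is a constructed, trimmed copy of the example above.

```python
import xml.etree.ElementTree as ET

# Constructed sample from this page's Full example, trimmed and corrected.
SAMPLE_CONF = """<configuration>
  <defaults>
    <option name="debug">true</option>
    <option name="one_time_pad">false</option>
  </defaults>
  <devices>
    <device id="MyDevice">
      <volume_uuid>6F6B-42FC</volume_uuid>
      <option name="debug">false</option>
    </device>
  </devices>
  <users>
    <user id="root"><device>MyDevice</device>
      <option name="one_time_pad">true</option></user>
    <user id="scox"><device>MyDevice</device>
      <option name="quiet">true</option></user>
  </users>
  <services>
    <service id="gdm"><option name="enable">false</option></service>
    <service id="login"><option name="one_time_pad">false</option></service>
  </services>
</configuration>"""

# Built-in defaults from the Options table on this page (Boolean ones only).
BUILTIN = {"enable": "true", "debug": "false", "quiet": "false",
           "color_log": "true", "one_time_pad": "true", "deny_remote": "true"}

def _options(node):
    """Collect <option name="...">value</option> children of one node."""
    if node is None:
        return {}
    return {o.get("name"): (o.text or "").strip() for o in node.findall("option")}

def effective_options(conf_xml, user, service):
    """Merge built-ins < defaults < device < user < service; later wins."""
    root = ET.fromstring(conf_xml)
    user_node = root.find(f"users/user[@id='{user}']")
    if user_node is None:
        raise KeyError(f"user {user!r} is not declared in <users>")
    dev_id = user_node.findtext("device", default="")
    opts = dict(BUILTIN)
    opts.update(_options(root.find("defaults")))
    opts.update(_options(root.find(f"devices/device[@id='{dev_id}']")))
    opts.update(_options(user_node))
    opts.update(_options(root.find(f"services/service[@id='{service}']")))
    return opts
```

Running it against the sample shows, for instance, that root gets one time pads everywhere except the "login" service, exactly as the comments in the example intend.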