Gentoo Forums
Forum Index :: Documentation, Tips & Tricks
HOWTO: pam_usb login with USB memory stick
gentoo_weazle
n00b
Joined: 07 Mar 2005
Posts: 3

Posted: Tue Mar 08, 2005 1:13 pm    Post subject: HOWTO: pam_usb login with USB memory stick

HOWTO: pam_usb login with USB memory stick
===============================

Introduction

This relates to a project of mine, a Single Sign On solution using a usb-memory stick. An advantage is when you have too many passwords to remember, SSO brings this back to one password and one point where you have to login and then use these credentials to access all your applications and resources. For example your webmail, forums etc.

Goals:

  • Login locally with your usb memory stick on the console (this howto)
  • Login locally with your usb memory stick on XDM, GDM, KDM
  • The possibility to remotely login (via ssh) with the usb memory stick
  • A layer built on top of the linux login process (locally/remote) which handles the authentication between the usb memory stick and the keyserver / Certificate Authority
Comments are welcome :-)

PAM_USB

1. emerge pam_usb
2. Read the Quickstart and Options files on http://www.pamusb.org/

5. Make the keys on the usb memory stick, as described in the Quickstart. I made one for root and one for my normal user account. I used a DSA keypair of 4096 bits :mrgreen:

Code:
usbadm keygen [/path/to/mounted/usbmemorystick] [username] [bits]

Check if the keys are made correctly. They are in the .auth directory on the usb memory stick.

Simply by issuing a command like
Code:
more .auth/[username].[hostname]

If it spits out all kinds of DSA code gibberish, the key is ok.

6. BACKUP all the /etc/pam.d files somewhere, in case something goes wrong.

7. Configuration:

- Make the logfile (for debugging purposes)

make an empty file:
Code:
vi /var/log/pam_usb.log

save & exit.

- Edit /etc/pam.d/login. Check whether your filesystem is vfat, otherwise replace fs= with your filesystem on the usb memory stick, e.g. reiserfs or ext3 or whatever.

example:
Code:
auth required pam_usb.so force_device=/dev/sda  fs=vfat check_if_mounted=1 debug=1 log_file=/var/log/pam_usb.log


My /etc/pam.d/login file:
Code:

#
# The PAM configuration file for the Shadow `login' service
#
# NOTE: If you use a session module (such as kerberos or NIS+)
# that retains persistent credentials (like key caches, etc), you
# need to enable the `CLOSE_SESSIONS' option in /etc/login.defs
# in order for login to stay around until after logout to call
# pam_close_session() and cleanup.
#

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
#auth       requisite  pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
#auth       requisite  pam_nologin.so

# This module parses /etc/environment (the standard for setting
# environ vars) and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# (Replaces the `ENVIRON_FILE' setting from login.defs)
auth       required   pam_env.so
auth       required pam_usb.so force_device=/dev/sda  fs=vfat check_if_mounted=1 debug=1 log_file=/var/log/pam_usb.log

# Standard Un*x authentication. The "nullok" line allows passwordless
# accounts.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please uncomment and edit /etc/security/group.conf if you
# wish to use this.
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
# auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restraints on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
account  required       pam_access.so

# Standard Un*x account and session
#@include common-account
@include common-session

# Sets up user limits, please uncomment and read /etc/security/limits.conf
# to enable this functionality.
# (Replaces the use of /etc/limits in old login)
# session    required   pam_limits.so

# Prints the last login info upon successful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
#session    optional   pam_lastlog.so

# Prints the motd upon successful login
# (Replaces the `MOTD_FILE' option in login.defs)
#session    optional   pam_motd.so

# Prints the status of the user's mailbox upon successful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). You
# can also enable a MAIL environment variable from here, but it
# is better handled by /etc/login.defs, since userdel also uses
# it to make sure that removing a user, also removes their mail
# spool file.
#session    optional   pam_mail.so standard noenv
@include common-password

9. Test stuff
Depending on how you set the mode on pam_usb, play around with it a little. There are 3 modes according to the Quickstart:

1. Unique

auth required pam_usb.so

2. Alternative

auth sufficient pam_usb.so

3. Additional

auth required pam_usb.so

I found out that in Additional mode you cannot login if the usb memory stick isn't there (doh') and that you _can_ login if the stick is present.

8. If things go wrong

Well, if you stare at the screen at errors like this:
Code:
Authentication token is no longer valid; new one required.

and you locked yourself out because you didn't leave a root terminal open :shock:

*don't panic*

There are a couple of things you can do:

1. blame someone else
2. reboot into single-user mode. I have GRUB installed as bootmanager, so in the GRUB menu upon boot I edited the line starting the kernel and added the word "single" to it. Now your system will boot in single-user mode and you can login and repair the damage.

// end
latz-twn
Tux's lil' helper
Joined: 08 Nov 2003
Posts: 95
Location: Luxembourg

Posted: Tue Mar 08, 2005 1:58 pm

Sounds like fun! I will try this!
_________________
LinuxCounter: #353618
gentoo_weazle
n00b
Joined: 07 Mar 2005
Posts: 3

Posted: Wed Mar 09, 2005 9:30 am    Post subject: Cool

Lemme know if it works and share your experience :-)

// weazle
frilled
Retired Dev
Joined: 15 Mar 2004
Posts: 386
Location: Atlantis, inner city ring

Posted: Wed Oct 19, 2005 4:08 pm

Did you try this with gdm/kdm? There's an xdm file in /etc/pam.d, but I don't know whether anything besides xdm will use it ... that'd be interesting :D
_________________
"Failure is not an option!"
"Sir, we are out of further options."
coolsnowmen
Veteran
Joined: 30 Jun 2004
Posts: 1479
Location: No.VA

Posted: Thu Nov 03, 2005 6:17 am    Post subject: Passwordless kdm login

With:

/etc/pam.d/system-auth
Code:
auth       required     pam_env.so

auth    sufficient      pam_usb.so fs=vfat debug=0 check_device=-1 check_if_mounted=-1 force_device=/dev/sda

auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so

account    required     pam_unix.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so

I have passwordless kdm and shell logins. I do not know the difference between putting it here or the login file. This is simply what I tried first, and I love it.
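The three modes the OP lists under "Test stuff" and the `sufficient` pam_usb line in the system-auth above come down to the same two things: the control flag on the pam_usb line and where it sits relative to the password module. The script below is an added example (not part of the thread and not pam_usb's own code): it reads a pam.d-style file, names the resulting mode, and says whether a lost or unmounted stick would lock that file's users out, which is the situation the HOWTO's step 8 recovers from. It assumes an `@include common-auth` line stands for a required password module, handles only plain `required`/`requisite`/`sufficient` control words (not bracketed `[value=action]` forms), and the sample files it writes are constructed to mirror the configurations posted in this thread.

```shell
#!/bin/sh
# Classify how pam_usb takes part in a PAM "auth" stack.
# Added example (not from pam_usb or the thread). It reports one of the
# mode names used in the pam_usb Quickstart, derived from the control flag
# on the pam_usb line and its position relative to the password module:
#   unique         pam_usb is the only auth module: stick only
#   alternative    pam_usb is "sufficient" ahead of the password module:
#                  stick OR password
#   additional     pam_usb is "required"/"requisite" next to a password
#                  module: stick AND password
#   password-only  pam_usb is "sufficient" but a required password module
#                  runs first, so the stick never suffices on its own

# Effective "auth" lines of a pam.d file: comments stripped, only the auth
# group kept. An "@include common-auth" line is treated as a required
# password module (assumption about what the included stack amounts to).
auth_lines() {
    sed -e 's/#.*//' "$1" | awk '$1 == "auth" || ($1 == "@include" && $2 ~ /auth/)'
}

# Print the mode name for the file given as $1.
pam_usb_mode() {
    auth_lines "$1" | awk '
        # Fields: type control module [options...]  (bracketed controls not handled)
        $1 == "@include"     { other = 1; if (usb == "") req_before = 1; next }
        $3 ~ /pam_usb\.so$/  { usb = $2; next }
        $3 ~ /pam_unix\.so$/ {
            other = 1
            if (usb == "" && ($2 == "required" || $2 == "requisite")) req_before = 1
            next
        }
        END {
            if (usb == "")                                    print "none"
            else if (usb == "required" || usb == "requisite") print (other ? "additional" : "unique")
            else if (usb == "sufficient")                     print (req_before ? "password-only" : "alternative")
            else                                              print "unknown"
        }'
}

# Exit status 0 when a lost or unmounted stick locks this file's users out
# entirely (no password-only path remains), 1 otherwise.
lockout_risk() {
    case $(pam_usb_mode "$1") in
        unique|additional) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Constructed sample files modelled on the configurations in this thread.
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/login" <<'EOF'
# OP's /etc/pam.d/login: pam_usb required next to the password stack
auth       required   pam_env.so
auth       required   pam_usb.so force_device=/dev/sda fs=vfat check_if_mounted=1
@include common-auth
@include common-session
@include common-password
EOF

cat > "$SAMPLE_DIR/system-auth" <<'EOF'
# coolsnowmen's system-auth: pam_usb sufficient ahead of pam_unix
auth       required     pam_env.so
auth       sufficient   pam_usb.so fs=vfat force_device=/dev/sda
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so
account    required     pam_unix.so
EOF

cat > "$SAMPLE_DIR/unique" <<'EOF'
auth       required     pam_usb.so fs=vfat force_device=/dev/sda
account    required     pam_unix.so
EOF

cat > "$SAMPLE_DIR/misordered" <<'EOF'
# sufficient pam_usb placed after a required pam_unix: the stick never suffices
auth       required     pam_unix.so
auth       sufficient   pam_usb.so fs=vfat force_device=/dev/sda
EOF

for f in login system-auth unique misordered; do
    if lockout_risk "$SAMPLE_DIR/$f"; then risk="(locks out without stick)"; else risk=""; fi
    printf '%-12s %-14s %s\n' "$f" "$(pam_usb_mode "$SAMPLE_DIR/$f")" "$risk"
done
```

Run it against a real file with `pam_usb_mode /etc/pam.d/login`; the `misordered` sample is the case to watch for when moving the line between `login` and `system-auth`, because a `sufficient` pam_usb that follows a `required` pam_unix still prompts for the password every time.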
salam
Apprentice
Joined: 29 Sep 2005
Posts: 205

Posted: Fri Apr 21, 2006 9:41 am

I keep getting these messages:

[pam.c:203] Cannot authenticate user "root"

though I don't want root to be authenticated, but a common user.
In /etc/pam_usb/hotplug.conf I have AUTH=username and USER=username, but it is still trying root.

How can I fix this?
scottevil
n00b
Joined: 29 Apr 2006
Posts: 6

Posted: Sun Apr 30, 2006 4:50 pm

This is trivial, but

Code:
vi /var/log/pam_usb.log
:wq

could be changed to:

Code:
touch /var/log/pam_usb.log
Allochtoon
Tux's lil' helper
Joined: 22 Jan 2004
Posts: 123
Location: Rotterdam, The Netherlands

Posted: Thu Jun 01, 2006 11:49 am

I have to say I love this howto.
But since today I use rxvt-unicode and it won't let me 'su' without a password anymore. Where should I look?
glowworm
Tux's lil' helper
Joined: 28 Jun 2005
Posts: 85

Posted: Sat Sep 02, 2006 5:52 am    Post subject: Re: Passwordless kdm login

Great howto and simple as anything to implement.

coolsnowmen wrote:
    With:
    /etc/pam.d/system-auth

This is the mode I ended up choosing too. It looks like the /etc/pam.d/login file structure has changed somewhat and the suggested file contents in the OP are no longer valid (so it seems); the trivial change to system-auth works nicely though.

This is great... it allows quite a complex backup password for emergency/remote access with the physical key to allow simple quick passwordless login when at the console.

Hmmm, I wonder if a dead man's switch can be added so the session is force logged out if the key is removed.
_________________
2.6.18-gentoo-r1 x86
Core2Duo E6300 on an Intel DG965WH M/B
NVidia 7600GT / AIGLX / KDE / Beryl CVS
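A simple form of the dead man's switch glowworm asks about, as an added example that is not part of the thread or of pam_usb: a poll loop that watches the key file at the path the HOWTO describes (`<mountpoint>/.auth/<user>.<hostname>`) and runs a lock command when it disappears, which is what pulling the stick looks like from the filesystem. The mount point, user, host name and lock command are parameters; the `key_present`/`watch_key` names, the demo directory and the key material it writes are all constructed for this example.

```shell
#!/bin/sh
# Dead man's switch for a pam_usb key: poll for the key file and run a lock
# command when it disappears. Added example (not from pam_usb or the thread);
# the key path is the one the HOWTO describes: MOUNT/.auth/USER.HOSTNAME.
# Real usage from an X session would look like
#   watch_key /mnt/usb "$USER" "$(hostname)" 'xscreensaver-command -lock'
# or with 'vlock' in place of the xscreensaver command on a console.

# 0 if MOUNT/.auth/USER.HOST exists and is non-empty (stick mounted and
# carrying a key for this user), 1 otherwise. Also 1 when the mount point
# itself is gone, which is what removing the stick looks like.
key_present() {
    [ -s "$1/.auth/$2.$3" ]
}

# watch_key MOUNT USER HOST LOCK_CMD [INTERVAL] [MAX_POLLS]
# Checks every INTERVAL seconds (default 2). MAX_POLLS (default 0 = poll
# forever) bounds the loop so the function can be exercised in a test.
# Returns 2 after running LOCK_CMD because the key vanished, 0 if MAX_POLLS
# was reached with the key still present.
watch_key() {
    mount=$1; user=$2; host=$3; lock_cmd=$4
    interval=${5:-2}; max=${6:-0}; polls=0
    while [ "$max" -eq 0 ] || [ "$polls" -lt "$max" ]; do
        if ! key_present "$mount" "$user" "$host"; then
            sh -c "$lock_cmd"      # lock or log out the session
            return 2
        fi
        polls=$((polls + 1))
        sleep "$interval"
    done
    return 0
}

# Demo on a constructed directory standing in for the mounted stick.
DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/.auth"
echo "constructed-key-material" > "$DEMO_DIR/.auth/alice.box"

watch_key "$DEMO_DIR" alice box 'echo "lock command ran"' 0 2 \
    && echo "key still present after 2 polls"
rm "$DEMO_DIR/.auth/alice.box"
watch_key "$DEMO_DIR" alice box 'echo "lock command ran"' 0 2 \
    || echo "key removed, watch_key returned $?"
```

Polling the key file rather than the device node keeps the check identical to what pam_usb itself reads at login time; a hotplug or udev rule would react faster but needs its own device matching.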
beatryder
Veteran
Joined: 08 Apr 2005
Posts: 1138

Posted: Sat Sep 23, 2006 8:01 pm

Well, I managed to get this working... I found that the version of pam_usb in portage is old. Once I upgraded to the newest version everything worked great!
_________________
Don't make it idiot proof, make it work.
Neucode.org