PAM Authentication using USB Devices

pam_usb provides hardware authentication for Linux using ordinary USB flash drives. It can simplify logins (by not requiring a password) and ease the use of su, or it can add another factor to the login process by requiring the pre-authorized USB drive in addition to the account password.

Installation
This guide uses the latest unstable version of pam_usb, 0.4.2. The 0.4.* versions of pam_usb are masked by the ~* keyword, so you must unmask it before emerging the package.

Adding USB Devices
Connect your USB stick to the PC and type:

Then follow the instructions:

Please select the device you wish to add.
 * Using " USB Flash Memory (0930_USB_Flash_Memory_07652723938-0:0)" (only option)

Which volume would you like to use for storing data ?
 * Using "/dev/sdc1 (UUID: e5ff07ac-a517-4dae-9468-d9d0b309ee62)" (only option)

Name           : MyDevice
Vendor         : Unknown
Model          : USB Flash Memory
Serial         : 0930_USB_Flash_Memory_07652723938-0:0
UUID           : e5ff07ac-a517-4dae-9468-d9d0b309ee62

Save to /etc/pamusb.conf ? [Y/n] y
Done.

You need to perform this step for every device you want to use for authentication.

Adding Users
After adding devices, add the user information. The users should also be added to the plugdev group so that the USB device can be mounted. If you have added more than one device, you can select which one a user should use here. Be sure to associate only one device per user; multiple users can share the same device.

Follow the instructions:

Which device would you like to use for authentication ?
 * Using "MyDevice" (only option)

User           : michael_d
Device         : MyDevice

Save to /etc/pamusb.conf ? [Y/n] y
Done.

If you associate a user with two devices, neither of them will work. If this happens, edit /etc/pamusb.conf and remove all but one of the identical user sections. Bear in mind that if a USB device associated with the root account is lost, whoever finds it can use it to gain access to the system until the device is disabled.
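A check for the pitfalls just described (a user with duplicate sections, a device name that is not defined, and a device bound to root), written as an added example that is not part of pam_usb. The XML layout of /etc/pamusb.conf is assumed from the 0.4.x format, and the configuration below is constructed for the demonstration:

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the pam_usb 0.4.x /etc/pamusb.conf layout (assumed:
# <devices><device id=...> and <users><user id=...><device>NAME</device>).
# It contains the two mistakes described above plus a device bound to root.
SAMPLE_CONF = """<configuration>
  <devices>
    <device id="MyDevice">
      <serial>0930_USB_Flash_Memory_07652723938-0:0</serial>
      <volume_uuid>e5ff07ac-a517-4dae-9468-d9d0b309ee62</volume_uuid>
    </device>
  </devices>
  <users>
    <user id="michael_d"><device>MyDevice</device></user>
    <user id="michael_d"><device>MyDevice</device></user>
    <user id="root"><device>MyDevice</device></user>
    <user id="guest"><device>OldStick</device></user>
  </users>
</configuration>
"""


def check_pamusb_conf(xml_text):
    """Return sorted (user, problem) pairs for a pamusb.conf document.

    duplicate_user_section: more than one <user> section for the same id,
        so pam_usb will authenticate that user with neither device.
    undefined_device: the <device> name is not in the <devices> block.
    root_device: root is bound to a removable token; a lost stick grants
        root to whoever finds it until this section is removed.
    """
    root = ET.fromstring(xml_text)
    known = {d.get("id") for d in root.findall("./devices/device")}
    users = root.findall("./users/user")
    counts = Counter(u.get("id") for u in users)

    problems = set()
    for u in users:
        name = u.get("id")
        if counts[name] > 1:
            problems.add((name, "duplicate_user_section"))
        if any(d.text not in known for d in u.findall("device")):
            problems.add((name, "undefined_device"))
        if name == "root":
            problems.add((name, "root_device"))
    return sorted(problems)


for user, problem in check_pamusb_conf(SAMPLE_CONF):
    print(f"{user}: {problem}")
```

Run it against the real file with `check_pamusb_conf(open("/etc/pamusb.conf").read())`; an empty list means none of the three conditions was found.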

PAM configuration
Now you can use pam_usb for authentication through PAM. Here is an example for su.

Now the user can switch to the root account without a password if the appropriate device is connected.

To enable passwordless system logins, add the following line to the beginning of /etc/pam.d/system-auth:

Most programs that request the account password and use PAM for authentication, for example su or a login via the console or GDM/KDM, will then allow access using only the USB device, usually after pressing return once or twice.

Additional Security
If you want to use pam_usb to make system logins more secure, by requiring both a correct USB device and the account password:

 1) Add the required devices as above.
 2) Add the user information as above.
 3) Add the following line to /etc/pam.d/system-auth:

The system will now require the USB device associated with the user's account to be present whenever a password is required.

Success
If all goes well, using pam_usb to su to another user should be fairly easy:

guest@maxdata ~ $ su - jonathan
 * pam_usb v0.4.2
 * Authentication request for user "jonathan" (su)
 * Device "512MbPendrive" is connected (good).
 * Performing one time pad verification...
 * Access granted.
jonathan@maxdata ~ $

If the USB device is missing, you will be prompted for the account password instead:

guest@maxdata ~ $ su - jonathan
 * pam_usb v0.4.2
 * Authentication request for user "jonathan" (su)
 * Device "512MbPendrive" is not connected.
 * Access denied.
Password:
jonathan@maxdata ~ $