Security/PamUsb/ConfigurationFile
Configuration file reference
The configuration file is written in XML and divided into four sections:
- Default options, shared by all devices, users and services
- Devices declaration and settings
- Users declaration and settings
- Services declaration and settings
The syntax is the following:
<configuration>
<defaults>
<!-- default options -->
</defaults>
<devices>
<!-- devices definitions -->
</devices>
<users>
<!-- users definitions -->
</users>
<services>
<!-- services definitions -->
</services>
</configuration>
Options
Every option may be set in <defaults> and then overridden inside a specific <device>, <user> or <service> element, as the example below shows.
| Name | Type | Default | Description |
|---|---|---|---|
| enable | Boolean | true | Enable pam_usb |
| debug | Boolean | false | Enable debug messages |
| quiet | Boolean | false | Quiet mode |
| color_log | Boolean | true | Enable colored output |
| one_time_pad | Boolean | true | Enable the use of one time pads |
| deny_remote | Boolean | true | Deny access from remote host (ssh) |
| probe_timeout | Time | 10s | Time to wait for the volume to be detected |
| pad_expiration | Time | 1h | Time between pads regeneration |
| hostname | String | Computer's hostname | Must be unique across computers using the same device |
| system_pad_directory | String | .pamusb | Directory, relative to the user's home, where one time pads are stored on the system |
| device_pad_directory | String | .pamusb | Directory, relative to the device's volume, where one time pads are stored on the device |
Example:
<configuration>
<defaults>
<!-- Disable colored output by default -->
<option name="color_log">false</option>
<!-- Enable debug output -->
<option name="debug">true</option>
</defaults>
<users>
<user id="root">
<!-- Enable colored output for user "root" -->
<option name="color_log">true</option>
</user>
<user id="scox">
<!-- Disable debug output for user "scox" -->
<option name="debug">false</option>
</user>
</users>
<devices>
<device id="mydevice">
<!-- Wait 15 seconds instead of the default 10 seconds for "mydevice" to be detected -->
<option name="probe_timeout">15</option>
</device>
</devices>
<services>
<service id="su">
<!-- Disable pam_usb for "su" ("su" will ask for a password as usual) -->
<option name="enable">false</option>
</service>
</services>
</configuration>
Devices
| Name | Type | Description | Example |
|---|---|---|---|
| id | Attribute | Arbitrary device name | MyDevice |
| vendor | Element | device's vendor name | SanDisk Corp. |
| model | Element | device's model name | Cruzer Titanium |
| serial | Element | serial number of the device | SNDKXXXXXXXXXXXXXXXX |
| volume_uuid | Element | UUID of the device's volume used to store pads | 6F6B-42FC |
Example:
<device id="MyDevice">
<vendor>SanDisk Corp.</vendor>
<model>Cruzer Titanium</model>
<serial>SNDKXXXXXXXXXXXXXXXX</serial>
<volume_uuid>6F6B-42FC</volume_uuid>
</device>
Users
| Name | Type | Description | Example |
|---|---|---|---|
| id | Attribute | Login of the user | root |
| device | Element | id of the device associated with the user | MyDevice |
| agent | Element | Command run by pamusb-agent on the given event (lock or unlock) | gnome-screensaver-command --lock |
Example:
<user id="scox">
<device>MyDevice</device>
<!-- When the user "scox" removes the USB device, lock the screen and pause beep-media-player -->
<agent event="lock">gnome-screensaver-command --lock</agent>
<agent event="lock">beep-media-player --pause</agent>
<!-- Resume operations when the usb device is plugged back and authenticated -->
<agent event="unlock">gnome-screensaver-command --deactivate</agent>
<agent event="unlock">beep-media-player --play</agent>
</user>
Services
| Name | Type | Description | Example |
|---|---|---|---|
| id | Attribute | Name of the service | su |
Example:
<service id="su">
<!--
Here you can put service specific options such as "enable", "debug" etc.
See the options section of this document.
-->
</service>
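As an added example (not part of pam_usb or of this page), the following Python lint checks a pamusb.conf against the four sections described above: it rejects malformed XML such as an unclosed <option> tag, validates option names and value types from the Options table, checks that every <device> referenced by a user is declared in <devices>, and warns when one_time_pad or deny_remote is switched off. The accepted time syntax (bare seconds or a number with an s/m/h suffix), the warning policy, and the sample configurations are assumptions of this example, not documented pam_usb behaviour.

```python
import re
import xml.etree.ElementTree as ET

# Option names and value types taken from the Options table above.
OPTIONS = {
    "enable": "bool", "debug": "bool", "quiet": "bool", "color_log": "bool",
    "one_time_pad": "bool", "deny_remote": "bool",
    "probe_timeout": "time", "pad_expiration": "time",
    "hostname": "str", "system_pad_directory": "str", "device_pad_directory": "str",
}
# Options that default to true and protect the authentication itself; switching
# them off anywhere is reported as a warning (lint policy of this example).
HARDENING = {"one_time_pad", "deny_remote"}
DEVICE_FIELDS = {"vendor", "model", "serial", "volume_uuid"}
AGENT_EVENTS = {"lock", "unlock"}  # the two events shown in the Users section


def _check_option(opt, where, errors, warnings):
    name = opt.get("name")
    value = (opt.text or "").strip()
    kind = OPTIONS.get(name)
    if kind is None:
        errors.append(f"{where}: unknown option {name!r}")
        return
    if kind == "bool" and value not in ("true", "false"):
        errors.append(f"{where}: {name} must be true or false, got {value!r}")
    # Assumed time syntax: bare seconds or a number with an s/m/h suffix ("15", "10s", "1h").
    elif kind == "time" and not re.fullmatch(r"\d+[smh]?", value):
        errors.append(f"{where}: {name} is not a time value: {value!r}")
    if name in HARDENING and value == "false":
        warnings.append(f"{where}: {name} disabled (default is true)")


def lint_pamusb_conf(xml_text):
    """Return {'errors': [...], 'warnings': [...]} for a pamusb.conf document."""
    errors, warnings = [], []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"errors": [f"malformed XML: {exc}"], "warnings": []}
    if root.tag != "configuration":
        errors.append(f"root element is <{root.tag}>, expected <configuration>")

    for opt in root.findall("./defaults/option"):
        _check_option(opt, "defaults", errors, warnings)

    devices = set()
    for dev in root.findall("./devices/device"):
        did = dev.get("id")
        if not did:
            errors.append("device without id attribute")
            continue
        if did in devices:
            errors.append(f"device {did!r} declared twice")
        devices.add(did)
        missing = DEVICE_FIELDS - {child.tag for child in dev}
        if missing:
            warnings.append(f"device {did!r}: missing {sorted(missing)}")
        for opt in dev.findall("option"):
            _check_option(opt, f"device {did!r}", errors, warnings)

    for user in root.findall("./users/user"):
        uid = user.get("id") or "<no id>"
        refs = [d.text.strip() for d in user.findall("device") if d.text]
        if not refs:
            warnings.append(f"user {uid!r}: no <device> element, cannot authenticate with pam_usb")
        for ref in refs:
            if ref not in devices:
                errors.append(f"user {uid!r}: device {ref!r} is not declared in <devices>")
        for agent in user.findall("agent"):
            if agent.get("event") not in AGENT_EVENTS:
                warnings.append(f"user {uid!r}: unexpected agent event {agent.get('event')!r}")
        for opt in user.findall("option"):
            _check_option(opt, f"user {uid!r}", errors, warnings)

    for svc in root.findall("./services/service"):
        sid = svc.get("id")
        if not sid:
            errors.append("service without id attribute")
            continue
        for opt in svc.findall("option"):
            _check_option(opt, f"service {sid!r}", errors, warnings)

    return {"errors": errors, "warnings": warnings}


# Constructed sample configurations (placeholder device data, not a real device).
GOOD_CONF = """<configuration>
<defaults><option name="color_log">false</option></defaults>
<devices><device id="MyDevice"><vendor>SanDisk Corp.</vendor><model>Cruzer Titanium</model>
<serial>SNDKXXXXXXXXXXXXXXXX</serial><volume_uuid>6F6B-42FC</volume_uuid>
<option name="probe_timeout">15</option></device></devices>
<users><user id="scox"><device>MyDevice</device>
<agent event="lock">gnome-screensaver-command --lock</agent></user></users>
<services><service id="su"><option name="enable">false</option></service></services>
</configuration>"""

# An unclosed <option> tag: the XML parser rejects the whole file.
BROKEN_CONF = GOOD_CONF.replace("false</option></service>", "false<option></service>")

# Dangling device reference, misspelled option name, and a weakened default.
WEAK_CONF = """<configuration>
<devices><device id="MyDevice"><serial>SNDKXXXXXXXXXXXXXXXX</serial><volume_uuid>6F6B-42FC</volume_uuid></device></devices>
<users><user id="scox"><device>OtherDevice</device><option name="deny_remote">false</option>
<option name="colour_log">true</option></user></users>
</configuration>"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("broken", BROKEN_CONF), ("weak", WEAK_CONF)):
        print(label, lint_pamusb_conf(conf))
```

Run it against a real file with `lint_pamusb_conf(open("/etc/pamusb.conf").read())`; errors mean pam_usb will not read the file as intended, warnings point at settings that weaken the authentication (or leave a user or device only partially described) and deserve a second look.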
Location of the configuration file
By default, pam_usb.so and its tools look for the configuration file at /etc/pamusb.conf.
To use a different location, pass the -c flag to the module in the PAM stack and to every pam_usb tool.
File /etc/pam.d/common-auth:
auth sufficient pam_usb.so -c /some/other/path.conf
auth required pam_unix.so nullok_secure
With the control value "sufficient", a recognised device alone satisfies authentication and pam_unix is only consulted when pam_usb fails; use "required" instead if the device is meant to be a second factor alongside the password.
The same -c option must be given when calling pam_usb's tools:
pamusb-agent -c /some/other/path.conf