Security/PamUsb/GettingStarted: difference between revisions

From TartareFR
Revision as of 13 December 2012, 14:19

Getting Started

Once pam_usb is installed, setting it up requires the following steps:

  1. Set up devices and users
  2. Configuring PAM for system authentication
  3. (Optional) Configuring pamusb-agent to run programs when the device is inserted or removed

Setting up Devices and Users

Once you've connected your USB device to the computer, use pamusb-conf to add it to the configuration file:

# pamusb-conf --add-device MyDevice
Please select the device you wish to add.
* Using "SanDisk Corp. Cruzer Titanium (SNDKXXXXXXXXXXXXXXXX)" (only option)
Which volume would you like to use for storing data ?
* Using "/dev/sda1 (UUID: <6F6B-42FC>)" (only option)
Name            : MyDevice
Vendor          : SanDisk Corp.
Model           : Cruzer Titanium
Serial          : SNDKXXXXXXXXXXXXXXXX
Volume UUID     : 6F6B-42FC (/dev/sda1)
Save to /etc/pamusb.conf ?
[Y/n] y
Done.
Note (Device Name): MyDevice can be any arbitrary name you'd like. You can also add as many devices as you want.

Next, configure users you want to be able to authenticate with pam_usb:

# pamusb-conf --add-user root      
Which device would you like to use for authentication ?
* Using "MyDevice" (only option)
User            : root
Device          : MyDevice
Save to /etc/pamusb.conf ?
[Y/n] y
Done.

Check the configuration

You can run pamusb-check at any time to check that everything is working correctly. This tool simulates an authentication request (it requires your device to be connected, otherwise it will fail).

# pamusb-check root
* Authentication request for user "root" (pamusb-check)
* Device "MyDevice" is connected (good).
* Performing one time pad verification...
* Verification match, updating one time pads...
* Access granted.

Setting up the PAM module

To add pam_usb to the system authentication process, we need to edit /etc/pam.d/common-auth.

Note: If you are using Red Hat or Fedora, this file can be known as /etc/pam/system-auth.

Your default PAM common-auth configuration should include the following line:

auth    required        pam_unix.so nullok_secure

This is the usual default, which authenticates a user by password only.

Alter your /etc/pam.d/common-auth configuration to:

auth    sufficient      pam_usb.so
auth    required        pam_unix.so nullok_secure

The sufficient keyword means that if pam_usb allows the authentication, then no password will be asked. If the pam_usb authentication fails, then the default password-based authentication will be used as fallback.

If you change it to required, it means that *both* the USB flash drive and the password will be required to grant access to the system.
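Because the control keyword decides whether the USB device bypasses or supplements the password, it is worth inspecting the stack rather than trusting memory. The POSIX shell function below is an added example, not part of pam_usb or of this wiki; it needs only awk and classifies a PAM auth stack by how pam_usb.so is wired in, also flagging the case where a required pam_unix.so line precedes a sufficient pam_usb.so line, since in PAM a later sufficient module cannot rescue an earlier required failure and the device then never changes the outcome.

```shell
#!/bin/sh
# Added example, not from the pam_usb project: report how pam_usb.so is wired
# into a PAM "auth" stack. Reads the file given as $1 (default: stdin) and
# prints one word:
#   usb-or-password  - pam_usb.so is "sufficient": the device alone unlocks
#   usb-and-password - pam_usb.so is "required"/"requisite": device AND password
#   password-only    - a required pam_unix.so precedes a sufficient pam_usb.so,
#                      so the device never changes the outcome
#   absent           - no pam_usb.so auth line at all
pam_usb_mode() {
    prog='
    /^[[:space:]]*#/ || NF < 3 { next }   # skip comments, blanks, short lines
    $1 != "auth" { next }                 # only the auth stack is of interest
    {
        # Control may be bracketed and contain spaces: [success=1 default=ignore]
        if ($2 ~ /^\[/) {
            i = 2; while (i <= NF && $i !~ /]$/) i++
            ctrl = "bracketed"; mod = $(i + 1)
        } else { ctrl = $2; mod = $3 }
    }
    mod ~ /pam_unix\.so/ && usb == "" && (ctrl == "required" || ctrl == "requisite") { unix_first = 1 }
    mod ~ /pam_usb\.so/ && usb == "" { usb = ctrl }   # first pam_usb.so line wins
    END {
        if (usb == "")                                    print "absent"
        else if (usb == "sufficient" && unix_first)       print "password-only"
        else if (usb == "sufficient")                     print "usb-or-password"
        else if (usb == "required" || usb == "requisite") print "usb-and-password"
        else                                              print "unknown-control:" usb
    }'
    awk "$prog" "${1:-/dev/stdin}"
}

# When run as a script, classify the file named on the command line, e.g.
#   sh pam_usb_mode.sh /etc/pam.d/common-auth
if [ -n "${1:-}" ]; then pam_usb_mode "$1"; fi
```

Running it against the two configurations shown above yields usb-or-password for the sufficient variant and usb-and-password for the required one.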

At this point, you should be able to authenticate with the relevant USB device plugged in.

scox $ su
* pam_usb v.SVN
* Authentication request for user "root" (su)
* Device "MyDevice" is connected (good).
* Performing one time pad verification...
* Verification match, updating one time pads...
* Access granted.

Agent

The pam_usb agent (pamusb-agent) allows you to automatically execute commands upon locking and unlocking events. Those events are generated when you insert or remove your authentication device. To configure the commands, you have to edit pam_usb's configuration file (/etc/pamusb.conf) and add agent entries into your user section.

For instance, you could automatically start your screensaver as soon as you remove the device, and deactivate it when you plug the device back.

GNOME (gnome-screensaver):

<user id="scox">
  <device>MyDevice</device>
  <agent event="lock">gnome-screensaver-command --lock</agent>
  <agent event="unlock">gnome-screensaver-command --deactivate</agent>
</user>

KDE (kscreensaver):

<user id="scox">
  <device>MyDevice</device>
  <agent event="lock">dcop kdesktop KScreensaverIface lock</agent>
  <agent event="unlock">dcop kdesktop KScreensaverIface quit</agent>
</user>

You can execute more commands by adding extra <agent> entries.

$ pamusb-agent
pamusb-agent[18329]: pamusb-agent up and running.
pamusb-agent[18329]: Watching device "MyDevice" for user "scox"
pamusb-agent[18329]: Device "MyDevice" has been removed, locking down user "scox"...
pamusb-agent[18329]: Running "gnome-screensaver-command --lock"
pamusb-agent[18329]: Locked.
pamusb-agent[18329]: Device "MyDevice" has been inserted. Performing verification...
pamusb-agent[18329]: Executing "/usr/bin/pamusb-check --quiet --config=/etc/pamusb.conf --service=pamusb-agent scox"
pamusb-agent[18329]: Authentication succeeded. Unlocking user "scox"...
pamusb-agent[18329]: Running "gnome-screensaver-command --deactivate"
pamusb-agent[18329]: Unlocked.

Depending on your desktop environment, you have to add pamusb-agent to the list of autostarted applications so it will be started automatically.

GNOME:

  1. Open System -> Preferences -> Sessions
  2. Select Startup Programs and press Add
  3. Enter pamusb-agent and press OK
  4. Press Close

KDE:

  1. $ cd ~/.kde/Autostart
  2. $ ln -s /usr/bin/pamusb-agent pamusb-agent

Fine Tuning

There are many more options available to configure pam_usb.

Check out the Configuration File.