Introduction

PAM USB is a module that allows the authentication of a user by inserting a token (a USB stick), in which a one-time password is stored.

Installation

# apt-get install libpam-usb pamusb-common

libpam-usb provides the module PAM USB, and pamusb-common, that is a dependency of libpam-usb, provides the tools to set it up.

Configuration of PAM USB

There is just one configuration file (/etc/pamusb.conf), and pamusb-conf is the recommended tool to add devices and users to this file.

Add devices

Insert a USB stick you want to use as a token for the authentication, and assign it a unique name:

# pamusb-conf --add-device="NAME"

Add users

Add every user that should be able to authenticate using a token:

# pamusb-conf --add-user="USER_NAME"

and assign each user a USB stick.

Note that if the authentication through the token is required (profiles: Additional Mode, Unique Mode) and not just sufficient (profile: Alternative Mode, the default), every user should be added to a token, otherwise he/she will not be able to access the system anymore.

In such situations you can bypass this module rebooting the system in single-user mode.

Profiles for the Authentication

The default profile, corresponding to the Alternative Mode, is located in /usr/share/pam-configs/usb. If this file does not exist or you want another profile, you have to create/edit it.

Alternative Mode

Users can authenticate either with their password or by inserting their USB stick.

Name: USB authentication
Default: yes
Priority: 257
Auth-Type: Primary
Auth:
    sufficient      pam_usb.so

It is the default configuration.

Additional Mode

Users must authenticate both with their password and by inserting their USB stick. If a user has not been added to a token, his/her authentication will always fail.

Name: USB authentication
Default: yes
Priority: 257
Auth-Type: Primary
Auth:
    required      pam_usb.so

Unique Mode

Users must authenticate by inserting their USB stick. If a user has not been added to a token, his/her authentication will always fail.

Name: USB authentication
Default: yes
Priority: 511
Auth-Type: Primary
Auth:
    [success=done default=die]    pam_usb.so

Note that its priority (511) is higher, to assure that this policy is executed before the others (which will be ignored).

Enable or disable the profile for PAM USB

The profiles /etc/pam.d/common-* can be updated by executing:

# pam-auth-update

and selecting/deselecting the checkbox for the USB authentication (the name assigned in the profile /usr/share/pam-configs/usb).

Test the authentication through PAM USB

It is recommended, especially if you have set up either the Additional Mode or the Unique Mode, to simulate the authentication of the module PAM USB for every user.

After having inserting the USB stick assigned to USER_NAME, write:

# pamusb-check USER_NAME && echo Ok || echo FAILED

So if the test fails, you can still disable the profile of PAM USB with pam-auth-update.

Uninstall

# apt-get remove libpam-usb pamusb-common

To delete also the configuration files:

# apt-get purge libpam-usb pamusb-common

and you have to remove the directory .pamusb in the home of each user added to the module.


CategorySystemSecurity