PAM (Pluggable Authentication Module) USB Authentication


PAM (Pluggable Authentication Module) USB Authentication

In this article we are going to look at setting up a USB device to perform authentication using the pam_usb PAM module. pam_usb provides authentication for Linux using standard USB devices and other type of media i.e. (SD, MMC, etc). We will be using OpenSUSE 10.3. The reason for this is pam_usb has been developed for the latest version of HAL (hal-0.5.9) thus not being able to work on older versions of HAL.


In this article we will compile the pam_usb module, which can be downloaded from the [1] website. The installation of pam_usb requires four dependent packages. The dependencies are listed in Table 1 and can be installed using the “yast2 sw_single” command.

Dependency Description
libxml2-devel This package includes libraries and files mandatory for development.
hal-devel Developer package for HAL (Hardware Abstraction Layer).
pam-devel This package includes libraries and files for PAM development.
dbus-1-python This package provides python bindings for D-Bus.

Table 1: “pam_usb” dependencies.

Once you have installed each package listed in Table 1 you can begin the installation of pam_usb. The “pam_usb-0.4.2.tar.gz” archive first needs to be decompressed as shown in Figure 1.

linux-uxp3:/usr/src # tar zvxf pam_usb-0.4.2.tar.gz

Figure 1: Decompressing the “pam_usb” archive.

Once you have decompressed the pam_usb archive you can begin the installation by issuing the “make” command followed by the “make install” command as shown in Figure 1.1.

linux-uxp3:/usr/src/pam_usb-0.4.2 # make && make install && make clean

Figure 1.1: Installing “pam_usb”.

In Figure 1.1 you might be wondering what the ampersands (&) are for and also the “make clean” command. The ampersands allow each command to be executed only if the previous command was successful and the “make clean” command deletes any files that were left behind during the compiling stage.


Configuring pam_usb is very simple, simply place your USB device into your machine and use the “pamusb-conf” command to add your device to the “pam_usb” configuration file, as shown in Figure 2.

linux-uxp3:~ # pamusb-conf --add-device "Damian Myerscough"
Please select the device you wish to add.
* Using "Kingston DataTraveler II+ (Kingston_DataTraveler_II+_5B770D9200D1-0:0)" (only option)

Which volume would you like to use for storing data ?
* Using "/dev/sdc1 (UUID: 47A8-7EC9)" (only option)

Name            : Damian
Vendor          : Kingston
Model           : DataTraveler II+
Serial            : Kingston_DataTraveler_II+_5B770D9200D1-0:0
UUID            : 47A8-7EC9

Save to /etc/pamusb.conf ?
[Y/n] y

Figure 2: Preparing the USB stick for authentication.

Once you have successfully added your USB device to the pam_usb configuration file you can assign a user to the USB device using the “pamusb-conf –add-user damian” command as shown in Figure 2.1.

linux-uxp3:~ # pamusb-conf --add-user damian
Which device would you like to use for authentication ?
* Using "Damian Myerscough" (only option)

User              : damian
Device            : Damian Myerscough

Save to /etc/pamusb.conf ?
[Y/n] y

Figure 2.1: Assigning the user to the USB stick.

Once you have assigned a user to the USB device you will need to edit the “/etc/pam.d/gdm” configuration file to enable the pam_usb module. The directives that you need to add to the “gdm” configuration file are shown in Figure 2.2.

auth       sufficient

Figure 2.2: “/etc/pam.d/gdm” configuration file.


Once you have modified the “/etc/pam.d/gdm” configuration file you can use the “pamusb-check” command to see if your device is capable of being authenticated as shown in Figure 3.

Linux-uxp3:~ # pamusb-check damian
* Authentication request for user "damian" (pamusb-check)
* Device "Damian Myerscough" is connected (good).
* Performing one time pad verification...
* Regenerating new pads...
* Access granted.

Figure 3: Checking “pam_usb” authentication.

Once you have run the “pamusb-check” command and have seen that access is granted you can now logout of your machine and log back into your machine using the USB device.

Final Thoughts

The pam_usb module is an excellent PAM module as it tightens security thus making it hard for malicious users to attack your account. The pam_usb also supports one time pad passwords which can be configured to expire after a certain period of time or change after each login. I would recommend visiting the pam_usb website [1] to find out more.



(Visited 1 times, 1 visits today)


  • xlwood says:

    It doesn’t seem possible to compile this on SLED 11 R 2. I downloaded the Novell SDK in order to get the libxml2-devel package, but this seems to have broken my login scripts. When I try to run pamusb-conf, I get this error:

    Traceback (most recent call last):
      File "/usr/bin/pamusb-conf", line 254, in 
      File "/usr/lib/python2.6/site-packages/dbus/", line 244, in get_object
      File "/usr/lib/python2.6/site-packages/dbus/", line 241, in __init__
        self._named_service = conn.activate_name_owner(bus_name)
      File "/usr/lib/python2.6/site-packages/dbus/", line 183, in activate_name_owner
      File "/usr/lib/python2.6/site-packages/dbus/", line 281, in start_service_by_name
        'su', (bus_name, flags)))
      File "/usr/lib/python2.6/site-packages/dbus/", line 622, in call_blocking
        message, timeout)
    dbus.exceptions.DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.UDisks was not provided by any .service files
  • Leave a Reply

    Your email address will not be published.