PAM (Pluggable Authentication Module) USB Authentication
In this article we are going to look at setting up a USB device to perform authentication using the pam_usb PAM module. pam_usb provides authentication for Linux using standard USB devices and other types of media (SD, MMC, etc.). We will be using OpenSUSE 10.3 because pam_usb has been developed for the latest version of HAL (hal-0.5.9) and does not work with older versions of HAL.
Installation
In this article we will compile the pam_usb module, which can be downloaded from the pam_usb website [1]. Installing pam_usb requires four dependencies. They are listed in Table 1 and can be installed using the “yast2 sw_single” command.
Dependency | Description |
libxml2-devel | This package includes libraries and files mandatory for development. |
hal-devel | Developer package for HAL (Hardware Abstraction Layer). |
pam-devel | This package includes libraries and files for PAM development. |
dbus-1-python | This package provides python bindings for D-Bus. |
Table 1: “pam_usb” dependencies.
Once you have installed each package listed in Table 1 you can begin the installation of pam_usb. The “pam_usb-0.4.2.tar.gz” archive first needs to be decompressed as shown in Figure 1.
linux-uxp3:/usr/src # tar zvxf pam_usb-0.4.2.tar.gz
Figure 1: Decompressing the “pam_usb” archive.
Once you have decompressed the pam_usb archive you can begin the installation by issuing the “make” command followed by the “make install” command as shown in Figure 1.1.
linux-uxp3:/usr/src/pam_usb-0.4.2 # make && make install && make clean
Figure 1.1: Installing “pam_usb”.
In Figure 1.1 you might be wondering what the double ampersands (&&) and the “make clean” command are for. The double ampersand runs each command only if the previous command was successful, and “make clean” deletes any files that were left behind during the compiling stage.
Configuration
Configuring pam_usb is very simple: plug your USB device into your machine and use the “pamusb-conf” command to add your device to the “pam_usb” configuration file, as shown in Figure 2.
linux-uxp3:~ # pamusb-conf --add-device "Damian Myerscough"
Please select the device you wish to add.
* Using "Kingston DataTraveler II+ (Kingston_DataTraveler_II+_5B770D9200D1-0:0)" (only option)
Which volume would you like to use for storing data ?
* Using "/dev/sdc1 (UUID: 47A8-7EC9)" (only option)
Name : Damian
Vendor : Kingston
Model : DataTraveler II+
Serial : Kingston_DataTraveler_II+_5B770D9200D1-0:0
UUID : 47A8-7EC9
Save to /etc/pamusb.conf ? [Y/n] y
Figure 2: Preparing the USB stick for authentication.
Once you have successfully added your USB device to the pam_usb configuration file you can assign a user to the USB device using the “pamusb-conf --add-user damian” command as shown in Figure 2.1.
linux-uxp3:~ # pamusb-conf --add-user damian
Which device would you like to use for authentication ?
* Using "Damian Myerscough" (only option)
User : damian
Device : Damian Myerscough
Save to /etc/pamusb.conf ? [Y/n] y
Done.
Figure 2.1: Assigning the user to the USB stick.
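Once you have assigned a user to the USB device you will need to edit the “/etc/pam.d/gdm” configuration file to enable the pam_usb module. The directive that you need to add to the “gdm” configuration file is shown in Figure 2.2. With the “sufficient” control flag, and when this line precedes the other auth entries, a successful pam_usb check authenticates the user on its own, without a password; if the check fails, PAM continues with the remaining auth entries.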
auth sufficient pam_usb.so
Figure 2.2: “/etc/pam.d/gdm” configuration file.
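The control flag and position of the pam_usb line decide whether the USB device replaces or supplements the password. The following added example (not code from the original article or from the pam_usb project) classifies the auth stack of a PAM service file; the sample input and the “common-auth” include name are constructed assumptions.

```shell
#!/bin/sh
# Added example (not pam_usb project code): classify how pam_usb.so is wired
# into the auth stack of a PAM service file given as an argument or on stdin.
#
# Results:
#   absent                       no auth entry loads pam_usb.so
#   usb-alone-suffices           device alone logs the user in; if the check
#                                fails PAM falls through to the next entries
#   sufficient-after-other-auth  earlier auth entries are evaluated first
#   usb-mandatory                device is required and the rest still applies
#   other:<flag>                 any other control flag (bracket form included)
pamusb_mode() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        { type = $1; sub(/^-/, "", type) }     # "-auth" is still an auth entry
        type != "auth" { next }
        {
            n++                                # position within the auth stack
            ctl = $2; m = 3                    # m = field holding the module
            if (ctl ~ /^\[/) {                 # [value=action ...] spans fields
                while (m <= NF && $(m - 1) !~ /\]$/) m++
                ctl = "bracket"
            }
            if (!found && $m ~ /pam_usb\.so$/) { found = 1; flag = ctl; pos = n }
        }
        END {
            if (!found) {
                print "absent"
            } else if (flag == "sufficient" && pos == 1) {
                print "usb-alone-suffices"
            } else if (flag == "sufficient") {
                print "sufficient-after-other-auth"
            } else if (flag == "required" || flag == "requisite") {
                print "usb-mandatory"
            } else {
                print "other:" flag
            }
        }
    ' "$@"
}

# Constructed sample: the Figure 2.2 line followed by an assumed include.
printf 'auth sufficient pam_usb.so\nauth include common-auth\n' | pamusb_mode
```

On a configured system, run “pamusb_mode /etc/pam.d/gdm” after editing the file to confirm which of these modes the login screen is actually in.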
Testing
Once you have modified the “/etc/pam.d/gdm” configuration file you can use the “pamusb-check” command to see if your device is capable of being authenticated, as shown in Figure 3.
linux-uxp3:~ # pamusb-check damian
* Authentication request for user "damian" (pamusb-check)
* Device "Damian Myerscough" is connected (good).
* Performing one time pad verification...
* Regenerating new pads...
* Access granted.
Figure 3: Checking “pam_usb” authentication.
Once you have run the “pamusb-check” command and have seen that access is granted, you can log out of your machine and log back in using the USB device.
Final Thoughts
The pam_usb module is an excellent PAM module, as it tightens security and makes it harder for malicious users to attack your account. pam_usb also supports one-time pad passwords, which can be configured to expire after a certain period of time or to change after each login. I would recommend visiting the pam_usb website [1] to find out more.
Comments
It doesn’t seem possible to compile this on SLED 11 R 2. I downloaded the Novell SDK in order to get the libxml2-devel package, but this seems to have broken my login scripts. When I try to run pamusb-conf, I get this error: