Page 1 of 4 123 ... LastLast
Results 1 to 10 of 37

Thread: HOWTO: pam_usb login with USB memory stick

  1. #1
    Join Date
    Mar 2005
    Beans
    4

    Post HOWTO: pam_usb login with USB memory stick

    Howto : pam_usb login with USB memory stick
    =================================

    Introduction

    This relates to a project of mine, a Single Sign On solution using a usb-memory stick. An advantage is when you have too many passwords to remember, SSO brings this back to one password and one point where you have to login and then use these credentials to access all your applications and resources. For example your webmail, forums etc.

    Goals:

    • Login locally with your usb memory stick on the console (this howto)
    • Login locally with your usb memory stick on XDM,GDM,KDM
    • The possibility to remotely login (via ssh) with the the usb memory stick
    • A layer build on top of the linux login process (locally/remote) which handles the authenication between the the usb memory stick and the keyserver/ Certificate Authority


    Comments are welcome

    PAM_USB

    1. Get pam_usb from the website http://www.pamusb.org/ latest version is 0.3.2

    2. Get all the packages needed by pam_usb, it depends on what you have installed already, but I needed:

    • libncurses5-dev
    • libreadline4-dev


    3. Unpack and install the source, do a:

    Code:
    tar xvzf pam_usb-0.3.2.tar.gz
    ./configure
    make
    make install
    4. Read the Quickstart and Options files on http://www.pamusb.org/

    5. Make the keys on the usb memory stick, as described in the Quickstart. I made one for root and one for my normal user account. I used a DSA keypair of 4096 bits

    Code:
    usbadm keygen [/path/to/mounted/usbmemorystick] [username] [bits]
    Check if the keys are made correctly. They are in the .auth directory on the usb memory stick.

    Simply by issueing a command like
    Code:
    more .auth/[username].[hostname]
    If it spits out all kind of DSA code gibberish, the key is ok.

    6. BACKUP all the /etc/pam.d files somewhere, in case something goes wrong.

    7. Edit /etc/pam.d/login. I added the following line (copy-pasted it from some gentoow forum). Check whether your filesystem is vfat, otherwise replace fs= with your filesystem, e.g reiserfs or ext3 or whatever.

    Code:
    auth       required   pam_usb.so fs=vfat check_device=-1 check_if_mounted=-1 force_device=/dev/sda log_file=/var/log/pam_usb.log
    8. Make the logfile (for debugging purposes)

    make a empty file:
    Code:
    vi /var/log/pam_usb.log
    save & exit.

    My /etc/pam.d/login file:
    Code:
    #
    # The PAM configuration file for the Shadow `login' service
    #
    # NOTE: If you use a session module (such as kerberos or NIS+)
    # that retains persistent credentials (like key caches, etc), you
    # need to enable the `CLOSE_SESSIONS' option in /etc/login.defs
    # in order for login to stay around until after logout to call
    # pam_close_session() and cleanup.
    #
    
    # Outputs an issue file prior to each login prompt (Replaces the
    # ISSUE_FILE option from login.defs). Uncomment for use
    # auth       required   pam_issue.so issue=/etc/issue
    
    # Disallows root logins except on tty's listed in /etc/securetty
    # (Replaces the `CONSOLE' setting from login.defs)
    #auth       requisite  pam_securetty.so
    
    # Disallows other than root logins when /etc/nologin exists
    # (Replaces the `NOLOGINS_FILE' option from login.defs)
    #auth       requisite  pam_nologin.so
    
    # This module parses /etc/environment (the standard for setting
    # environ vars) and also allows you to use an extended config
    # file /etc/security/pam_env.conf.
    # (Replaces the `ENVIRON_FILE' setting from login.defs)
    auth       required   pam_env.so
    
    auth       required   pam_usb.so fs=vfat check_device=-1 check_if_mounted=-1 force_device=/dev/sda log_file=/var/log/pam_usb.log
    
    # Standard Un*x authentication. The "nullok" line allows passwordless
    # accounts.
    @include common-auth
    
    # This allows certain extra groups to be granted to a user
    # based on things like time of day, tty, service, and user.
    # Please uncomment and edit /etc/security/group.conf if you
    # wish to use this.
    # (Replaces the `CONSOLE_GROUPS' option in login.defs)
    # auth       optional   pam_group.so
    
    # Uncomment and edit /etc/security/time.conf if you need to set
    # time restrainst on logins.
    # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
    # as well as /etc/porttime)
    account    requisite  pam_time.so
    
    # Uncomment and edit /etc/security/access.conf if you need to
    # set access limits.
    # (Replaces /etc/login.access file)
    account  required       pam_access.so
    
    # Standard Un*x account and session
    #@include common-account
    @include common-session
    
    # Sets up user limits, please uncomment and read /etc/security/limits.conf
    # to enable this functionality.
    # (Replaces the use of /etc/limits in old login)
    # session    required   pam_limits.so
    
    # Prints the last login info upon succesful login
    # (Replaces the `LASTLOG_ENAB' option from login.defs)
    #session    optional   pam_lastlog.so
    
    # Prints the motd upon succesful login
    # (Replaces the `MOTD_FILE' option in login.defs)
    #session    optional   pam_motd.so
    
    # Prints the status of the user's mailbox upon succesful login
    # (Replaces the `MAIL_CHECK_ENAB' option from login.defs). You
    # can also enable a MAIL environment variable from here, but it
    # is better handled by /etc/login.defs, since userdel also uses
    # it to make sure that removing a user, also removes their mail
    # spool file.
    #session    optional   pam_mail.so standard noenv
    @include common-password
    9. Test stuff
    Depending on how you set the mode on pam_usb, play a little around with it. There are 3 modes according to the Quickstart:

    1. Unique

    auth required pam_usb.so

    2. Alternative

    auth sufficient pam_usb.so

    3. Additional

    auth required pam_usb.so

    I found out that in Additional mode you cannot login if the usb memory stick isn't there (doh') and that you _can_ login if the stick is present.

    8. If things go wrong

    Well, I if you stare at the screen at errors like this:
    Code:
    Authentication token is no longer valid; new one required.
    and you locked yourself out because you didn't leave a root terminal open

    *don't panic*

    There are a couple of things you can do:

    1. blame someone else
    2. reboot into single user mode.I have GRUB installed as bootmanager so in the GRUB menu upon boot I edited the line starting the kernel and added the word "single" to it. Now your system will boot in single-user mode and you can login and repair the damage.

    // end
    Last edited by weazle; March 7th, 2005 at 12:05 PM.

  2. #2
    Join Date
    Mar 2005
    Location
    Prince George, BC
    Beans
    20

    Re: HOWTO: pam_usb login with USB memory stick

    Other packages needed on a fresh ubuntu install:
    GCC (Obviously)
    libssl-dev
    libpam0g-dev

  3. #3
    Join Date
    May 2005
    Beans
    67

    Re: HOWTO: pam_usb login with USB memory stick

    I've been trying to install....installed everything mentioned so far....getting the following:

    make all -C src
    make[1]: Entering directory `/home/temp/pam_usb-0.3.2/src'
    gcc -c -Wall -O2 -fPIC -o auth.o auth.c
    In file included from auth.c:23:
    dsa.h:4:26: openssl/rand.h: No such file or directory
    dsa.h:5:25: openssl/pem.h: No such file or directory
    dsa.h:6:24: openssl/bn.h: No such file or directory
    dsa.h:7:25: openssl/dsa.h: No such file or directory
    In file included from auth.c:23:
    dsa.h:9: error: syntax error before '*' token
    dsa.h:9: warning: type defaults to `int' in declaration of `import_public_key'
    dsa.h:9: warning: data definition has no type or storage class
    dsa.h:10: error: syntax error before '*' token
    dsa.h:10: warning: type defaults to `int' in declaration of `import_private_key'
    dsa.h:10: warning: data definition has no type or storage class
    dsa.h:11: error: syntax error before '*' token
    auth.c: In function `authenticate':
    auth.c:182: error: `DSA' undeclared (first use in this function)
    auth.c:182: error: (Each undeclared identifier is reported only once
    auth.c:182: error: for each function it appears in.)
    auth.c:182: error: `private' undeclared (first use in this function)
    auth.c:183: error: `public' undeclared (first use in this function)
    auth.c:214: warning: implicit declaration of function `DSA_free'
    make[1]: *** [auth.o] Error 1
    make[1]: Leaving directory `/home/temp/pam_usb-0.3.2/src'
    make: *** [pam_usb] Error 2

    This is a bit above my head right now...can anyone point me in the direction to help me solve this?

  4. #4
    Join Date
    Oct 2005
    Beans
    3

    Re: HOWTO: pam_usb login with USB memory stick

    As the previous posts explianed you need the following packages installed

    libncurses5-dev
    libreadline4-dev
    libssl-dev
    libpam0g-dev

    The lines

    dsa.h:4:26: openssl/rand.h: No such file or directory
    dsa.h:5:25: openssl/pem.h: No such file or directory
    dsa.h:6:24: openssl/bn.h: No such file or directory
    dsa.h:7:25: openssl/dsa.h: No such file or directory

    Are complaining that libssl-dev is not installed!

  5. #5
    Join Date
    May 2005
    Location
    Cairns, Australia
    Beans
    357
    Distro
    Edgy Eft Testing

    Re: HOWTO: pam_usb login with USB memory stick

    Can someone help me please?

    I have installed pam_usb (0.3.3) in exactly the same way that you mention. I have generated the key, and checked it is there. I have exactly the same login file as you. Whether the USB stick is in or not, when I boot my computer and it gets to the Gnome login, I am still prompted for my details. I type in my username, followed by my password, and then it logs me in.

    Am I missing something? It's as if I haven't done anything at all to my system - it just behaves as normal - whether the USB stick is in my computer or not.

    Should I type something in place of my login name to activate the pam_usb?

    I would appreciate any help.

    Andy

    [edit]I've just made a key for root. Typing sudo su takes me straight to root without needing a password. So it is obviously working on the terminal side of things. So can someone please explain how I get it to work with the GUI password bits?[/edit]

    UPDATE...

    Sorry to keep with the questions!

    I have the line:
    Code:
    auth       required   pam_usb.so fs=vfat check_device=-1 check_if_mounted=-1 force_device=/dev/sda log_file=/var/log/pam_usb.log
    As per this howto. Unless I'm mistaken, using the 'required' option would mean one of two things. Both of which would require my USB stick to be mounted. Either typing sudo su would just let me straight in using the USB key, or I would get prompted for a password AND I would have to have the key mounted.

    So how come, if I reboot without the USB stick in my PC, and type sudo su, I am prompted for my password, and after giving it all is fine? Should it not check to make sure that my key is correct too?

    Andy
    Last edited by andrewsawyer; November 17th, 2005 at 02:23 AM.

  6. #6
    Join Date
    Mar 2006
    Beans
    20

    Re: HOWTO: pam_usb login with USB memory stick

    I got su and sudo su - to work with pam_usb. But not GDM. Odd. The result is the same for me even on Fedora Core 3, using pam_usb 0.3.3.

  7. #7
    Join Date
    Mar 2006
    Beans
    20

    Re: HOWTO: pam_usb login with USB memory stick

    Added allow_remote to the system-auth in Fedora and common-auth in Ubuntu and now it works for GDM. Hooray!

    ... but xscreensaver refused to work ... why?

  8. #8
    Join Date
    Jul 2005
    Location
    trieste - italy
    Beans
    Hidden!
    Distro
    Ubuntu 8.04 Hardy Heron

    Re: HOWTO: pam_usb login with USB memory stick

    i do not understand the statement above
    Last edited by pek; July 14th, 2006 at 01:14 PM.
    check my wonderful blog -> www.suppah.eu
    i am NOT this guy -> http://pekwm.org

  9. #9
    Join Date
    Feb 2005
    Location
    Lexington, Kentucky
    Beans
    109

    Re: HOWTO: pam_usb login with USB memory stick

    I lost my track on where I found these, so if anyone knows the author of the deb's please give him my KUDOS! I rec'd many compiler errors in dapper with the latest version, and stumbled on these. I've uploaded them to a free file sharing site so that others can enjoy the dbl click install goodness.

    http://www.4shared.com/file/2511990/...033-1_all.html

    http://www.4shared.com/file/2511986/...33-1_i386.html

    Enjoy!

    fish

  10. #10
    Join Date
    Apr 2006
    Beans
    Hidden!

    Re: HOWTO: pam_usb login with USB memory stick

    Same thing for me, I could make login work with pam_usb 0.3.3 but not gdm.

    I activated logging to a file :
    auth sufficient pam_usb.so log_file=/var/log/pam_usb.log

    both in /etc/pam.d/login and in /etc/pam.d/gdm

    When I log with login, I type my username and it immediately logs me in. This generates some messages in the log file.

    With gdm, I still get the password request, and nothing is writtent to the log file.

    I believe that the ordering of the options is significant.

    My /etc/pam.d/gdm file :

    #%PAM-1.0

    auth required pam_env.so

    # pam usb
    auth sufficient pam_usb.so log_file=/var/log/pam_usb.log

    auth requisite pam_nologin.so
    @include common-auth
    @include common-account
    session required pam_limits.so
    @include common-session
    @include common-password

Page 1 of 4 123 ... LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •