Thread: HOWTO: pam_usb login with USB memory stick

    Join Date
    Mar 2005

    Howto : pam_usb login with USB memory stick


    This relates to a project of mine, a Single Sign On solution using a USB memory stick. An advantage is that when you have too many passwords to remember, SSO brings this back to one password and one point where you have to log in, and then uses these credentials to access all your applications and resources, for example your webmail, forums etc.


    • Login locally with your USB memory stick on the console (this howto)
    • Login locally with your USB memory stick on XDM, GDM, KDM
    • The possibility to remotely log in (via ssh) with the USB memory stick
    • A layer built on top of the Linux login process (local/remote) which handles the authentication between the USB memory stick and the keyserver / Certificate Authority

    Comments are welcome


    1. Get pam_usb from the website latest version is 0.3.2

    2. Get all the packages needed by pam_usb, it depends on what you have installed already, but I needed:

    • libncurses5-dev
    • libreadline4-dev

    3. Unpack and install the source, do a:

    tar xvzf pam_usb-0.3.2.tar.gz
    cd pam_usb-0.3.2
    make install
    4. Read the Quickstart and Options files on

    5. Make the keys on the usb memory stick, as described in the Quickstart. I made one for root and one for my normal user account. I used a DSA keypair of 4096 bits

    usbadm keygen [/path/to/mounted/usbmemorystick] [username] [bits]
    Check if the keys are made correctly. They are in the .auth directory on the usb memory stick.

    Simply by issueing a command like
    more .auth/[username].[hostname]
    If it spits out all kind of DSA code gibberish, the key is ok.

    6. BACKUP all the /etc/pam.d files somewhere, in case something goes wrong.

    7. Edit /etc/pam.d/login. I added the following line (copy-pasted it from some gentoo forum). Check whether your filesystem is vfat, otherwise replace fs= with your filesystem, e.g. reiserfs or ext3 or whatever.

    auth       required   pam_usb.so fs=vfat check_device=-1 check_if_mounted=-1 force_device=/dev/sda log_file=/var/log/pam_usb.log
    8. Make the logfile (for debugging purposes)

    make an empty file:
    vi /var/log/pam_usb.log
    save & exit.

    My /etc/pam.d/login file:

    # The PAM configuration file for the Shadow `login' service
    # NOTE: If you use a session module (such as kerberos or NIS+)
    # that retains persistent credentials (like key caches, etc), you
    # need to enable the `CLOSE_SESSIONS' option in /etc/login.defs
    # in order for login to stay around until after logout to call
    # pam_close_session() and cleanup.
    # Outputs an issue file prior to each login prompt (Replaces the
    # ISSUE_FILE option from login.defs). Uncomment for use
    # auth       required   pam_issue.so issue=/etc/issue
    # Disallows root logins except on tty's listed in /etc/securetty
    # (Replaces the `CONSOLE' setting from login.defs)
    #auth       requisite  pam_securetty.so
    # Disallows other than root logins when /etc/nologin exists
    # (Replaces the `NOLOGINS_FILE' option from login.defs)
    #auth       requisite  pam_nologin.so
    # This module parses /etc/environment (the standard for setting
    # environ vars) and also allows you to use an extended config
    # file /etc/security/pam_env.conf.
    # (Replaces the `ENVIRON_FILE' setting from login.defs)
    auth       required   pam_env.so
    auth       required   pam_usb.so fs=vfat check_device=-1 check_if_mounted=-1 force_device=/dev/sda log_file=/var/log/pam_usb.log
    # Standard Un*x authentication. The "nullok" line allows passwordless
    # accounts.
    @include common-auth
    # This allows certain extra groups to be granted to a user
    # based on things like time of day, tty, service, and user.
    # Please uncomment and edit /etc/security/group.conf if you
    # wish to use this.
    # (Replaces the `CONSOLE_GROUPS' option in login.defs)
    # auth       optional   pam_group.so
    # Uncomment and edit /etc/security/time.conf if you need to set
    # time restraints on logins.
    # (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
    # as well as /etc/porttime)
    account    requisite  pam_time.so
    # Uncomment and edit /etc/security/access.conf if you need to
    # set access limits.
    # (Replaces /etc/login.access file)
    account    required   pam_access.so
    # Standard Un*x account and session
    #@include common-account
    @include common-session
    # Sets up user limits, please uncomment and read /etc/security/limits.conf
    # to enable this functionality.
    # (Replaces the use of /etc/limits in old login)
    # session    required   pam_limits.so
    # Prints the last login info upon successful login
    # (Replaces the `LASTLOG_ENAB' option from login.defs)
    #session    optional   pam_lastlog.so
    # Prints the motd upon successful login
    # (Replaces the `MOTD_FILE' option in login.defs)
    #session    optional   pam_motd.so
    # Prints the status of the user's mailbox upon successful login
    # (Replaces the `MAIL_CHECK_ENAB' option from login.defs). You
    # can also enable a MAIL environment variable from here, but it
    # is better handled by /etc/login.defs, since userdel also uses
    # it to make sure that removing a user, also removes their mail
    # spool file.
    #session    optional   pam_mail.so standard noenv
    @include common-password
    9. Test stuff

    Depending on how you set the mode on pam_usb, play around with it a little. There are 3 modes according to the Quickstart:

    1. Unique

    auth required pam_usb.so

    2. Alternative

    auth sufficient pam_usb.so

    3. Additional

    auth required pam_usb.so

    I found out that in Additional mode you cannot login if the usb memory stick isn't there (doh') and that you _can_ login if the stick is present.

    10. If things go wrong

    Well, if you stare at the screen at errors like this:
    Authentication token is no longer valid; new one required.
    and you locked yourself out because you didn't leave a root terminal open

    *don't panic*

    There are a couple of things you can do:

    1. blame someone else
    2. reboot into single user mode. I have GRUB installed as boot manager, so in the GRUB menu upon boot I edited the line starting the kernel and added the word "single" to it. Now your system will boot in single-user mode and you can log in and repair the damage.

    // end
    Last edited by weazle; March 7th, 2005 at 12:05 PM.
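Added example, not part of weazle's post or of the pam_usb project: a small POSIX shell/awk checker that reads a PAM service file such as /etc/pam.d/login and reports which of the three Quickstart modes (Unique, Alternative, Additional) the auth stack is in, so you can see before logging out whether a missing stick will lock you out (the situation step 10 describes). It assumes the stack uses pam_usb.so and either pam_unix.so or the Debian "@include common-auth" line for the password check; the sample file it writes is constructed for the demo and is not the author's real configuration.

```sh
#!/bin/sh
# Classify the pam_usb mode of a PAM service file (added example, not from the post).
# Only the "auth" stack matters for this; comments and blank lines are ignored.

# pam_auth_mode FILE -> prints one of: none | unique | alternative | additional
pam_auth_mode() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # skip comments / blank lines
        $1 == "auth" && $3 ~ /pam_usb\.so/   { usb = $2 }      # remember the control word
        $1 == "auth" && $3 ~ /pam_unix\.so/  { pw = 1 }        # explicit password module
        $1 == "@include" && $2 == "common-auth" { pw = 1 }     # Debian-style password stack
        END {
            if (usb == "")               print "none"        # pam_usb not in the auth stack
            else if (!pw)                print "unique"      # stick is the only credential
            else if (usb == "sufficient") print "alternative" # stick OR password
            else                         print "additional"  # stick AND password
        }
    ' "$1"
}

# locks_out_without_stick FILE -> true (exit 0) when the stick must be present to log in
locks_out_without_stick() {
    case "$(pam_auth_mode "$1")" in
        unique|additional) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample mirroring the auth lines from the post (not the real /etc/pam.d/login)
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth       required   pam_env.so
auth       required   pam_usb.so fs=vfat check_device=-1 check_if_mounted=-1 force_device=/dev/sda log_file=/var/log/pam_usb.log
@include common-auth
EOF

echo "mode: $(pam_auth_mode "$sample")"
if locks_out_without_stick "$sample"; then
    echo "a missing stick blocks login: keep a root shell open while testing (see step 10)"
fi
rm -f "$sample"
```

Run it against a copy of your own file with `pam_auth_mode /etc/pam.d/login` before you close your root terminal; "additional" or "unique" means the backup from step 6 and the single-user recovery from step 10 are your only way back in if the stick or its key is unreadable.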

