It was kinda late, and I wanted to do something tonight… something interesting. I was looking at my USB key when I had this flash… "Could I use my USB key to log in to my PC with a certain account?"
Googling … googling… I need a PAM module to do it. eix time now!
#eix pam usb
* sys-libs/pam_usb
     Available versions: 0.3.1 0.3.2
     Homepage: http://www.pamusb.org/
     Description: A PAM module that enables authentication using an USB-Storage device (such as an USB Pen) through DSA private/public keys.
I emerged it and edited /etc/pam.d/system-auth and /etc/pam.d/login.
In the very first line of the files I added:
auth sufficient /lib/security/pam_usb.so !check_device allow_remote=1 force_device=/dev/sda1 fs=vfat debug=1 log_file=/var/log/pam_usb.log
Then I just did:
mount /mnt/corsair
usbadm keygen /mnt/corsair root 4096
as the great quickstart of pam_usb describes and I am set!
Just a test then…:
$ su
#
Damn! I liked that!
And you can check the debug log too:
[device.c:371] Forcing device /dev/sda1
[device.c:346] Creating temporary mount point...
[device.c:354] Scheduling [/tmp/pam_usbI7wL6Z] for dropping
[device.c:358] Using /tmp/pam_usbI7wL6Z as mount point
[device.c:237] Trying to mount /dev/sda1 on /tmp/pam_usbI7wL6Z using vfat
[device.c:253] Device mounted, trying to open private key
[device.c:181] Opening /tmp/pam_usbI7wL6Z/.auth/root.XXXXXX
[device.c:261] Private key opened
[auth.c:207] Private key imported
[auth.c:218] Public key imported
[device.c:455] Dropping [/tmp/pam_usbI7wL6Z]
[dsa.c:77] Checking DSA key pair...
[dsa.c:87] Signing pseudo random data [1 time(s)]...
[dsa.c:94] Valid signature
[dsa.c:87] Signing pseudo random data [2 time(s)]...
[dsa.c:94] Valid signature
[dsa.c:87] Signing pseudo random data [3 time(s)]...
[dsa.c:94] Valid signature
[pam.c:207] Access granted
What about if I remove the USB key?
$ su
Password:
su: Authentication failure
Sorry.
$
And the debug log:
[device.c:371] Forcing device /dev/sda1
[device.c:346] Creating temporary mount point...
[device.c:354] Scheduling [/tmp/pam_usbTMRHEZ] for dropping
[device.c:358] Using /tmp/pam_usbTMRHEZ as mount point
[device.c:237] Trying to mount /dev/sda1 on /tmp/pam_usbTMRHEZ using vfat
[device.c:242] mount failed: No such file or directory
[device.c:249] Unable to mount /dev/sda1, tried with 1 fs
[device.c:376] Device forcing failed, back to guess mode
[device.c:419] Cannot find any device
[device.c:455] Dropping [/tmp/pam_usbTMRHEZ]
[auth.c:186] Invalid device
[pam.c:203] Cannot authenticate user "root"
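The two debug logs above can be reduced to one record per authentication attempt, which makes denied or aborted key logins easy to spot in /var/log/pam_usb.log. This is an added example, not code from the original post or from pam_usb; the entry format and message strings are assumed from the excerpts shown here, and the function names and sample text are constructed for illustration.

```python
import re

# Entry format assumed from the excerpts on this page: "[file.c:line] message".
# Works whether entries are one per line or run together on a single line.
ENTRY = re.compile(r"\[(\w+\.c):\d+\]\s*(.*?)(?=\s*\[\w+\.c:\d+\]|\s*$)", re.S)
FAILURE_HINTS = ("failed", "Unable to", "Cannot find", "Invalid")

def new_attempt():
    return {"device": None, "key_file": None, "valid_signatures": 0,
            "errors": [], "result": "incomplete", "user": None}

def parse_attempts(log_text):
    """Return one dict per authentication attempt in a pam_usb debug log."""
    attempts, cur = [], None
    for src, msg in ENTRY.findall(log_text):
        if msg.startswith("Forcing device ") and cur is not None:
            attempts.append(cur)  # earlier attempt never reached a verdict
            cur = None
        cur = cur or new_attempt()
        denied = re.match(r'Cannot authenticate user "([^"]*)"', msg)
        if msg.startswith("Forcing device "):
            cur["device"] = msg.split()[-1]
        elif src == "pam.c" and (denied or msg == "Access granted"):
            cur.update(result="denied" if denied else "granted",
                       user=denied.group(1) if denied else None)
            attempts.append(cur)
            cur = None
        elif msg.startswith("Opening "):
            cur["key_file"] = msg.split(" ", 1)[1]
        elif msg == "Valid signature":
            cur["valid_signatures"] += 1
        elif any(h in msg for h in FAILURE_HINTS):
            cur["errors"].append(msg)
    return attempts + ([cur] if cur else [])

# Constructed sample, shortened from the two logs shown on this page.
SAMPLE = """\
[device.c:371] Forcing device /dev/sda1
[device.c:181] Opening /tmp/pam_usbI7wL6Z/.auth/root.XXXXXX
[dsa.c:94] Valid signature [dsa.c:94] Valid signature [dsa.c:94] Valid signature
[pam.c:207] Access granted
[device.c:371] Forcing device /dev/sda1
[device.c:242] mount failed: No such file or directory
[auth.c:186] Invalid device
[pam.c:203] Cannot authenticate user "root"
"""
if __name__ == "__main__":
    for a in parse_attempts(SAMPLE):
        print(a["result"], a["device"], a["valid_signatures"], a["errors"])
```

An attempt that ends as "incomplete" means the log stopped before any pam.c verdict line, which is worth a look on its own.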