It was kinda late, and I wanted to do something tonight…something interesting. I was looking at my usb key when I had this flash…”Could I use my usb key to login to my pc with a certain account ?”.
Googling … googling… I need a PAM module to do it. eix time now!
#eix pam usb
* sys-libs/pam_usb
Available versions: 0.3.1 0.3.2
Homepage: http://www.pamusb.org/
Description: A PAM module that enables authentication using an USB-Storage device (such as an USB Pen) through DSA private/public keys.
Bingo!
I emerged it and edited /etc/pam.d/system-auth and /etc/pam.d/login
In the very first line of the files I added:
auth sufficient /lib/security/pam_usb.so !check_device allow_remote=1 force_device=/dev/sda1 fs=vfat debug=1 log_file=/var/log/pam_usb.log
Then I just did:
usbadm keygen /mnt/usb1 root 4096
as the great quickstart of pam_usb describes and I am set!
just a test then…:
$ su
#
Damn! I liked that!
and you can check the debug log too:
[device.c:371] Forcing device /dev/sda1
[device.c:346] Creating temporary mount point...
[device.c:354] Scheduling [/tmp/pam_usbI7wL6Z] for dropping
[device.c:358] Using /tmp/pam_usbI7wL6Z as mount point
[device.c:237] Trying to mount /dev/sda1 on /tmp/pam_usbI7wL6Z using vfat
[device.c:253] Device mounted, trying to open private key
[device.c:181] Opening /tmp/pam_usbI7wL6Z/.auth/root.XXXXXX
[device.c:261] Private key opened
[auth.c:207] Private key imported
[auth.c:218] Public key imported
[device.c:455] Dropping [/tmp/pam_usbI7wL6Z]
[dsa.c:77] Checking DSA key pair...
[dsa.c:87] Signing pseudo random data [1 time(s)]...
[dsa.c:94] Valid signature
[dsa.c:87] Signing pseudo random data [2 time(s)]...
[dsa.c:94] Valid signature
[dsa.c:87] Signing pseudo random data [3 time(s)]...
[dsa.c:94] Valid signature
[pam.c:207] Access granted
What about if I remove the usb key ?
$ su
Password:
su: Authentication failure
Sorry.
$
and the debug log:
[device.c:371] Forcing device /dev/sda1
[device.c:346] Creating temporary mount point...
[device.c:354] Scheduling [/tmp/pam_usbTMRHEZ] for dropping
[device.c:358] Using /tmp/pam_usbTMRHEZ as mount point
[device.c:237] Trying to mount /dev/sda1 on /tmp/pam_usbTMRHEZ using vfat
[device.c:242] mount failed: No such file or directory
[device.c:249] Unable to mount /dev/sda1, tried with 1 fs
[device.c:376] Device forcing failed, back to guess mode
[device.c:419] Cannot find any device
[device.c:455] Dropping [/tmp/pam_usbTMRHEZ]
[auth.c:186] Invalid device
[pam.c:203] Cannot authenticate user "root"
I really liked that today…felt like Mission Impossible..yeah 😛
I wonder if I could make that work with xscreensaver too…would be pretty cool, wouldn’t it ?