pam_usb: Finally a new release
By scox on Monday, April 9 2007, 22:22 - security
After way too much time, I have finally released pam_usb 0.4.0.
For those of you not familiar with the project, it "provides hardware authentication for Linux using ordinary USB Flash Drives". Basically, it makes applications such as GDM/KDM, gnome-screensaver/kscreensaver, su/sudo and so forth authenticate users using a USB stick instead of asking for a password over and over. If you're lazy like me, you'll appreciate it.
So, what's new with this release? Well, everything. For starters, I've rewritten everything from scratch. It contains many new features, including one-time pad authentication and support for hardware detection through HAL.
I've also written a set of tools in Python:
- pamusb-agent, a daemon that can trigger actions (such as locking the screen) upon device authentication and removal.
- pamusb-conf, a tool that can save you the hassle of editing pamusb.conf by hand. For now, it supports the --add-device and --add-user options.
The project now has a brand new website powered by the Dokuwiki wiki engine. I have also reworked the documentation as the old one seemed to scare people. Someday I'll probably do a screencast to show how to set up pam_usb in 5 minutes. Until then, have fun with the documentation :)
Comments
Hi, scox,
I've just discovered pam_usb and I'm trying to use it. I'm in the same case as "T" and it stops there in my experiment. My main device doesn't provide vendor information (in the "lsusb" command for example) and I cannot use it for auth. I'm very impatient for the fix for this, but consider this message as congratulations for your work.
Best regards,
Ludo
Fixed in SVN. Thank you for the bug report.
Hi, scox.
First of all, I think pam-usb is a great idea. So great even that I'm writing a GUI to edit the xml file (using pygtk), I'll send you the code as soon as I'm finished. But I have one problem... I think there is a bug in gksu. When I enable pam-usb in the pam files and my device is not plugged in, gksu won't launch anything... any ideas how to solve this?
Greetz,
Batist
Hi Batist,
The problem with gksu is that it parses the output of 'su' which now contains pam_usb messages (and gksu doesn't expect those).
A quick solution would be to disable pamusb for the service 'su' so that gksu could work as usual (but without pamusb):
Or you could use pam_usb SVN version with the 'quiet' option:
By enabling this option, pamusb won't print any messages to stdout so gksu should work fine. Beware that pamusb 0.4.0 prints error messages even in quiet mode, so you'll need the SVN version to make this work.
Hi scox,
first of all I want to thank you for this great prog. And now my suggestions ;-)
Thx and Greetz, Detlef
BTW: Did you ever think about implementing a USB-Auth for GRUB or LiLo?
Hi, thanks for the support :)
About the option to remove user/devices I totally agree. pamusb-conf was started as a hack (and called scan_devices.py) and then grew into what pamusb-conf is today. I'm planning to add remove, list, edit etc. options, so that users shouldn't even have to know there's an XML file behind that.
About the silent option, in pam_usb 0.4.1 the quiet option is now really quiet, so that should do it.
Hi scox,
Indeed, the program is now really quiet and works perfectly with gksu! Although editing the xml file is really simple, I can't wait to see the add/remove/list functions.
Great work!
Greetz,
Batist.
Hi scox,
First of all, thank you for this great tool.
Second: I am having trouble using my usb stick. I installed pam_usb with gentoo emerge. But if I do pamusb-conf --add-device MyDevice then I get only my external hdd, but not my usb stick. I read about the bug here, I unmerged pam_usb and installed it from svn. Same problem.
It would be great if you can solve this.
Greetings.
This is what is in dmesg when I connect the device:
usb 1-4: new high speed USB device using ehci_hcd and address 9
usb 1-4: configuration #1 chosen from 1 choice
hub 1-4:1.0: USB hub found
hub 1-4:1.0: 1 port detected
usb 1-4.1: new high speed USB device using ehci_hcd and address 10
usb 1-4.1: configuration #1 chosen from 1 choice
scsi4 : SCSI emulation for USB Mass Storage devices
usb-storage: device found at 10
usb-storage: waiting for device to settle before scanning
scsi 4:0:0:0: Direct-Access USB 2.0 Flash Disk PROL PQ: 0 ANSI: 0 CCS
SCSI device sda: 256000 512-byte hdwr sectors (131 MB)
sda: Write Protect is off
sda: Mode Sense: 00 06 00 00
sda: assuming drive cache: write through
SCSI device sda: 256000 512-byte hdwr sectors (131 MB)
sda: Write Protect is off
sda: Mode Sense: 00 06 00 00
sda: assuming drive cache: write through
 sda: sda1
sd 4:0:0:0: Attached scsi removable disk sda
sd 4:0:0:0: Attached scsi generic sg0 type 0
I also tried with 3.1 and looked into the log file:
[pam.c:138] Searching the utmp entry for tty pts/0...
[pam.c:152] Authentication request from pts/0 (:0.0)
[device.c:74] Directory /proc/scsi/usb-storage-0/ not found
[pam.c:198] Device not valid.
Thing is that my device is /proc/scsi/usb-storage/4
Could you mail me the output of hal-device ?
Hi Scox,
First of all thanks for the project! :)
I've installed the latest released version, not the svn one, on an Ubuntu 7.04 distro and every time I try to execute a pamusb-conf --add-device I receive a "No devices detected." message. I've tried a lot of usb and other sdx objects but with the same result. It seems to be a HAL problem but I really don't know how to solve it. Thanks in advance.
Hi, thanks for the support :)
There seem to be many users experiencing the same problem, so I'm trying to gather as many hal-device outputs as possible (please send me yours too). Perhaps it might be related to the kernel configuration, as the USB tokens seem to be recognized as SCSI devices rather than USB disk drives. The kernel configuration of your system could be useful as well.
Using the latest version 4.1 I still have the no devices detected problem. I used flash memory from 2 different vendors and still have the same problem (ubuntu 7.04). Please help.
The mount command gives this output:
bourlas@torrentakos:~$ mount
/dev/sdb1 on /media/CBUSB type vfat (rw,nosuid,nodev,shortname=mixed,uid=1000,utf8,umask=077)
Thanks in advance
Hi,
I've committed a fix into the SVN, please let me know if it solves the problem.
Thank you scox for the fast answer, I tried the svn version, and still the same.
I also tried the --verbose option on pamusb-conf and the output is the following:
bourlas@torrentakos:~/pam_usb$ pamusb-conf --verbose --add-device=CBUSB
Inspecting /org/freedesktop/Hal/devices/usbdeviceea02168noserial Invalid: 'usb_device.serial'
Inspecting /org/freedesktop/Hal/devices/usbdevice00000000_021 Invalid: Device does not contain any volume
Inspecting /org/freedesktop/Hal/devices/usbdevice00000000_020 Invalid: Device does not contain any volume
No devices detected.
Using my other flash memory, the only difference is the invalid usb_device.vendor
Hey,
first of all, you did a great job. pamusb works very well, but there is one problem: when I'm in kde and in the Konsole from kde and run "su" I get the following error message:
Everything else runs well: login to kdm, login in the first terminal etc., all without typing in my pw. Except su... :( Can you help me?
Another question: is it possible for kdm to auto-login you if the usb stick is connected?
Hi,
New fixes committed to the SVN.
bourlas: You should try again. However, seeing the output of the first flash drive (usbdevice.serial), I assume the device has no serial number, which is required to work with pamusb. Perhaps the second flash drive will work just fine.
Jan: I'm aware of that problem, I'll try to find out why. Autologin is not yet supported, I'm currently trying to fix as many bugs as possible before adding new features.
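An added example (not part of the original thread or of pam_usb's own code): a check that lists USB mass-storage devices lacking the identifying strings discussed above. It reads the kernel's sysfs tree instead of HAL; treating the sysfs `serial` and `manufacturer` attributes as the counterparts of HAL's `usb_device.serial` and `usb_device.vendor` is an assumption.

```python
import os

# Attributes exposed per USB device under /sys/bus/usb/devices/<id>/.
# "serial" and "manufacturer" only exist when the device descriptor carries
# those strings. Mapping them to the HAL properties named in the thread
# (usb_device.serial, usb_device.vendor) is an assumption of this example.
REQUIRED = ("serial", "manufacturer")
MASS_STORAGE_CLASS = "08"  # USB class code for mass storage


def read_attr(path):
    """Return the stripped content of a sysfs attribute, or None if absent/empty."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read().strip() or None
    except OSError:
        return None


def is_mass_storage(dev_dir):
    """True if any interface directory (e.g. 1-4.1:1.0) reports class 08."""
    for entry in os.listdir(dev_dir):
        if ":" in entry:
            cls = read_attr(os.path.join(dev_dir, entry, "bInterfaceClass"))
            if cls == MASS_STORAGE_CLASS:
                return True
    return False


def audit_usb_tokens(sysfs_root="/sys/bus/usb/devices"):
    """Map each mass-storage device id to the identifying attributes it lacks."""
    report = {}
    if not os.path.isdir(sysfs_root):
        return report
    for name in sorted(os.listdir(sysfs_root)):
        dev_dir = os.path.join(sysfs_root, name)
        if ":" in name or not os.path.isdir(dev_dir):
            continue  # interface nodes are visited through their parent device
        if not is_mass_storage(dev_dir):
            continue  # hubs, keyboards, etc. are not candidate tokens
        report[name] = [a for a in REQUIRED
                        if read_attr(os.path.join(dev_dir, a)) is None]
    return report


if __name__ == "__main__":
    for dev, missing in audit_usb_tokens().items():
        print(dev, "ok" if not missing else "missing: " + ", ".join(missing))
```

A device reported with a missing `serial` corresponds to the case described above for the first flash drive.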
Jan: I've managed to find out why pam_usb doesn't work with su, it was a DBUS bug. I've sent them a patch and committed a workaround to the SVN.
Thanks scox, the svn version as of 29/8/07 does work with at least one of my usb flash memories. When I go back home I will also check the other one.
Well, your soft roxx :-)
Thank you for your work.
I do have a problem with the 0.4.2 version...
When I typed 'su' in the console, I have:
I have the service su disabled in pamusb.conf.. Any idea?
please read : in the above message
Hi, you must disable messages for su. To do so, set the su service to quiet:
Otherwise, you could use 0.4.3 along with gksudo which works well without disabling output messages.
I keep getting an error message: '* No devices configured for user "user".' This is with version 0.4.2 on Ubuntu 7.10 Gutsy. Everything seems to be going fine until I go to use the authentication, and it says there are no devices configured every time.
The following is the latest example of my situation:
user@machine:~$ sudo pamusb-conf --add-user user
User : user
Device : SonyMicroVault
Save to /etc/pamusb.conf ?
[Y/n] y
Done.
user@machine:~$ pamusb-check user