Getting started

The following few steps are needed to get pam_usbng running:

1. Prepare your device & generate configuration file

Plug in the USB device you would like to use for authentication.

When everything has been installed, call the uaconf.pl utility from the command line (note that this must be run as root or via sudo). uaconf will guide you through the whole process, from choosing the USB device you want to use until the configuration file is generated and ready to use.

 $ sudo uaconf.pl

2. Setup your device

After a configuration file has been written, you have to run uadevwrite, which parses the given configuration file and writes the corresponding authentication information to the device you chose. Pass the path to the configuration file and the USB serial number as arguments.

 $ sudo uadevwrite /etc/pamauth-ng.conf 03847D83JD3

3. Set up your applications to use USB authentication

The final part requires changing the PAM configuration files. If you don't know what PAM is, you might want to take a look here.

Every application using PAM redirects authentication requests (e.g. when you log in via SSH) to PAM, which then performs the authentication routine defined in the configuration file for that application.

The application-specific configuration files are normally found in /etc/pam.d/.

Example: How to set up USB authentication for sudo

Edit the PAM configuration file for sudo:

 vi /etc/pam.d/sudo

This file will probably just look something like this:

 #%PAM-1.0
 @include common-auth
 @include common-account

We now comment out the first include directive and replace it with:

 auth sufficient pam_usbng.so
 auth sufficient pam_unix.so

The new /etc/pam.d/sudo file now looks like this:

 #%PAM-1.0
 auth sufficient pam_usbng.so
 auth sufficient pam_unix.so
 @include common-account

This means: first try to authenticate via a USB device; if that fails, fall back to standard Linux authentication (via /etc/passwd by default).
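
The edit from step 3 as a script, added here as an example (it is not part of pam_usbng): it checks that the module is installed, keeps a backup, and swaps the include for the two auth lines with a single rename. The function name enable_usbng and the .bak suffix are assumptions; the default module path is the one shown in the make install output of the full example.

```shell
#!/bin/sh
# Added example, not part of pam_usbng. enable_usbng is a made-up helper name.
# Assumption: the module lives where "make install" on this page puts it.

# usage: enable_usbng <pam-service-file> [module-path]
enable_usbng() {
    svc=$1
    module=${2:-/lib/security/pam_usbng.so}

    # Do not reference a module that is not installed.
    [ -f "$module" ] || { echo "missing module: $module" >&2; return 1; }
    [ -f "$svc" ] || { echo "missing service file: $svc" >&2; return 1; }

    # Already switched over: leave the file alone, so re-running is harmless.
    if grep -Eq '^[[:space:]]*auth[[:space:]].*pam_usbng\.so' "$svc"; then
        return 0
    fi

    # Only act on the layout shown above; never guess where auth lines go.
    grep -q '^@include common-auth' "$svc" || {
        echo "no '@include common-auth' line in $svc" >&2; return 2; }

    cp -p "$svc" "$svc.bak" || return 1        # rollback copy
    tmp=$(mktemp "$svc.XXXXXX") || return 1
    cp -p "$svc" "$tmp" || { rm -f "$tmp"; return 1; }   # keep owner and mode

    # Comment out the first include and put the two auth lines in its place.
    if awk '
        /^@include common-auth/ && !done {
            print "#" $0
            print "auth sufficient pam_usbng.so"
            print "auth sufficient pam_unix.so"
            done = 1
            next
        }
        { print }
    ' "$svc" > "$tmp"; then
        mv "$tmp" "$svc"       # rename within one directory: no half-written file
    else
        rm -f "$tmp"; return 1
    fi
}

# Example call (as root): enable_usbng /etc/pam.d/sudo
```

Keep a root shell open while testing the new stack; to roll back, copy /etc/pam.d/sudo.bak over /etc/pam.d/sudo.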


Full example

tomhet@inferno:~$ svn co svn://v281.ncsrv.de/svn/pam_usbng
A    pam_usbng/build
A    pam_usbng/include
A    pam_usbng/include/uauthd.h
A    pam_usbng/include/pam_auth.h
A    pam_usbng/include/uadevwrite.h
A    pam_usbng/include/libpamauth.h
A    pam_usbng/.project
A    pam_usbng/doc
A    pam_usbng/doc/TODO
A    pam_usbng/doc/pamauth-ng.conf
A    pam_usbng/.cproject
A    pam_usbng/src
A    pam_usbng/src/uadevwrite.c
A    pam_usbng/src/uaconf.pl
A    pam_usbng/src/libpamauth.c
A    pam_usbng/src/uauthd.c
A    pam_usbng/src/pam_usbng.c
A    pam_usbng/Makefile
Checked out revision 61.

tomhet@inferno:~$ cd pam_usbng/

tomhet@inferno:~/pam_usbng$ make
gcc -o build/pam_usbng.so -shared -I/usr/include -Wall -lcrypt -lssl -g src/pam_usbng.c src/libpamauth.c
gcc -o build/uadevwrite  -I/usr/include -Wall -lcrypt -lssl -g src/uadevwrite.c src/libpamauth.c
gcc -o build/uauthd -I/usr/include -Wall -lcrypt -lssl -g src/uauthd.c src/libpamauth.c

tomhet@inferno:~/pam_usbng$ sudo make install
install -D build/pam_usbng.so /lib/security/pam_usbng.so
install -D -m 0700 build/uadevwrite /usr/sbin/uadevwrite
install -D -m 0700 build/uauthd /usr/sbin/uauthd
install -D -m 0700 src/uaconf.pl /usr/sbin/uaconf.pl
install -D -m 0600 doc/pamauth-ng.conf /etc/pamauth-ng.conf
Thank you for using pam_auth-ng. You may want to start uaconf.pl or uawritedev now.


tomhet@inferno:~/pam_usbng$ sudo uaconf.pl
Make sure that your main authentication USB device is plugged in, then press enter.
(and in addition, if you like, a second device as backup-solution).


Searching for USB storage devices... OK
        [0] GH_PicoBit pointing to /dev/sde [USBID 0773143900A6], 1029MB
        [1] WD_3200JS_External pointing to /dev/sdd [USBID 57442D574341504431303935343139], 320GB

Please enter the number of the device you want set up for use with usbauth: 0
If you like to create a backup-key-device of the above, enter number: 

The chosen device contains the following currently mounted partitions:
         [partition] /dev/sde1

Try to unmount? (Y/n)y
        Trying to unmount /dev/sde1
Ok, all partitions have been unmounted. Let's proceed.


                ************************************************************
                                       W A R N I N G                       
                ************************************************************
All data on the selected device will be lost!
Are you -sure- to prepare the USB memory device
        GH_PicoBit [USB ID: 0773143900A6],
        located at /dev/sde
        holding 1029MB of data? (y/N) y
Deleting partition table... OK
Creating new partition table... OK
Everything seems to be fine. Please specify the user which shall be able to gain authentication: root
Your configuration file has been saved to pamauth-ng.1.conf. You may now run:
sudo uadevwrite pamauth-ng.1.conf 0773143900A6


NOTE: Don't forget to copy the new config to /etc/pamauth-ng.conf!

tomhet@inferno:~/pam_usbng$ sudo cp pamauth-ng.1.conf /etc/pam
pamauth-ng.conf  pam.conf         pam.d/           
tomhet@inferno:~/pam_usbng$ sudo cp pamauth-ng.1.conf /etc/pamauth-ng.conf 
tomhet@inferno:~/pam_usbng$ sudo uadevwrite /etc/pamauth-ng.conf 0773143900A6
[DEBUG] Loaded 1 users from configfile.
        Writing data on 0773143900A6 for user root with password M0QqGEJanhEh... 
                PIN: 123
done
tomhet@inferno:~/pam_usbng$ su
PIN: 
root@inferno:/home/tomhet/pam_usbng#
 
getting_started.txt · Last modified: 2009/04/10 13:16 (external edit)
 