
I want to be able to authenticate with PAM using a USB drive with a file on it. I've read about how to do this with a PAM module that reads the specific USB hardware ID of a device, but if the device malfunctions or is lost, there would be no way to authenticate. I would prefer to use the method BitLocker uses, requiring a particular file to be found on the drive in order to authenticate. That way I can keep another drive in a secure location as a backup.

Any other suggestions are welcome. I just want to require a higher level of security than just a password.

Edit: The existing pam way (that I don't like): http://ubuntuforums.org/showthread.php?t=17571

themicahmachine
  • How does "Make the keys on the usb memory stick" imply that it uses the hardware ID of the drive? – Ignacio Vazquez-Abrams Dec 22 '10 at 16:04
  • http://www.xtarutaru.com/2010/03/05/ubuntu-pam-usb-authentication/ – themicahmachine Dec 22 '10 at 16:52
  • @Ignacio: The file `doc/FAQ` in `pam_usb` source _does_: "The USB device is both identified by its manufacturer attributes (vendor, product, serial number) and by a few random bytes called one time pads that pam_usb writes and updates on the USB device upon authentication." – u1686_grawity Dec 22 '10 at 20:10

2 Answers

PAM modules are stackable. It's very easy to configure authentication so that if one module fails, it falls back to asking for a password. So I see no reason for you not to use pam_usb (as suggested in the Ubuntu Forums thread).

auth    sufficient      pam_usb.so
@include common-auth

(Note sufficient as opposed to required)

u1686_grawity
  • That's true, but I'm trying to require the USB. As in, if someone was to install a keylogger and get the password, they still cannot gain access without the physical device. – themicahmachine Dec 22 '10 at 20:13
  • @themicahmachine: 1) If somebody manages to install a keylogger that affects the _login screen_, he must already have `root` access, in which case you're own3d, USB or no USB. 2) A device check like that is merely a _check_, which can be easily bypassed: the same forum page mentions single-user mode, which skips PAM and only checks `shadow`. For such checks to work, you would need strict physical security - locked case, restricted bootloader. – u1686_grawity Dec 22 '10 at 20:18
  • @themicahmachine: One workaround I can think of is to have one device for yourself and another for `root`. If you lose device A, login as root and configure a new one. If you lose device B, login as yourself, `su(do)` to `root`, configure a new device. // Alternatively, you could require either USB or one-time password (a list of which you stash away in the "backup key" location; there also are PAM modules for token-generated passwords). – u1686_grawity Dec 22 '10 at 20:20
  • Good points... I'm marking your answer as correct just for all the good info. It seems like I can accomplish what I want using TrueCrypt and running full-disk encryption and putting the boot loader on a usb stick. No USB = no decrypting the drive. And as far as key loggers... If someone has physical access to the machine they could install a hardware key logger. USB device that goes inline between the keyboard and the computer... undetectable unless you actually look behind the machine. – themicahmachine Dec 22 '10 at 22:40
  • @themicahmachine: In case of a hardware keylogger, even your full-disk encryption password will be logged. (But FDE is still a better option than a simple USB check, as with the latter the attacker might be able to boot from his own media, bypassing all other kinds of protection.) – u1686_grawity Dec 22 '10 at 23:47
  • @grawity: yes, a hardware key logger would get the encryption password, but not the key file that resides on the usb stick. – themicahmachine Dec 23 '10 at 00:17
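The answer above shows the fallback form of PAM stacking (sufficient). The other thing the question asks for, a key file that must be present on whichever USB drive is plugged in, with a backup copy kept elsewhere, can be done with pam_exec.so, which runs an external command during the auth stack and treats a non-zero exit as failure. The script below is an added example, not code from the page, from pam_usb or from the linked threads. It assumes the drive is already mounted at /media/usbkey before the login prompt (an automounter is needed for that), that the key file is /media/usbkey/.pamkey, and that a root-owned directory /etc/pam-usbkey holds one <user>.sha256 reference hash per user; all of those paths and names are hypothetical.

```shell
#!/bin/sh
# Added example: a pam_exec helper that succeeds only if the key file on the
# USB drive hashes to the value enrolled for the user. Paths are assumed.
#
# Stack it *before* the password modules with "required" (not "requisite")
# so that a missing drive still prompts for the password and the person at
# the keyboard cannot tell which factor failed:
#
#   auth    required    pam_exec.so quiet /usr/local/lib/pam/usb-keyfile.sh
#   @include common-auth
#
# Swapping "required" for "sufficient" gives the fallback behaviour from the
# answer above: the drive alone logs you in, otherwise the password is asked.

KEYFILE=/media/usbkey/.pamkey      # assumed: key file on the (already mounted) drive
REFDIR=/etc/pam-usbkey             # assumed: root-owned, holds <user>.sha256

# Print the SHA-256 of a file (coreutils sha256sum, or shasum where that is absent).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# check_usb_keyfile USER KEYFILE REFDIR -> returns 0 on a match, 1 otherwise.
check_usb_keyfile() {
    user=$1
    keyfile=$2
    refdir=$3
    # The user name is typed at the login prompt, i.e. by the attacker in the
    # worst case: reject anything that could escape REFDIR ("../", "/", dotfiles).
    case "$user" in
        ""|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    ref="$refdir/$user.sha256"
    [ -f "$ref" ] || return 1        # no key enrolled for this user
    [ -f "$keyfile" ] || return 1    # drive not present, or no key file on it
    expected=$(head -n 1 "$ref") || return 1
    actual=$(hash_file "$keyfile") || return 1
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Enrolment: run once as root with a drive plugged in, e.g.
#   ./usb-keyfile.sh enrol alice
# The backup drive carries a byte-identical copy of the file, so either works.
if [ "${1:-}" = "enrol" ]; then
    [ -n "${2:-}" ] || { echo "usage: $0 enrol USER" >&2; exit 2; }
    mkdir -p "$REFDIR" && chmod 700 "$REFDIR"
    hash_file "$KEYFILE" > "$REFDIR/$2.sha256"
    exit $?
fi

# pam_exec exports PAM_USER and PAM_TYPE to the command; anything other than
# exit 0 is reported to PAM as a failure of this module.
if [ "${PAM_TYPE:-}" = "auth" ]; then
    check_usb_keyfile "${PAM_USER:-}" "$KEYFILE" "$REFDIR"
    exit $?
fi
```

Generate the key file from /dev/urandom (a few dozen random bytes) and copy it to both drives before enrolling. Only the hash lives in /etc, so reading that directory does not yield a usable key, but none of this changes the caveats in the comments above: root can edit the PAM stack, and booting from other media skips PAM entirely, which is why the thread ends up at full-disk encryption.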
Here is a FAQ that I typed up a while back. Maybe it can be of use.

http://forums.debian.net/viewtopic.php?t=110813

jesse
  • Hi jesse, while this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. Please take a look here: [Why and how are some answers deleted?](http://superuser.com/help/deleted-answers) – bummi Apr 22 '15 at 09:18