Local PAM authentication for USB storage devices

Wednesday, April 25. 2007

Local PAM authentication for USB storage devices

Security policies commonly don't fit the laziness of users and system administrators. You shouldn't be logged in as root directly, you shouldn't use short and unsafe passwords, and so on.

pam_usbauth.so let's you authenticate yourself on your system, passwordless with just having something like a "crypto USB device" plugged in - without additional uncommon hardware.

Update: You may also visit http://usbauth.delta-xi.net for FAQ.

Crypto smartcards, as provided by the FSFE are a really great idea - passwordless authentication everywhere and for everything. But there are two big disadvantages: First, cryptographic smartcards can't be just "buyed and configured", but you have to choose a company providing them, and trust them.

Secondly, you need a smartcard reader - most laptops don't have a built-in smartcard reader, so you can't use them everywhere you want.

Here, the PAM plugin pam_usbauth.so gets the middle way: Whenever you have plugged in your local storage device (primary designed for USB-storage devices, but suitable for nearly every device), you'll get authenticated passwordless for every service (or PAM-suporting program) you would like to use.

The package also provides uapasswd, a client program which makes writing the configuration file and setting up an existing USB device much easier than doing it manually.

All configuration options (valid users, devices where keys are stored, etc) are defined in /etc/usbauth.conf. You can use every storage device, not only USB (e.g. SC, MC of CF cards). It's strongly recommended to set up a 1024k partition for the key(s) - nevertheless, the rest of your device is still accessable to use them as storage.

It can be obtained from svn.delta-xi.net, or via svn co svn://delta-xi.net/svn/pam_usbauth, and has to be compiled and installed via "make". Have fun!

Notice: USB authentication isn't as secure as using smartcards, because USB storage devices doesn't have a built-in logic - so don't use it in really sensitive environment.

For more information, have a look at http://usbauth.sf.net

Posted by Erik Sonnleitner in Security at 10:55 | Comments (10) | Trackbacks (0)

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

Could you please describe how the software gets the keys from the usbdrive?
I use pam_usb for auth but I noticed it uses hal and dbus for mounting, getting the key, updating "one time pads" and unmounting which is bad if it is required in PAM and dbus or hal breaks...
And please describe the advantages of pam_usbauth over pam_usb.
Thank you in advance.

#1 McEnroe on 2007-04-25 15:26 (Reply)

Of course. Running "make" also installs a manpage on your system, where uapasswd is described in more detail. I hope this few steps are suitable for your needs.

#1.1 Erik (Homepage) on 2007-04-25 15:51 (Reply)

I encountered a problem - whatever I tried to do, it was impossible to access the device:

Apr 25 21:58:48 trottel [pam_usbauth]: Found password blah for user ja
Apr 25 21:58:48 trottel [pam_usbauth]: Adding device /dev/sdb1
Apr 25 21:58:48 trottel [pam_usbauth]: devcnt: 1
Apr 25 21:58:48 trottel [pam_usbauth]: Error accessing given device /dev/sdb1
Apr 25 21:58:48 trottel [pam_usbauth]: Denying access to user ja

reading the partition header reveals the following:

trottel ~ # cat /dev/sdb1 | head -c 6
blahx
trottel ~ #

Any solution for my problem?

johannes

#2 ja on 2007-04-25 21:07 (Reply)

For which application is it for? I'm currently just having this problem when trying to authenticate Xscreensaver. All others seem to work fine (su, sudo, ssh, gdm, kdm, login et al) here.

Please be sure to only use uapasswd with the -P switch instead of -p, otherwise passwords would be saved in cleartext -- this should basically only be used for debugging reasons.

#2.1 Erik on 2007-04-25 22:54 (Reply)

It's a simple system-auth via login or gdm - I always get this message

johannes

#2.1.1 Johannes Agricola on 2007-05-02 15:49 (Reply)

I'm afraid this could be a bug within the old parser engine, you may find version 0.3 more stable (already packaged at usbauth.delta-xi.net).

#2.1.1.1 Erik on 2007-05-02 17:42 (Reply)

It works perfectly

. Thanks.

#2.1.1.1.1 ja on 2007-05-25 08:48 (Reply)

hi!

/etc/usbauth.conf is per default world-readable.
please fix!

//richard

#3 rw on 2007-04-25 23:21 (Reply)

Already fixed in rev9.

#3.1 Erik on 2007-04-25 23:30 (Reply)

No, you don't have to type the password if you put pam_usbauth.so before pam_unix.so in /etc/pam.d/.

But if pam_unix.so is used before, it's enough to give an empty password, because then pam_unix.so will fail, and pam_usbauth is getting called by PAM.

#4 Erik on 2007-04-26 08:26 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	Enclosing asterisks marks text as bold (word), underscore are made via _word_. Standard emoticons like :-) and ;-) are converted to images. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above: You can use [geshi lang=lang_name [,ln={y\|n}]][/lang] tags to embed source code snippets
	Remember Information? Subscribe to this entry