Tip of the Week 2005-08-08

From FedoraNEWS.ORG

Welcome to Tip of the Week!

Tip of the Week is released every Monday with Fedora Weekly News.

Tip of the Week: Use a USB stick for Authentication

This will help you create a key on a USB disk to use for authentication - submitted by Carlos Peraza.


The program will create two keys: a private one on your USB flash disk in the folder <usb>/.auth and a public one in the folder ~/.auth.


This works on a FAT-formatted flash disk, even if it already has other data on it.

How to Install The Package

  • Install the pam_usb package
 rpm -Uvh http://solid.bounceme.net/pub_files/packages/fedora/4/i386/RPMS.solid/pam_usb-0.3.2-1.fc4.solid.i386.rpm
  • Create a private/public key pair for a user (as root)
 usbadm keygen <mountpoint of USB> <username> 2048


This will work with all programs that use PAM. Their config files are in the folder /etc/pam.d


Here are a few that can be made to use this:

  • su
  • sudo
  • kde
  • gdm
  • login


Actually, your key can be used to verify your identity for anything that uses PAM, but I'm using the above as examples.


How to set up su to use USB authentication

  • Open /etc/pam.d/su
  • Insert this after the first line (if you want the USB key to be optional)
 auth       sufficient   pam_usb.so !check_device
  • To make the USB key compulsory, add this line instead
 auth       required   pam_usb.so !check_device
  • The file will now read:
#%PAM-1.0
auth	   sufficient   pam_usb.so !check_device
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required	/lib/security/$ISA/pam_stack.so service=system-auth
account    required	/lib/security/$ISA/pam_stack.so service=system-auth
password   required	/lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session	   required	/lib/security/$ISA/pam_selinux.so close
session    required	/lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session	   required	/lib/security/$ISA/pam_selinux.so open multiple
session    optional	/lib/security/$ISA/pam_xauth.so


How to set up login screens (login/gdm/kde) to use USB authentication

  • Open the file /etc/pam.d/(login | gdm | kde)
  • Insert this after the second line (if you want the USB key to be optional)
 auth       sufficient   pam_usb.so !check_device
  • To make the USB key compulsory, add this line instead
 auth       required   pam_usb.so !check_device
  • The file will now read:
#%PAM-1.0
auth       required	pam_securetty.so
auth       sufficient   pam_usb.so !check_device
auth       required	pam_stack.so service=system-auth
auth       required	pam_nologin.so
account    required	pam_stack.so service=system-auth
password   required	pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required	pam_selinux.so close
session    required	pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional	pam_console.so
# pam_selinux.so open should be the last session rule
session    required	pam_selinux.so multiple open
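
A quick way to confirm how pam_usb ended up wired into a service file after editing it, as an added example that is not part of the original tip or the pam_usb package. The function name check_pam_usb is hypothetical, and the sample file is constructed from the login listing above.

```shell
#!/bin/sh
# Added example: report the control flag and position of pam_usb.so
# in the auth stack of a PAM service file, e.g. /etc/pam.d/su.
check_pam_usb() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }      # skip comments and blank/short lines
        $1 != "auth"         { next }      # only the auth stack matters here
        { n++ }                            # n = position within the auth stack
        $3 ~ /pam_securetty\.so$/ { securetty = n }
        $3 ~ /pam_usb\.so$/ && !usb { usb = n; mode = $2 }
        $3 ~ /pam_stack\.so$/ && /service=system-auth/ && !pw { pw = n }
        END {
            if (!usb) { print "pam_usb=absent"; exit }
            # "sufficient" only skips the password prompt if pam_usb
            # is evaluated before the system-auth stack.
            bp = (pw && usb < pw) ? "yes" : "no"
            # On login services the tty check should still run first.
            st = (!securetty || securetty < usb) ? "yes" : "no"
            printf "pam_usb=%s before_password=%s after_securetty=%s\n", mode, bp, st
        }
    ' "$1"
}

# Constructed sample: the auth/account lines of the login file shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_usb.so !check_device
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
EOF
check_pam_usb "$sample"
rm -f "$sample"
```

Run it against each file you edited (su, login, gdm, kde) while you still have a root shell open, so a misplaced `required` line can be reverted before you log out.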


Previous Tips of the Week can be found here: Tips of the IceBurg


Add a Tip

If you have a tip you want to add, contact Tejas Dinkar (mailto:tejasdinkar@gmail.com).

