LinuxQuestions.org
Old 04-01-2007, 06:46 AM   #1
x_terminat_or_3
Member
 
Registered: Mar 2007
Location: Plymouth, UK
Distribution: Fedora Core, RHEL, Arch
Posts: 342

pam_usb configuration problem


Hi there

I am trying to install pam_usb at home and at the office. I don't really need it at home, but at the office, since I am the admin, I need to type in my root password a lot, and usually there's a person standing at my desk and I don't want them to see my password. So I usually say 'turn around' or hide my hands under a sheet of paper while typing in the password...

I considered smart cards, but why buy something if I already have usb sticks galore?

Ok, so I found pam_usb, installed it via yum, created my keys, and then went to try and use su - but it keeps saying

* pam_usb v0.3.3, (C) 2003-2005 Andrea Luzzardi <scox@sig11.org>
* Authentication denied: remote user.

It does not even try to access the usb device (I would know this by the flashing of the led on the usb stick)

So I tried a few things, like autofs, which works when I go to the directory /mnt/auto/Home_Keys. I added an entry in fstab and played with the options, but nothing seems to work.

------= Command history =---------
usbadm keygen /mnt/auto/Home_Keys andy 2048
[!] Directory /mnt/auto/Home_Keys/.auth/ not found, creating one...
[!] Generating 2048 DSA key pair for andy@earth.Andy.home
[!] Extracting private key...
[+] Private key extracted.
[+] Private key successfully written.
[!] Writing public key...
[+] Public key successfully written.
[root@earth /]# usbadm keygen /mnt/auto/Home_Keys root 2048
[!] Generating 2048 DSA key pair for root@earth.Andy.home
[!] Extracting private key...
[+] Private key extracted.
[+] Private key successfully written.
[!] Writing public key...
[+] Public key successfully written.

-------= /etc/auto.master =-----------
/mnt/auto /etc/auto.tero --timeout=4

-------= /etc/auto.tero =-------------
Home_Keys -fstype=ext3,rw,nosuid,nodev,user :/dev/sdd1

-------= /etc/fstab =-----------------
/dev/sdd1 /mnt/Home_Keys ext3 noauto

-------= /etc/pam.d/su =--------------
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth sufficient pam_usb.so force_device=/dev/sdd1
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so


System Information:

Linux earth.Andy.home 2.6.20-1.2925_1.fc6.cubbi_suspend2 #1 SMP Thu Mar 15 13:15:19 CET 2007 i686 i686 i386 GNU/Linux

pam-0.99.6.2-3.16.fc6
pam_usb-0.3.3-6.fc6

Thank you for any help.

Andy
 
Old 04-04-2007, 01:28 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Hmm. Maybe post the exact steps you took to make this work (HOWTO URI?). Would make it easier for us to see which parts of the system are involved and how we could make them spit out debug info. What do dmesg and syslog say from the moment you add the stick? Does the stick get mounted? Did you try running your complete PAM stack with "debug" flag added (where appropriate)?
 
Old 04-04-2007, 01:40 AM   #3
x_terminat_or_3
Member
 
Registered: Mar 2007
Location: Plymouth, UK
Distribution: Fedora Core, RHEL, Arch
Posts: 342

Original Poster
I used the very simple how to found at http://www.pamusb.org/quickstart.html

Stick is configured on automount, so when it is present and I go to a certain directory, I do see the auth files.

dmesg usually says something like new highspeed device, waiting for it to settle before scanning, and then attached sdd or sde

Not sure how to turn on debugging for the entire pam stack though.
 
Old 04-04-2007, 04:15 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

OK. The "quickstart" page says you should work on login or related PAM stacks in /etc/pam.d/ like or xdm. "su" is not a login. Debug options like setting the debug and logfile flags are explained on the "options" page.
 
Old 04-04-2007, 04:16 PM   #5
x_terminat_or_3
Member
 
Registered: Mar 2007
Location: Plymouth, UK
Distribution: Fedora Core, RHEL, Arch
Posts: 342

Original Poster
su IS a login, as found in /etc/pam.d/su

this is the current file for su:

#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth sufficient pam_usb.so !check_device !check_if_mounted force_device=/mnt/auto/Home_Keys

auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
 
Old 04-04-2007, 06:04 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by x_terminat_or_3
su IS a login, as found in /etc/pam.d/su

IMHO the fact you have a PAM su conf doesn't mean it's a login as in "logging in to a box". Of course it might be that I'm just an inexperienced and babbling simp, a total dolt w/o any clue wrt *NIX concepts and such. In any case I'd say try to get "login" or "xdm" to work, as posted in the HOWTO, before anything else.
 
Old 04-05-2007, 10:43 AM   #7
SgtPepperKSU
LQ Newbie
 
Registered: Apr 2007
Posts: 6

From the message you get, I'd try changing
Code:
auth sufficient pam_usb.so force_device=/dev/sdd1
to
Code:
auth sufficient pam_usb.so force_device=/dev/sdd1 allow_remote=1
I can't vouch for this working, as I am currently just looking into installing pam_usb, but another how to I've seen had people getting around that error this way. I'd be interested to see if it works for your su problem.
 
Old 04-05-2007, 01:24 PM   #8
x_terminat_or_3
Member
 
Registered: Mar 2007
Location: Plymouth, UK
Distribution: Fedora Core, RHEL, Arch
Posts: 342

Original Poster
Quote:
Originally Posted by unSpawn
su IS a login, as found in /etc/pam.d/su
IMHO the fact you have a PAM su conf doesn't mean it's a login as in "logging in to a box". Of course it might be that I'm just an inexperienced and babbling simp, a total dolt w/o any clue wrt *NIX concepts and such. In any case I'd say try to get "login" or "xdm" to work, as posted in the HOWTO, before anything else.

Love your sarcasm. Thanks. Really!
 
Old 04-05-2007, 01:31 PM   #9
x_terminat_or_3
Member
 
Registered: Mar 2007
Location: Plymouth, UK
Distribution: Fedora Core, RHEL, Arch
Posts: 342

Original Poster
Hi all

I have tried the allow_remote=1 option and it does work, finally!

As far as login or xdm or even kdm is concerned, I do not care, since I do not want to run my desktop as root anyway.

What would be really nice is if one were able to insert the usb device AFTER it prompts for the password, and then, when you stick the stick(!) in, it validates you as root.

Thanks all for your help!
 
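A small audit script, added here as an example and not code from this thread or from the pam_usb project: it parses the /etc/pam.d/su stack posted in #5 (with the allow_remote=1 option from #7 that fixed the "remote user" denial) and lists every "auth sufficient" line that can end the auth phase before a password is ever asked for. That is the point of the whole setup, so the checks pam_usb itself performs (device, mount, remote session) become the only gate on root. The sample file is embedded inline; which modules the script treats as "password-less" and the wording of the pam_usb option notes are this script's own assumptions, not rules from pam(8).

```python
"""Audit a pam.d 'auth' stack for lines that can grant access without a password.

Added example, not code from the thread or from the pam_usb project. The
sample below is the /etc/pam.d/su file posted in the thread with the
allow_remote=1 option added; which modules count as "password-less" is this
script's own assumption.
"""
from dataclasses import dataclass, field

# Constructed sample: the su stack from the thread, plus allow_remote=1.
SAMPLE_SU = """\
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
auth sufficient pam_usb.so !check_device !check_if_mounted force_device=/mnt/auto/Home_Keys allow_remote=1
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
"""

# Assumption of this example: modules that decide without prompting for a
# password. pam_unix (reached here through 'include system-auth') is the one that does.
PASSWORDLESS = {"pam_rootok.so", "pam_usb.so", "pam_wheel.so", "pam_permit.so"}


@dataclass
class PamEntry:
    mtype: str                 # auth / account / password / session
    control: str               # required / sufficient / include / [value=action ...]
    module: str                # module file, or the stack name for 'include'
    args: list = field(default_factory=list)


def parse_pam_stack(text):
    """Parse pam.d text into PamEntry objects, skipping comments and blank lines.
    A bracketed control field such as [success=1 default=ignore] is kept whole."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 3:
            continue
        mtype = tokens[0].lstrip("-")       # a leading '-' only silences a missing module
        if tokens[1].startswith("["):
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
        else:
            control, rest = tokens[1], tokens[2:]
        if not rest:
            continue
        entries.append(PamEntry(mtype, control, rest[0], rest[1:]))
    return entries


def pam_usb_notes(args):
    """Describe the pam_usb options that widen what a successful check means."""
    notes = []
    for a in args:
        if a.startswith("!check_"):
            notes.append(f"{a}: one of pam_usb's own device checks is switched off")
        elif a.startswith("force_device="):
            notes.append(f"keys are read from the fixed path {a.split('=', 1)[1]}")
        elif a == "allow_remote=1":
            notes.append("allow_remote=1: the 'Authentication denied: remote user' rule no longer applies")
    return notes


def passwordless_auth_paths(entries):
    """Return each 'auth sufficient' line whose module does not ask for a password.
    before_password says whether it sits ahead of the first include/pam_unix line,
    i.e. whether its success ends the auth phase before any password prompt."""
    findings, reached_password = [], False
    for e in entries:
        if e.mtype != "auth":
            continue
        if e.control == "include" or e.module == "pam_unix.so":
            reached_password = True
            continue
        if e.control == "sufficient" and e.module in PASSWORDLESS:
            findings.append({
                "module": e.module,
                "args": e.args,
                "before_password": not reached_password,
                "notes": pam_usb_notes(e.args) if e.module == "pam_usb.so" else [],
            })
    return findings


if __name__ == "__main__":
    for f in passwordless_auth_paths(parse_pam_stack(SAMPLE_SU)):
        where = "before" if f["before_password"] else "after"
        print(f"{f['module']} (sufficient, {where} the password modules) {' '.join(f['args'])}")
        for n in f["notes"]:
            print(f"    - {n}")
```

Run against the sample it reports two password-less paths, pam_rootok.so (root itself) and pam_usb.so, both ahead of the system-auth include, with the four pam_usb options spelled out. Pointing it at a real /etc/pam.d file (read the file and pass its text to parse_pam_stack) gives the same listing for any stack on the box.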
Old 04-09-2007, 01:45 PM   #10
SgtPepperKSU
LQ Newbie
 
Registered: Apr 2007
Posts: 6

I'm glad that worked for you!

Now, I've gone ahead and set up pam_usb, and overall it works great. The only thing is that it still goes to a password prompt when unlocking the screen. This would be okay since I don't really ever manually lock the screen, but when I switch users it automatically locks the screen for the old user. So, when I switch back, I'm asked for my password.

Does anybody know how to get pam_usb to work for unlocking the screen?

EDIT: forgot to mention the only change in the pam.d files I made was adding the pam_usb line to common-auth.

Last edited by SgtPepperKSU; 04-09-2007 at 01:53 PM.
 
Old 04-09-2007, 03:41 PM   #11
x_terminat_or_3
Member
 
Registered: Mar 2007
Location: Plymouth, UK
Distribution: Fedora Core, RHEL, Arch
Posts: 342

Original Poster
I noticed something else too

When you do the command su -c 'ssh somehost' then it gains root privileges through pam_usb, but does not do shared key authentication for some reason. I have to type in the root password for somehost.
 