Linux (Ubuntu) USB Auth

4

I want to be able to authenticate with PAM using a USB drive with a file on it. I've read about how to do this with a PAM module that reads the specific USB hardware ID of a device, but if the device malfunctions or is lost, there would be no way to authenticate. I would prefer to use the method BitLocker uses, requiring a particular file to be found on the drive in order to authenticate. That way I can keep another drive in a secure location as a backup.

Any other suggestions are welcome. I just want to require a higher level of security than just a password.

Edit: The existing pam way (that I don't like): http://ubuntuforums.org/showthread.php?t=17571

themicahmachine

Posted 2010-12-22T13:17:44.140

Reputation: 353

How does "Make the keys on the usb memory stick" imply that it uses the hardware ID of the drive? – Ignacio Vazquez-Abrams – 2010-12-22T16:04:31.737

http://www.xtarutaru.com/2010/03/05/ubuntu-pam-usb-authentication/ – themicahmachine – 2010-12-22T16:52:57.563

@Ignacio: The file doc/FAQ in pam_usb source does: "The USB device is both identified by its manufacturer attributes (vendor, product, serial number) and by a few random bytes called one time pads that pam_usb writes and updates on the USB device upon authentication." – user1686 – 2010-12-22T20:10:10.773

Answers

2

PAM modules are stackable. It's very easy to configure authentication so that if one module fails, it falls back to asking for a password. So I see no reason for you not to use pam_usb (as suggested in the Ubuntu Forums thread).

auth    sufficient      pam_usb.so
@include common-auth

(Note sufficient as opposed to required)

user1686

Posted 2010-12-22T13:17:44.140

Reputation: 283 655
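To make the sufficient/required distinction concrete, here is an added example PAM stack (not part of the answer above; the file path and the contents of common-auth are assumed to match a stock Ubuntu install). Use one variant or the other, never both:

```text
# /etc/pam.d/login  (added example; pick ONE of the two variants)

# Variant A: what the answer shows.  A valid pam_usb token succeeds and,
# because the line is `sufficient`, PAM stops here and no password is
# asked.  If the token is absent or fails, the failure is *not* fatal:
# PAM simply continues into common-auth and falls back to the password.
auth    sufficient      pam_usb.so
@include common-auth

# Variant B: what the asker wants (both factors).  With `required`, a
# missing or bad token marks the whole stack as failed, but PAM still
# runs common-auth, so the password prompt appears either way and the
# final result is denied unless BOTH the token and the password pass.
# This is only a check inside PAM: single-user mode, or booting from
# other media, never consults this file (see the comments below).
auth    required        pam_usb.so
@include common-auth
```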

That's true, but I'm trying to require the USB. As in, if someone was to install a keylogger and get the password, they still cannot gain access without the physical device. – themicahmachine – 2010-12-22T20:13:05.080

@themicahmachine: 1) If somebody manages to install a keylogger that affects the login screen, he must already have root access, in which case you're own3d, USB or no USB. 2) A device check like that is merely a check, which can be easily bypassed: the same forum page mentions single-user mode, which skips PAM and only checks shadow. For such checks to work, you would need strict physical security - locked case, restricted bootloader. – user1686 – 2010-12-22T20:18:42.560

@themicahmachine: One workaround I can think of is to have one device for yourself and another for root. If you lose device A, login as root and configure a new one. If you lose device B, login as yourself, su(do) to root, configure a new device. // Alternatively, you could require either USB or one-time password (a list of which you stash away in the "backup key" location; there also are PAM modules for token-generated passwords). – user1686 – 2010-12-22T20:20:58.020

Good points... I'm marking your answer as correct just for all the good info. It seems like I can accomplish what I want using TrueCrypt and running full-disk encryption and putting the boot loader on a usb stick. No USB = no decrypting the drive.

And as far as key loggers... If someone has physical access to the machine they could install a hardware key logger. USB device that goes inline between the keyboard and the computer... undetectable unless you actually look behind the machine. – themicahmachine – 2010-12-22T22:40:17.490

@themicahmachine: In case of hardware keylogger, even your full-disk encryption password will be logged. (But FDE is still a better option than simple USB check, as with the latter the attacker might be able to boot from his own media, bypassing all other kinds of protection.) – user1686 – 2010-12-22T23:47:19.710

@grawity: yes, a hardware key logger would get the encryption password, but not the key file that resides on the usb stick. – themicahmachine – 2010-12-23T00:17:33.537

0

Here is a FAQ that I typed up a while back. Maybe it can be of use.

http://forums.debian.net/viewtopic.php?t=110813

jesse

Posted 2010-12-22T13:17:44.140

Reputation: 1

2

Hi jesse, while this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. Please take a look here: Why and how are some answers deleted?

– bummi – 2015-04-22T09:18:50.447