Mon, 26 Mar 2012
Well, We have discussed the encrypted container files, and you have your ssh and gpg keys secured. Now to take the authentication one step further.
When you authenticate to your system you have to type a login and a password. This is ok but we can improve this. Linux uses PAM (Pluggable Authentication Modules) to set the authentication requirements for the system. We can extend this one step further and greate a OTP (One Time Pad) on a USB key that is then required to be present before you can login. This means that you will need your login, your password, and a special USB key plugged into a USB port on the system to log in.
To start this you will need to download the PAM USB module from HERE To continue with the instructions click the Read More Once you have downloaded the pam_usb program you will need to make and install it on your system. You will need to be root and you can just to a make all make install Once it is installed you will need to add the USB pen drive to the configuration and add a user to the pen drive. for this we usr the included tool pamusb-conf. This will let you add devices to the config and add users to the device. So as root you will run the following command. pamusb-conf --add-device PenDrive You can replace PenDrive with whatever you wish to call your USB drive. It should look like this. [root@horus cl]# pamusb-conf --add-device PenDrive Please select the device you wish to add. 0) USB 2.0 USB Flash Drive (USB_2.0_USB_Flash_Drive_XXXXXXXXXXXXX-0:0) 1) ICSI CF Card CF (ICSI_CF_Card_CF_XXXXXXXXX-0:0) [0-1]: 0 Which volume would you like to use for storing data ? * Using "/dev/sdh1 (UUID: XXXX-XXXX)" (only option) Name : PenDrive Vendor : USB 2.0 Model : USB Flash Drive Serial : USB_2.0_USB_Flash_Drive_19a3f806f05592-0:0 UUID : XXXX-XXXX Save to /etc/pamusb.conf ? [Y/n] y Done. This will add the drive to the pamusb.conf file and configure this USB drive to usage in the system. Now we need to add a user to the USB drive. This is done with the same pamusb-conf command this time with the --add-user ption pamusb-conf --add-user joe Replace joe with the users login name on the system. The output should look like this. [root@horus cl]# pamusb-conf --add-user joe Which device would you like to use for authentication ? 0) MyDevice 1) PenDrive [0-1]: 1 User : joe Device : PenDrive Save to /etc/pamusb.conf ? [Y/n] y Done. NOTE: you can add multiple users to the same pen drive. For example you can had a pen drive to authenticate user joe and user root, however I have found that it messes the system up if you try to add one user to more than one pen drive. so for example if you have the user joe on PenDrive and add joe to another pen drive called MyDisk. User joe will no longer be able to login to the system. This seems to be a bug in the pam_usb module so watch out for it! Now we want to configure the authentication services to use the pam_usb module. I suggest starting with the su service. You will want to cd into the /etc/pam.d directory and edit the file named su. You will want to add "auth required pam_usb.so" to the file. You can see where I added it in this example. #%PAM-1.0 auth sufficient pam_rootok.so auth required pam_usb.so auth include system-auth account sufficient pam_succeed_if.so uid = 0 use_uid quiet account include system-auth password include system-auth session include system-auth session optional pam_xauth.so Now when you su to any user it will require that the USB key be in the system for that user. This is a good way to test the system, just make sure that you have a key made for root before you do this! You can also change required to sufficient in the pam.d config file and make the system skip the password when the key is plugged in. So lets see it work! In this example I have the key pulled out but type the correct password. [cl@horus ~]$ su joe * pam_usb v0.4.2 * Authentication request for user "joe" (su) * Device "PenDrive" is connected (good). * Performing one time pad verification... * Probing volume (this could take a while)... * Access denied. Password: su: incorrect password In this example I have the key plugged into the USB port and type the correct password. [cl@horus ~]$ su joe * pam_usb v0.4.2 * Authentication request for user "joe" (su) * Device "PenDrive" is connected (good). * Performing one time pad verification... * Access granted. Password: If you are going to deploy this to you system be careful! You can lock your self out of the system to the point that you have to boot from a CD, mount the file system, and remove the pamusb driver from the config. Sometimes the keys go bad, the OTP is no longer valid, etc. It has happened to me once. My solution was to set up ssh from one of the systems here at the house to my main system. SSH with registered keys is secure so this lets me in with out the need for a USB key. However, when you are sitting at the console, you must have the USB key EVEN FOR X11 access! Oh, NEVER ADD IT TO THE system-auth FILE! Always add it to the individual pam files. The system-auth will make it 100% across the board required for any login. More security and privacy stuff to come! Stay tuned.
TrackBack ping me at: