Ubuntu PAM USB authentication
From a login point of view, the most secure setup for a box combines three authentication methods: something you have, something you know, and something about you.
So to secure my laptop a little more I decided to implement the “something you have” method. The “something you know” method is obviously the password. Currently I don’t see the need or have the ability to easily add the “something about you” method, but maybe in the future.
Obviously I always have a USB flash drive on me, being a computer geek. Thus I decided to use pam-usb, which allows me to use a USB flash drive as an authentication method.
First, install the following two packages:
apt-get install pamusb-tools libpam-usb pmount
Then plug in your flash drive and run:
pamusb-conf --add-device <name>
Here <name> is whatever you like. You will then be asked to select your storage device. Select the desired drive, then run:
pamusb-conf --add-user <account>
Here <account> is the account you want to use the flash drive for. When asked for a device, just select the one you previously configured. If you only configured one device, then it will be selected by default.
Finally confirm you can authenticate properly. The flash drive must be plugged in for this step!
pamusb-check <account>
If you are told that the authentication succeeded, congrats! Otherwise, check your configuration again.
The final step is to replace the contents of /etc/pam.d/gdm so that the file reads:
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
@include common-password
auth required pam_usb.so fs=fat check_device=-1 check_if_mounted=-1
Then just restart GDM or restart your computer. After that, try to log in without your flash drive inserted. It should simply fail. Afterwards, try plugging in the flash drive, waiting a few seconds, and trying again. This time the login should succeed. Note that the above setup is for using both a password and a flash drive, not just a flash drive.
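The password-plus-drive behaviour depends on pam_usb.so carrying the "required" control flag alongside the password stack from common-auth. The following check is an added example, not part of pam-usb or of the original post: it reads a PAM service file and reports whether the drive is really enforced as a second factor. The function names and the sample strings are assumptions made here, and @include files are not followed.

```python
# Constructed sample: auth-relevant lines of the gdm file shown above.
PAGE_GDM = """\
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
@include common-auth
auth optional pam_gnome_keyring.so
auth required pam_usb.so fs=fat check_device=-1 check_if_mounted=-1
"""
# Constructed variant: same stack, but pam_usb is only "sufficient".
WEAK_GDM = PAGE_GDM.replace("auth required pam_usb.so", "auth sufficient pam_usb.so")

def auth_stack(text):
    """Return [(control, module)] for auth lines; includes become ('include', name)."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):
            stack.append(("include", line.split()[1]))
            continue
        kind, rest = line.split(None, 1)
        if kind.lstrip("-") != "auth":           # only the auth stack matters here
            continue
        if rest.startswith("["):                 # bracketed control: [value=action ...]
            control, rest = rest.split("]", 1)
            control += "]"
        else:
            control, rest = rest.split(None, 1)
        stack.append((control, rest.split()[0]))
    return stack

def usb_factor_status(text):
    """Classify how pam_usb.so takes part in the login decision."""
    stack = auth_stack(text)
    has_password = any(e == ("include", "common-auth") or e[1] == "pam_unix.so"
                       for e in stack)
    usb = [control for control, module in stack if module == "pam_usb.so"]
    if not usb:
        return "usb-missing"
    # Anything other than required/requisite (including bracketed controls) is
    # treated conservatively: the drive either replaces the password or is ignored.
    if usb[0] not in ("required", "requisite"):
        return "usb-not-enforced"
    return "password-and-usb" if has_password else "usb-only"

if __name__ == "__main__":
    print(usb_factor_status(PAGE_GDM), usb_factor_status(WEAK_GDM))
```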



