pam_usb – Linux authentication with USB media
pam_usb is a PAM module providing user authentication on Linux by using USB media in addition, or replacement, for passwords. Additionally it provides a service to take actions when the configured authentication media is removed/inserted – like locking/unlocking your session. It was initially written by Andrea Luzzardi but he stopped maintaining it quite some years ago.
Now I have picked up the ball and started a yet another fork, combining all the improvements done by the community over the years. But unlike the other forks I plan to actually maintain this since I’m using pam_usb myself quite heavily on multiple machines. I’ve also added some new stuff. In example the repository now provides packaging files for Debian based distributions „out of the box“.
Pull requests for further improvements are also heavily welcome. This also applies to further packaging support like for RPM.
Current version is 0.7.0, with 0.5.0 being the last upstream pam_usb release by aluzzardi.
0.6.0 was used by some downstream packaged versions to override distribution provided packages and included varying changes – depending on the source repository. This also means some of the changes listed as changed in 0.7.0 were already contained in some 0.6.0 builds too. Quite messy? Yeah, thought so too – that’s why I’ve choosen to go with 0.7.0 instead of incrementing 0.6.x.
What has changed in pam_usb?
So what’s new in pam_usb 0.7.0 you may ask? Quite a bit…
- Ported to Python 3
- pamusb-agent is now a systemd unit
- pamusb-agent config can now hold environment vars
- pamusb-conf got new options for automation (–list-devices, –list-volumes, –device, –volume, –yes)
- pamusb-conf now properly ignores read-only media (like optical drives)
- Support for devices lacking vendor and/or model
- PAM module gets installed using libpam-runtime/pam-auth-update
- Using debconf to create fully working config on install
- Documentation / example config updated
- Wiki updated
But again, not all of these improvements were done by me. See the repository, esp. the file AUTHORS and the commit history, for details. Also some of the additions are Debian(-based distribution) specific. This applies to the auto-installation using pam-auth-update and auto-config on package installation. Though this can easily be implemented for other distributions, too.
Prebuilt Debian packages can be found at https://apt.mcdope.org/, with https://apt.mcdope.org/libpam-usb_0.7.0_amd64.deb currently being the latest built. See the repository page for details on how to add the repo to your system. But please note, these packages are currently only tested on Ubuntu focal