One thing I had already asked myself, whether watching 24 on TV or daydreaming, was how you can actually log into a system using a USB stick as authentication. The question remained unanswered until I found out about libpam-usb.
As you probably already know, PAM stands for Pluggable Authentication Modules: “a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API).” By installing and configuring a simple package, we’ll see how to use a USB stick to authenticate to your Ubuntu computer.
First off, we need to install a couple of packages:
$ sudo aptitude install libpam-usb pamusb-tools
Once you have these packages installed, configuring your USB login key is quite simple. You can find the steps to follow in the included doc of libpam-usb:
$ zcat /usr/share/doc/libpam-usb/QUICKSTART.gz|less
Basically, you’ll add a USB device to use as a login key and associate it with every user you’d like. I might add: in the above-mentioned documentation, the root user is used for a USB login example. As you know, on an Ubuntu system the root user is disabled by default; we use sudo instead.
I don’t think it’s a safe – or useful, for that matter – thing to do. Sudo remains a very good way of handling superuser actions, and enabling the root user isn’t justified simply by the means of its access; its being active is what is in question here.
The documentation is otherwise very complete and libpam-usb is very, very powerful. One little thing it can do, using pamusb-agent, brings your USB key very close to an actual key: you can easily set up gnome-screensaver to enable itself once the USB key is unplugged, and deactivate only when the USB key is plugged back in.
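Once a key is associated with a user, what it actually grants depends on the control flag of the pam_usb.so line in the PAM auth stack. The following is an added example, not code from this post or from the pam_usb project: it reports whether the key replaces the password or is required in addition to it. The function name pamusb_policy and the sample stacks are constructed for illustration, and the result labels assume pam_usb.so is listed ahead of the password module.

```shell
#!/bin/sh
# Added example: classify how a PAM auth stack uses pam_usb.so.
# Reads the stack from the named file, or from stdin when no file is given.
# Assumes pam_usb.so is listed ahead of the password module (pam_unix.so).
pamusb_policy() {
    awk '
        # Skip blank lines and comments.
        /^[ \t]*(#|$)/ { next }
        # Only auth entries decide who may log in ("-auth" is also valid).
        $1 != "auth" && $1 != "-auth" { next }
        {
            # The control field is one word or a bracketed [k=v ...] list.
            ctl = $2; i = 3
            if (ctl ~ /^\[/)
                while (ctl !~ /\]$/ && i <= NF) ctl = ctl " " $(i++)
            mod = $i
            sub(/^.*\//, "", mod)   # drop any directory in front of the module
        }
        mod == "pam_usb.so" && !found {
            found = 1
            if (ctl == "sufficient")
                r = "usb-or-password"    # key alone logs in; password is the fallback
            else if (ctl == "required" || ctl == "requisite")
                r = "usb-and-password"   # key is a second factor on top of the password
            else
                r = "review: " ctl       # anything else needs a manual read
        }
        END { print (found ? r : "absent") }
    ' "$@"
}

# Constructed sample stacks, not copied from a real system.
SAMPLE_SUFFICIENT='auth  sufficient  pam_usb.so
auth  required    pam_unix.so nullok_secure'
SAMPLE_REQUIRED='# key and password are both needed
auth  required    pam_usb.so
auth  required    pam_unix.so nullok_secure'

printf '%s\n' "$SAMPLE_SUFFICIENT" | pamusb_policy
printf '%s\n' "$SAMPLE_REQUIRED"   | pamusb_policy
```

On a configured Ubuntu machine the same function can be pointed at the real stack, for example `pamusb_policy /etc/pam.d/common-auth`.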