Single Sign On with pam_usb

September 9, 2005

Single sign-on (SSO) solutions provide an authentication mechanism whereby a single act of user authentication grants access to every resource the user is permitted to use. The technique reduces the number of username/password combinations a user has to remember and strengthens an organisation's information security strategy.

To achieve single sign-on (SSO) authentication under Linux, pluggable authentication modules (PAM) are used. PAM lets system administrators choose how applications authenticate users without modifying the applications themselves.

The PAM module needed for this setup is pam_usb. It enables either two-token (password plus key) or password-less (key only) authentication using a removable storage device such as a USB flash drive or a CD-ROM.

Authentication is done with DSA keys: the private key is stored on the device and the public key on the system, in the user's home directory. Whenever a user tries to authenticate, the module performs a challenge-response using that key pair (only the holder of the private key can answer a challenge that the system verifies with the public key) and then proceeds with the authentication.
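To make the split between device and host concrete, here is an added worked example of that challenge-response. It is not pam_usb's own code, protocol or key file format: DSA is written out in pure Python so it runs without third-party libraries, the `enroll()`, `device_answer()`, `host_challenge()` and `host_verify()` helpers and the dict-based "device" and "host" are assumptions for the demo, and p is kept at 512 bits so parameter generation is quick (real keys should be larger). The demo shows a genuine login succeeding, a different stick failing, and a captured answer being useless against a fresh challenge.

```python
# Challenge-response login with a DSA key pair split between a removable
# device (private key) and the host (public key), as the article describes.
# Added illustration, not pam_usb's own code, protocol or key file format.
# Pure-Python DSA so it runs with no third-party library; p is kept at 512
# bits so parameter generation is quick (real keys should be larger).
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)   # random base in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def dsa_parameters(p_bits: int = 512, q_bits: int = 160) -> tuple:
    """Domain parameters (p, q, g): q | p-1 and g has order q modulo p."""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        x = secrets.randbits(p_bits) | (1 << (p_bits - 1))
        p = x - (x % (2 * q)) + 1          # p == 1 (mod 2q), so q divides p-1
        if p.bit_length() == p_bits and is_probable_prime(p):
            break
    h, g = 2, 1
    while g == 1:
        g, h = pow(h, (p - 1) // q, p), h + 1
    return p, q, g

def hash_to_int(msg: bytes, q: int) -> int:
    """Leftmost bits(q) bits of SHA-256(msg), as FIPS 186 prescribes."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> max(0, 256 - q.bit_length())

def dsa_keygen(params: tuple) -> tuple:
    """Return (private x, public y = g^x mod p)."""
    p, q, g = params
    x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)

def dsa_sign(params: tuple, x: int, msg: bytes) -> tuple:
    p, q, g = params
    z = hash_to_int(msg, q)
    while True:
        k = 1 + secrets.randbelow(q - 1)   # fresh per-signature nonce
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (z + x * r)) % q if r else 0
        if r and s:
            return r, s

def dsa_verify(params: tuple, y: int, msg: bytes, sig: tuple) -> bool:
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = (hash_to_int(msg, q) * w) % q, (r * w) % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r

def enroll(params: tuple) -> tuple:
    """What 'usbadm keygen' amounts to: private key to the device (/mnt/usb/.auth),
    public key to the host (~/.auth). Both sides are plain dicts here (assumption)."""
    x, y = dsa_keygen(params)
    return {"params": params, "private": x}, {"params": params, "public": y}

def device_answer(device: dict, challenge: bytes) -> tuple:
    return dsa_sign(device["params"], device["private"], challenge)

def host_challenge() -> bytes:
    return secrets.token_bytes(32)         # fresh random nonce, never reused

def host_verify(host: dict, challenge: bytes, answer: tuple) -> bool:
    return dsa_verify(host["params"], host["public"], challenge, answer)

def demo() -> dict:
    params = dsa_parameters()
    device, host = enroll(params)
    stranger, _ = enroll(params)           # someone else's stick, same domain parameters
    c1 = host_challenge()
    genuine = host_verify(host, c1, device_answer(device, c1))
    c2 = host_challenge()
    wrong_device = host_verify(host, c2, device_answer(stranger, c2))
    captured = device_answer(device, host_challenge())   # answer sniffed from an earlier login
    replayed = host_verify(host, host_challenge(), captured)
    return {"genuine": genuine, "wrong_device": wrong_device, "replayed": replayed}
```

The point of the fresh nonce in `host_challenge()` is the replay case: a signature copied from one login is worthless for the next, which is what distinguishes this from simply storing a secret file on the stick and comparing it.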

pam_usb can handle authentication in three different modes:

  • Unique: password-less. The removable device must be present to log in; no password is asked for.
  • Alternative: plugging in the device is enough to log in. If the device cannot be detected, the user is prompted for a password instead.
  • Additional: two-token authentication. Both the password and the device are required to log in.

PAM is configured locally through a set of files in /etc/pam.d, one per program (the file name is the name of the program), each listing the modules used to authenticate requests for that program.

Before modifying an application's PAM configuration file, generate a public/private key pair with the usbadm tool included in the pam_usb package:

# usbadm keygen /mnt/usb david 1024

This generates the private key under /mnt/usb/.auth/ (the mount point of the USB stick or other removable device) and the public key under /home/david/.auth/, in the arrangement described above. The key files are named USER_NAME.HOST_NAME.

To allow console login with the removable device, edit /etc/pam.d/login and insert one of the following lines, depending on the mode pam_usb should run in:

  • Unique mode: auth required pam_usb.so (replacing the existing password line)
  • Alternative mode: auth sufficient pam_usb.so (placed before the existing password line, which is kept as the fallback)
  • Additional mode: auth required pam_usb.so (placed before the existing password line, which is kept, so both must succeed)

The module's behaviour can be tuned per program with a list of options (module arguments) appended as the fourth column of the PAM configuration line.
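Because the three modes differ only in the control flag and the position of the pam_usb line, it helps to see how PAM actually evaluates the stack. The following added example (not code from pam_usb or Linux-PAM) parses the three /etc/pam.d/login variants and applies PAM's required/requisite/sufficient rules. It assumes the distribution's stock password check is a single `auth required pam_unix.so` line, and stubs the two modules with facts (`device_present`, `password_ok`) since no real PAM runs here; `parse_pam_config()`, `evaluate_auth_stack()` and `login()` are names chosen for the demo. A fourth variant shows the common ordering mistake in Alternative mode.

```python
# Simulation of how Linux-PAM evaluates an 'auth' stack, applied to the three
# pam_usb modes for /etc/pam.d/login. Added example, not code from pam_usb or
# Linux-PAM: the control-flag rules are PAM's documented ones, but the modules
# are stubbed (pam_usb succeeds iff the device is present, pam_unix iff the
# password is right) and the stock password line is assumed to be pam_unix.so.
from typing import Callable, Dict, List, Tuple

PamEntry = Tuple[str, str, str, List[str]]   # (type, control, module, options)

def parse_pam_config(text: str) -> List[PamEntry]:
    """Parse the four-column pam.d format: type control module [options...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries

# Stubbed module outcomes as a function of the session 'facts' (assumption).
MODULE_OUTCOME: Dict[str, Callable[[dict], bool]] = {
    "pam_usb.so": lambda facts: facts["device_present"],
    "pam_unix.so": lambda facts: facts["password_ok"],
}

def evaluate_auth_stack(entries: List[PamEntry], facts: dict) -> bool:
    """Apply PAM's required / requisite / sufficient rules; True means login granted."""
    required_failed = False
    succeeded = False
    for mtype, control, module, _options in entries:
        if mtype != "auth":
            continue
        ok = MODULE_OUTCOME[module](facts)
        if control == "required":
            if ok:
                succeeded = True
            else:
                required_failed = True    # keep running the stack, but it will fail
        elif control == "requisite":
            if not ok:
                return False              # fail immediately
            succeeded = True
        elif control == "sufficient":
            if ok and not required_failed:
                return True               # short-circuit: later modules never run
            # a failing 'sufficient' module is simply ignored
        else:
            raise ValueError(f"control flag {control!r} not modelled here")
    return succeeded and not required_failed

# The three /etc/pam.d/login variants from the article, plus a common mistake.
UNIQUE = """
auth required   pam_usb.so      # replaces the password line
"""
ALTERNATIVE = """
auth sufficient pam_usb.so      # device alone is enough
auth required   pam_unix.so     # otherwise fall back to the password
"""
ADDITIONAL = """
auth required   pam_usb.so      # device AND password
auth required   pam_unix.so
"""
ALTERNATIVE_WRONG_ORDER = """
auth required   pam_unix.so     # 'sufficient' cannot rescue an earlier 'required' failure
auth sufficient pam_usb.so
"""

def login(config: str, device_present: bool, password_ok: bool) -> bool:
    facts = {"device_present": device_present, "password_ok": password_ok}
    return evaluate_auth_stack(parse_pam_config(config), facts)

if __name__ == "__main__":
    variants = {"unique": UNIQUE, "alternative": ALTERNATIVE,
                "additional": ADDITIONAL, "alternative (wrong order)": ALTERNATIVE_WRONG_ORDER}
    for name, cfg in variants.items():
        for dev in (True, False):
            for pw in (True, False):
                print(f"{name:26} device={dev!s:5} password={pw!s:5} -> {login(cfg, dev, pw)}")
```

Running the table makes the security trade-off visible: in Alternative mode the stick by itself is a complete credential (a wrong password is never even checked when the device is present), so a lost stick is a lost account until its key is removed from ~/.auth; Additional mode is the only one that keeps the password as a second factor. The wrong-order variant silently degrades Alternative mode to password-only login, which is why the pam_usb line must precede the password line.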

The current release of pam_usb supports floppy and CD-ROM devices as well as USB flash memory devices. The module works both on Linux 2.4.x and 2.6.x kernels.
