I was trying to use pam_usb in order to create a physical key for better security within my system. After installing
the AUR package pam_usb and running the following code (according to the ArchWiki documentation):
[user@host /some/dir]$ sudo pamusb-conf --add-device KEY
* Using "AI Mass Storage (AI_Mass_Storage-0:0)" (only option)
Which volume would you like to use for storing data ?
* Using "/dev/sda1 (UUID: 12CB-F616)" (only option)
Name : KEY
Vendor : AI
Model : Mass Storage
Serial : AI_Mass_Storage-0:0
UUID : 12CB-F616
Save to /etc/security/pam_usb.conf? [Y/n]
Done.
[user@host /some/dir]$ sudo pamusb-conf --add-user guest
Which device would you like to use for authentication ?
* Using "KEY" (only option)
User : guest
Device : KEY
Save to /etc/security/pam_usb.conf? [Y/n]
Done.
I then ran a pamusb-check verification
and got the following output:
[user@host /some/dir]$ sudo pamusb-check guest
* Authentication request for user "guest" (pamusb-check)
* Searching for "KEY" in the hardware database...
* Authentication device "KEY" is connected.
* Performing one time pad verification...
* Regenerating new pads...
* Unable to update system pads.
* Pad check succeeded, but updating failed!
* Access denied.
This output says that it is unable to update some "system pads" thing (I don't know what that is), and therefore I get an "Access denied". I have not yet updated any PAM stack file inside the /etc/pam.d/ folder, for fear of ruining my future logins to the system.
So I want to know what I can do, or whether this output does not represent any problem for this task.
SYSTEM
Archlinux / 6.13.2-arch1-1
PACKAGE
local/pam 1.7.0-1
PAM (Pluggable Authentication Modules) library
local/pam_usb 0.8.5-1
Hardware authentication for Linux using ordinary flash media (USB & Card based).
local/pam_usb-debug 0.8.5-1
Detached debugging symbols for pam_usb
local/pambase 20230918-2
Base PAM configuration for services
PAM CONFIGURATION FILE
<?xml version="1.0" ?><!--
pam_usb.conf: Configuration file for pam_usb.
See https://github.com/mcdope/pam_usb/wiki/Configuration
--><configuration>
<!-- Default options -->
<defaults>
<!-- Example:
<option name="debug">true</option>
<option name="deny_remote">true</option>
-->
</defaults>
<!-- Device settings -->
<devices>
<!-- Example:
Note: You should use pamusb-conf to add devices automatically.
<device id="MyDevice">
<vendor>SanDisk Corp.</vendor>
<model>Cruzer Titanium</model>
<serial>SNDKXXXXXXXXXXXXXXXX</serial>
<volume_uuid>6F6B-42FC</volume_uuid>
<option name="probe_timeout">10</option>
</device>
<device id="MySecondDevice">
<vendor>Commodore</vendor>
<model>REU</model>
<serial>CMDKXXXXXXXXXXXXXXXX</serial>
<volume_uuid>6F6B-00FF</volume_uuid>
<option name="probe_timeout">10</option>
</device>
-->
<device id="KEY">
<vendor>AI</vendor>
<model>Mass Storage</model>
<serial>AI_Mass_Storage-0:0</serial>
<volume_uuid>12CB-F616</volume_uuid>
</device></devices>
<!-- User settings -->
<users>
<!-- Note: Use pamusb-conf to add a user, then you can tweak
manually the configuration here if needed.
-->
<!-- Example:
Authenticate user scox using "MyDevice", and configure pamusb-agent
to automatically start/stop gnome-screensaver on key insertion and
removal:
<user id="scox">
<device>MyDevice</device>
<device>MySecondDevice</device>
<option name="quiet">true</option>
<agent event="lock">
<cmd>gnome-screensaver-command -\-lock</cmd>
<env>DISPLAY=:1</env>
<env>DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus</env>
<env>XAUTHORITY=/run/user/1000/gdm/Xauthority</env>
</agent>
<agent event="unlock">
<cmd>gnome-screensaver-command -\-deactivate</cmd>
<env>DISPLAY=:1</env>
<env>DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus</env>
<env>XAUTHORITY=/run/user/1000/gdm/Xauthority</env>
</agent>
</user>
Configure user root to authenticate using MyDevice, but update one
time pads at every login (default is 1 hour):
<user id="root">
<device>MyDevice</device>
<option name="pad_expiration">0</option>
</user>
-->
<user id="guest">
<device>KEY</device>
</user></users>
<!-- Services settings (e.g. gdm, su, sudo...) -->
<services>
<!-- Example: Speed up hotplugging by disabling one time pads -->
<!--
<service id="pamusb-agent">
<option name="one_time_pad">false</option>
</service>
-->
<!-- Disable output for 'su' (needed for gksu) -->
<!--
<service id="su">
<option name="quiet">true</option>
</service>
-->
<!--
Default whitelist for "deny_remote".
These services are whitelisted because either
a) they are graphical login managers and we assume these be available only locally
b) they are authorization agents afters successful authentication.
Template:
<service id=""><option name="deny_remote">false</option></service>
-->
<service id="pamusb-agent"><option name="deny_remote">false</option></service>
<service id="gdm-password"><option name="deny_remote">false</option></service>
<service id="xdm"><option name="deny_remote">false</option></service>
<service id="lxdm"><option name="deny_remote">false</option></service>
<service id="xscreensaver"><option name="deny_remote">false</option></service>
<service id="lightdm"><option name="deny_remote">false</option></service>
<service id="sddm"><option name="deny_remote">false</option></service>
<service id="polkit-1"><option name="deny_remote">false</option></service>
<service id="kde"><option name="deny_remote">false</option></service>
<service id="login"><option name="deny_remote">false</option></service>
</services>
</configuration>