How to log into Linux using a pendrive

Did you ever dream of logging in with a pendrive on Linux? Are you sick of typing your username and the blessed password every time you start the system, but do not dare to remove that protection for fear of intruders? Well, here is a fairly novel and safe method to leave your "windolero" friends speechless.


Install pamusb

sudo apt-get install libpam-usb pamusb-tools

Add your pendrive as an authentication token:

Connect the pendrive to the USB port and run:

sudo pamusb-conf --add-device keyusb

Where keyusb is an identifying name for the token; any other name works too.

Add users to pam-usb:

It is very easy to add users, as you can see in the following example, in which we add the user earendil to authenticate with pam-usb:

sudo pamusb-conf --add-user earendil

Test if authentication works:

With the pendrive connected, replacing earendil with the username you have chosen:

sudo pamusb-check earendil

If it says "access granted", everything is going smoothly.

Pam-usb as login system:

Edit the file /etc/pam.d/common-auth and add the following line at the beginning:

auth sufficient pam_usb.so

If you replace sufficient with required, GDM will do a double check: password and token. Otherwise it will only verify the token.
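
An added example (not part of the original article or of the pam_usb project): a shell function that reads a PAM service file and reports whether pam_usb.so is wired in as token-only (sufficient) or as token plus password (required). The function name pamusb_mode and the sample stack are assumptions made for illustration.

```shell
#!/bin/sh
# Report how pam_usb.so is wired into the auth stack of a PAM service file.
# Output: absent | token-only | token-and-password | other:<control>
# "token-and-password" assumes a password module (e.g. pam_unix.so) follows.
pamusb_mode() {
    # $1 = PAM service file, e.g. /etc/pam.d/common-auth
    awk '
        # Collapse bracketed controls such as [success=1 default=ignore]
        # into a single field so the module stays in column 3.
        { gsub(/\[[^]]*\]/, "[complex]") }
        /^[ \t]*#/ || NF < 3 { next }        # comments, blank or short lines
        { sub(/^-/, "", $1) }                # "-auth" is still an auth rule
        $1 != "auth" { next }
        $3 == "pam_usb.so" || $3 ~ /\/pam_usb\.so$/ {
            if ($2 == "sufficient")
                mode = "token-only"
            else if ($2 == "required" || $2 == "requisite")
                mode = "token-and-password"
            else
                mode = "other:" $2
            found = 1
            exit                             # first pam_usb rule decides
        }
        END { print (found ? mode : "absent") }
    ' "$1"
}

# Constructed sample stack (not taken from a real host), with pam_usb placed
# first as the article describes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /etc/pam.d/common-auth (constructed sample)
auth    sufficient                      pam_usb.so
auth    [success=1 default=ignore]      pam_unix.so nullok
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
EOF
echo "pam_usb mode: $(pamusb_mode "$sample")"
rm -f "$sample"
```

On a real system, point the function at /etc/pam.d/common-auth after editing it.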

To do all this, you can use any pendrive without modifying it, since pam_usb looks at the hardware data of the device, such as the manufacturer, UUID and serial number. The interesting thing is that even if we made a complete copy of the device, for example with dd, we would not obtain a correct key for the configured token.

Finally, it is worth mentioning that pamusb allows the automatic execution of commands when the pendrive is connected, so we could create a system that makes backup copies when the USB key is plugged in, or a transfer system, and many other things, but I leave that for you to investigate.



  1.   shapord said

    And if the USB is lost?

    1.    DCOY said

      I guess you log in like you normally do ...

  2.   Louis Carpio said

    I already did all the steps and everything is correct, but how do I test it, where do I put the user that I create and test the USB? Because when I turn on the machine again it does not come out to enter with that user