Two-factor authentication aims to solve the decades-old problem of password-based attacks, such as brute-force attacks and key-logging attacks. In Linux, two-factor authentication can be accomplished with pam_usb, a PAM module that provides a means by which you can authenticate against cryptographic tokens stored on removable media, such as a USB drive. Through the marvel of PAM's module chaining, this article walks you through configuring two-factor authentication.
PAM is short for pluggable authentication modules. According to the Linux-PAM home page:
PAM provides a way to develop programs that are independent of authentication scheme. These programs need authentication modules to be attached to them at run time in order to work. Which authentication module is to be attached is dependent upon the local system setup and is at the discretion of the local system administrator.
pam_usb is a PAM module written by Andrea Luzzardi that facilitates authentication from removable media, such as USB devices, based on strong cryptographic key pairs stored on the drive and on the system itself. pam_usb is available in source form or in binary packages for a variety of distributions, including Debian, Gentoo, Fedora, Mandrake and SUSE. pam_usb lends itself quite nicely to accomplishing two-factor authentication, although it can be used as the sole authentication module.
The term two-factor authentication refers to authentication being achieved using two separate and distinct criteria to authenticate a user's identity: usually this is something the user knows and something the user has. The something the user knows, in the configuration we're building, is the user name and password pair, while the something the user has is the strong cryptographic tokens we are going to generate and store on the USB drive.
Strictly speaking, you should be able to accomplish everything discussed here with any flavor of Linux that has a working PAM configuration and a 2.4 or newer kernel on a system with a supported USB controller. You also need a supported USB drive, the pam_usb module source and a C compiler.
I achieved everything discussed here with a Lexar 128MB Impact USB 1.1 drive on an IBM NetVista with an Intel 82820 Camino USB controller. It is running Debian 3.0 stable with the stock bf kernel (2.4) and gcc-2.3.
You can check to see if your controller and USB drive are supported by attaching your USB drive and running lsusb as root. If your controller and drive are supported, you should see the drive listed in the output of lsusb. If it isn't, don't despair; your distribution may not have auto-loaded the necessary modules. Consult The USB Guide (see the on-line Resources) for help getting your USB environment set up. Your PAM install can be confirmed by checking to see if your login program is linked against libpam by running ldd /bin/login | grep -i pam and checking the output. If login is linked against libpam, your PAM configuration should be set.
The source for the pam_usb module can be downloaded from the project site (see Resources). Use any browser to navigate the Web site and download the latest source tarball. Remember where you save the download. When the download is complete, uncompress the tarball with tar -zxvf pam_usb-X.Y.Z.tar.gz, where X, Y and Z are the major, minor and build versions, respectively, of the particular version of pam_usb you downloaded. You now should have a pam_usb-X.Y.Z directory, so cd into the directory and take a quick peek to make sure you have some files in the directory.
pam_usb does not have any configure scripts, only a Makefile, so building is simply a matter of running make from within the pam_usb-X.Y.Z directory. If you encounter errors, as I did, you probably are missing libraries. On my Debian 3.0 stable system, I was missing the development packages for libncurses5, libpam0g and libreadline4. Once I installed the missing libraries, the make completed without errors. After pam_usb builds, you can install it with make install as root from within the pam_usb-X.Y.Z directory.
After the installation is complete, it's time to configure pam_usb. Configuring pam_usb is a relatively straightforward task that can be broken in to three broad steps: creating the pam_usb log file, backing up your existing PAM configuration and installing the new configuration.
Creating the pam_usb log file is a matter of choosing where to put it and what to call it, as well as creating the file. My personal preference is to keep all logs in /var/log, so that's where I set up my pam_usb log file and that is the location used throughout this article. Create the log file with touch /var/log/pam_usb.log as root. Next, set the ownership of the /var/log/pam_usb.log file to match the ownership of other files in /var/log, like this:
chown $USER:$GROUP /var/log/pam_usb.log
Practical Task Scheduling Deployment
July 20, 2016 12:00 pm CDT
One of the best things about the UNIX environment (aside from being stable and efficient) is the vast array of software tools available to help you do your job. Traditionally, a UNIX tool does only one thing, but does that one thing very well. For example, grep is very easy to use and can search vast amounts of data quickly. The find tool can find a particular file or files based on all kinds of criteria. It's pretty easy to string these tools together to build even more powerful tools, such as a tool that finds all of the .log files in the /home directory and searches each one for a particular entry. This erector-set mentality allows UNIX system administrators to seem to always have the right tool for the job.
Cron traditionally has been considered another such a tool for job scheduling, but is it enough? This webinar considers that very question. The first part builds on a previous Geek Guide, Beyond Cron, and briefly describes how to know when it might be time to consider upgrading your job scheduling infrastructure. The second part presents an actual planning and implementation framework.
Join Linux Journal's Mike Diehl and Pat Cameron of Help Systems.
Free to Linux Journal readers.Register Now!
- SUSE LLC's SUSE Manager
- Murat Yener and Onur Dundar's Expert Android Studio (Wrox)
- My +1 Sword of Productivity
- Managing Linux Using Puppet
- Non-Linux FOSS: Caffeine!
- Doing for User Space What We Did for Kernel Space
- SuperTuxKart 0.9.2 Released
- Parsing an RSS News Feed with a Bash Script
- Google's SwiftShader Released
- Rogue Wave Software's Zend Server
With all the industry talk about the benefits of Linux on Power and all the performance advantages offered by its open architecture, you may be considering a move in that direction. If you are thinking about analytics, big data and cloud computing, you would be right to evaluate Power. The idea of using commodity x86 hardware and replacing it every three years is an outdated cost model. It doesn’t consider the total cost of ownership, and it doesn’t consider the advantage of real processing power, high-availability and multithreading like a demon.
This ebook takes a look at some of the practical applications of the Linux on Power platform and ways you might bring all the performance power of this open architecture to bear for your organization. There are no smoke and mirrors here—just hard, cold, empirical evidence provided by independent sources. I also consider some innovative ways Linux on Power will be used in the future.Get the Guide