rpms/pam_usb/devel pam_usb-0.3.3-Makefile.patch, NONE, 1.1 pam_usb-options.html, NONE, 1.1 pam_usb-pam.d-gdm.example, NONE, 1.1 pam_usb-pam.d-login.example, NONE, 1.1 pam_usb-quickstart.html, NONE, 1.1 pam_usb.spec, NONE, 1.1 pam_usb.udev, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2

Dmitry Butskoy (buc) fedora-extras-commits at redhat.com
Thu Dec 29 12:58:04 UTC 2005


Author: buc

Update of /cvs/extras/rpms/pam_usb/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv7706/devel

Modified Files:
	.cvsignore sources 
Added Files:
	pam_usb-0.3.3-Makefile.patch pam_usb-options.html 
	pam_usb-pam.d-gdm.example pam_usb-pam.d-login.example 
	pam_usb-quickstart.html pam_usb.spec pam_usb.udev 
Log Message:
auto-import pam_usb-0.3.3-2 on branch devel from pam_usb-0.3.3-2.src.rpm

pam_usb-0.3.3-Makefile.patch:

--- NEW FILE pam_usb-0.3.3-Makefile.patch ---
diff -Nrbu pam_usb-0.3.3/src/Makefile pam_usb-0.3.3-OK/src/Makefile
--- pam_usb-0.3.3/src/Makefile	2005-10-18 19:03:33.000000000 +0400
+++ pam_usb-0.3.3-OK/src/Makefile	2005-12-20 14:48:19.000000000 +0300
@@ -4,7 +4,8 @@
 SO		:= pam_usb.so
 SOURCES		:= $(wildcard *.c)
 OBJS		:= $(patsubst %.c,%.o,$(SOURCES))
-PAM_MODULES	:= $(DESTDIR)/lib/security
+LIB		:= lib
+PAM_MODULES	:= $(DESTDIR)/$(LIB)/security
 
 all: $(SO)
 
@@ -18,7 +19,8 @@
 	rm -f $(OBJS) $(SO)
 
 install: all
-	install -m644 $(SO) $(PAM_MODULES)
+	install -d $(PAM_MODULES)
+	install -m755 $(SO) $(PAM_MODULES)
 
 deinstall:
 	rm -f $(PAM_MODULES)/$(SO)
diff -Nrbu pam_usb-0.3.3/tools/usbadm/Makefile pam_usb-0.3.3-OK/tools/usbadm/Makefile
--- pam_usb-0.3.3/tools/usbadm/Makefile	2005-10-18 19:03:33.000000000 +0400
+++ pam_usb-0.3.3-OK/tools/usbadm/Makefile	2005-12-20 14:49:21.000000000 +0300
@@ -19,7 +19,9 @@
 	$(CC) -c $(CFLAGS) -o $@ $<
 
 install: all
+	install -d $(DEST)
 	install -m755 $(BIN) $(DEST)
+	install -d $(MANDIR)/man1
 	install usbadm.1.gz $(MANDIR)/man1/
 
 deinstall:
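Review bot: The man page line in this install recipe, `install usbadm.1.gz $(MANDIR)/man1/`, still carries no `-m`, so install applies its default executable mode to the page. The patch adds the directory creation around it but leaves the mode alone. Changing it to `install -m644 usbadm.1.gz $(MANDIR)/man1/` here would make the `%attr(644,root,root)` override in pam_usb.spec unnecessary. The deinstall recipe continues outside the hunk.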
diff -Nrbu pam_usb-0.3.3/tools/usbhotplug/Makefile pam_usb-0.3.3-OK/tools/usbhotplug/Makefile
--- pam_usb-0.3.3/tools/usbhotplug/Makefile	2005-10-18 19:03:33.000000000 +0400
+++ pam_usb-0.3.3-OK/tools/usbhotplug/Makefile	2005-12-20 14:50:34.000000000 +0300
@@ -21,12 +21,14 @@
 	$(CC) -c $(CFLAGS) -o $@ $<
 
 install: all
+	install -d $(DEST)
 	install -m755 $(BIN) $(DEST)
 	install -d $(HOTPLUGDIR)/
 	install -m755 files/pamusb.hotplug $(HOTPLUGDIR)/
 	install -d $(PAMUSBCONF)/handlers/
 	install -m644 files/hotplug.conf $(PAMUSBCONF)/
 	install -m755 files/xlock.sh $(PAMUSBCONF)/handlers/
+	install -d $(PAMDIR)/usbhotplug
 	install -m644 files/usbhotplug.pam $(PAMDIR)/usbhotplug
 
 deinstall:
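Review bot: The added `install -d $(PAMDIR)/usbhotplug` creates a directory at the exact path the next line uses as its destination file, so `files/usbhotplug.pam` ends up as `$(PAMDIR)/usbhotplug/usbhotplug.pam`. The PAM service file itself never exists, which leaves usbhotplug without its intended PAM policy on a plain `make install`. The line should be `install -d $(PAMDIR)`. pam_usb.spec in this commit works around this with `rm -rf usbhotplug` and a heredoc, which would not be needed once the patch is corrected. The deinstall recipe continues outside the hunk.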


--- NEW FILE pam_usb-options.html ---
<html><head></head>
<body>
As third argument of a pam.d file, it's possible to specify some
arguments.<br>
The following is a list of recognized options:<br>
<br>
<table>
<tbody><tr>
<td><b>name</b></td>
<td><b>type</b></td>
<td><b>description</b></td>
<td><b>default value</b></td></tr>

<tr><td>
mntpoint
</td><td>
string
</td><td>
Tells pam_usb the form of the temporary directory. XXXXXX (6 times) will be replaced by a temporary value.
</td><td>
 /tmp/pam_usbXXXXXX
</td></tr>

<tr><td>
proc_basename
</td><td>
string
</td><td>
the device's procfile. You usually don't have to change this, it's where pam_usb searches for devices.
</td><td>
/proc/scsi/usb-storage-%d/%d
</td></tr>

<tr><td>
pwfile
</td><td>
string
</td><td>
The path pam_usb will search for public and private keys (~user/ and mntpoint/)
</td><td>
 /.auth/
</td></tr>

<tr><td>
pubkey
</td><td>
string
</td><td>
The name of the public key located in the user's home
</td><td>
 id_pub
</td></tr>

<tr><td>
snfile
</td><td>
string
</td><td>
the serial number file contains the allowed SN. If it doesn't exists, the default behaviour is to grant everything.
</td><td>
 /etc/pam_usb/serials.conf
</td></tr>

<tr><td>
fs
</td><td>
string
</td><td>
comma-separated list of filesystems used to mount the device
</td><td>
 ext2,vfat
</td></tr>

<tr><td>
utmp
</td><td>
string
</td><td>
location of the utmp file
</td><td>
/var/run/utmp
 </td></tr>
 
<tr><td>
mount_opts
</td><td>
string
</td><td>
comma-separated list of mount options (including: ro,bind,sync,remount,nosuid,noexec,nodev)
</td><td>

 </td></tr>

<tr><td>
log_file
</td><td>
string
</td><td>
print debug messages to that file instead of stdout
</td><td>

 </td></tr>
 
<tr><td>
local_consoles
</td><td>
string
</td><td>
comma-separated list of consoles which be able to login when allow_remote=-1
</td><td>
 /dev/vc/,/dev/tty,:
 </td></tr>

<tr><td>
direct_open
</td><td>
boolean
</td><td>
Attempt to open the private key using O_DIRECT to avoid disk caching: will
work only on devices that support this feature.
</td></tr>

 <tr><td>
 local_hosts
 </td><td>
 string
 </td><td>
 comma-separated list of hosts that will be able to login when allow_remote=-1
 </td><td>
  :
  </td></tr>
  
 
<tr><td>
force_device
</td><td>
string
</td><td>
Using this option, you can force pam_usb to use a specified device. If 
it fails mounting, it'll switch back to auto guess mode
</td><td>

</td></tr>

<tr><td>
allow_remote
</td><td>
boolean
</td><td>
When set to false (!allow_remote) it will allow only local_hosts and 
local_consoles to login.
</td><td>
 false
 </td></tr>
 
<tr><td>
check_device
</td><td>
boolean
</td><td>
If unset (!check_device), pam_usb will not check neither if the device is 
attached, nor 
its serial number.
</td><td>
true
</td></tr>

<tr><td>
check_if_mounted
</td><td>
boolean
</td><td>
if the usb device is already mounted pam_usb will use its mountpoint (avoid using it)
</td><td>
 false
</td></tr>

<tr><td>
keep_mounted
</td><td>
boolean
</td><td>
When set to true, it'll keep mntpoint mounted. Useful if combined
with check_if_mounted.
</td><td>
 false
 </td></tr>
 

<tr><td>
sign_times
</td><td>
integer
</td><td>
Number of times pam_usb will do the sign/check challenge.
</td><td>
 3
</td></tr>

<tr><td>
debug
</td><td>
boolean
</td><td>
enable debug mode
</td><td>
 false
</td></tr>
</tbody></table>
<br>
Boolean variables can be set true by putting them as is (e.g. <i>option</i>), and to false by adding ! in front of them (e.g. <i>!option</i>).
<br>
<br>
The syntax is of the name=value form for string and integer options,
for example the following will
tell pam_usb to use either ext3 or reiserfs as filesystem, to enable
debug mode, to disable device checking and that the serial number file
is located at /etc/serials:<br>
<pre>auth    requisite       pam_usb.so      fs=ext3,reiserfs debug !check_device snfile=/etc/serials
</pre>
<br>

<address>
        Copyright © 2003,2004 Andrea Luzzardi &lt;scox at gentoo.org&gt;          
</address>
  </body></html>


--- NEW FILE pam_usb-pam.d-gdm.example ---
#%PAM-1.0
auth       sufficient	pam_usb.so check_if_mounted mount_opts=ro allow_remote
auth       required	pam_env.so
auth       required	pam_stack.so service=system-auth
auth       required	pam_nologin.so
account    required	pam_stack.so service=system-auth
password   required	pam_stack.so service=system-auth
session    required	pam_stack.so service=system-auth
session    optional     pam_console.so
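Review bot: `auth sufficient pam_usb.so` is the first auth line, so a successful key check ends the auth stack before `pam_nologin.so` runs, and in pam_usb-pam.d-login.example before `pam_securetty.so` as well. A key holder is then not subject to /etc/nologin or the root tty restriction. Placing the pam_usb line after those `required` lines and directly before `auth required pam_stack.so service=system-auth` keeps both checks in force. This example also passes `allow_remote` and `check_if_mounted`, which pam_usb-options.html in this commit describes as lifting the local-only restriction and as an option to avoid; a comment line such as `# allow_remote: key logins are also accepted from non-local displays` would make that choice explicit. The login example uses `quiet`, which the options table does not list.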


--- NEW FILE pam_usb-pam.d-login.example ---
#%PAM-1.0
auth       sufficient	pam_usb.so check_if_mounted mount_opts=ro quiet
auth       required	pam_securetty.so
auth       required	pam_stack.so service=system-auth
auth       required	pam_nologin.so
account    required	pam_stack.so service=system-auth
password   required	pam_stack.so service=system-auth
session    required	pam_stack.so service=system-auth
session    optional	pam_console.so


--- NEW FILE pam_usb-quickstart.html ---
<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"></head>
<body>
<h1 style="border-top: medium none; padding-top: 0pt;" id="welcome">
Installing pam_usb</h1>
<pre>% tar -zxvf pam_usb-<i>VERSION</i>.tar.gz
% cd pam_usb-<i>VERSION</i>
% make
# make install
</pre>
<i>Replace VERSION with the version number you downloaded.</i><br>
This will unpack, compile and install the <i>pam_usb module</i> and its 
tools <i>usbadm</i> and <i>usbhotplug</i>.<br>

<h1 id="features">Setup</h1>

Now pam_usb can be enabled for your login applications.<br>
A list of applications using PAM is avaible at /etc/pam.d/
(you may want to edit /etc/pam.d/login, and /etc/pam.d/xdm).<br>
pam_usb can work in 3 different modes:
<p><b>Unique</b>: You can login using your USB pen, if it's
not present, it isn't possible to login.
<br>
This mode can be enabled by commenting the line <i>auth required 
pam_unix.so</i> (by adding a # at the beginning of the line), and add
the following line:<br>
</p><pre>auth       required        pam_usb.so
</pre>
<p></p>
<p><b>Alternative</b>: Plugging in the USB device is enough to
login.
If it's not present, the system prompts for password.<br>
To use such, add the following line before the <i>auth required 
pam_unix.so</i> line:<br>
</p><pre>auth       sufficient      pam_usb.so
</pre>
<p></p>
<p><b>Additional</b>: To login, you have to put the USB device and type
your password.<br>
If you want to use this mode, add the following line before the <i>auth 
required pam_unix.so</i> line:<br>
</p><pre>auth       required        pam_usb.so
</pre>
<p></p>
<i>
Please note that the /etc/pam.d/ directory name, and the pam_unix.so 
module name are mostly the same in every distro, but could be different 
(mandrake uses pam_stack.so instead of pam_unix.so).</i><br>
For a first usage, you should use a alternative mode, and enable the
debug mode.<br>
More info are avaible at the <a href="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html">PAM 
documentation website</a>.<br>

<h1 id="features">Workarounds</h1>
<pre><dt>2.6 kernel</dt>
<dd>As the proc format has changed, a workaround is avaible to 
use it under a 2.6 kernel.<br>
Add the <i>!check_device</i> option 
in order to make it work.</dd>
<dt>Non USB-Storage devices</dt>
<dd>
Since the 0.2_rc2 version, it is possible to use a floppy, a cdrom or 
another mountable device.
To use a floppy add the following options:<br>
<i>!check_device !check_if_mounted force_device=/dev/fd0</i><br>
Replace /dev/fd0 by the device you're using, as /dev/cdrom if you want 
to store your private key on such support.<br>
CD-ROMs mounting will require to be read-only. To do so, add the option <i>mount_opts=ro</i>.
</dd>
</pre>
<h1 id="features">Key setup</h1>

<pre>Now that we told PAM to use pam_usb for authentication, we have to create a 
couple of private and public keys that will be used for authentication.
We will use the fresh installed <i>usbadm</i> tool:

First you have to mount the USB device on your favourite mountpoint.
- If you didn't create a mountpoint for the usb pen then do so :

# mkdir /mnt/usb

Replace /mnt/usb with any other inexistent directory (or leave it alone).
- Mount the usb pen:

# mount /dev/sda1 /mnt/usb

Replace /dev/sda1 and /mnt/usb with the correct device name and mountpoint.
If you don't have any clue of what your device entry is, just plug the pen 
and type dmesg. Usually, if you don't have any SCSI device it should be 
/dev/sda1. Use an empty directory for mountpoint (the one you just created, 
for example).

Ok, now the device is mounted and we can access it's content via /mnt/usb
- Now we can create a couple of private/public keys by using the usbadm tool:
The syntax is the following: <i>usbadm keygen &lt;mntpoint&gt; &lt;user&gt; &lt;bits&gt;</i>

For example this will generate a private and public key for the user root using 
a pair of 2048 bits DSA keys.


# usbadm keygen /mnt/usb root 1024
[!] Directory /root/.auth/ not found, creating one...
[!] Directory /mnt/usb/.auth/ not found, creating one...
[!] Generating 1024 DSA key pair for root at host
[!] Extracting private key...
[+] Private key extracted.
[+] Private key successfully written.
[!] Writing public key...
[+] Public key successfully written.

That's it. This will check the directories needed by pam_usb, generate, extract 
and write private/public keys for the chosen user for the local host.

You can try with any configured application, like login or GDM.
For a first test, you may want to use su as you can test it without switching to 
a console.


</pre>
<br>
<address>
        Copyright © 2003,2004 Andrea Luzzardi &lt;scox at gentoo.org&gt;          
      </address>
    
  </body></html>


--- NEW FILE pam_usb.spec ---
Name:	pam_usb
Summary: PAM module for use with DSA key pairs and removable devices
Version: 0.3.3
Release: 2%{?dist}
License: GPL
Group: System Environment/Base
URL:  http://www.pamusb.org
Source0:  http://dl.sourceforge.net/pamusb/%{name}-%{version}.tar.gz
# lynx -source http://www.pamusb.org/quickstart.html >pam_usb-quickstart.html
Source1:  pam_usb-quickstart.html
# lynx -source http://www.pamusb.org/options.html >pam_usb-options.html
Source2:  pam_usb-options.html
Source3:  pam_usb.udev
Source4:  pam_usb-pam.d-login.example
Source5:  pam_usb-pam.d-gdm.example
Patch0:   pam_usb-0.3.3-Makefile.patch

BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: pam-devel, openssl-devel, readline-devel, ncurses-devel


%description
This PAM module provides authentication through DSA private/public keys.
Public keys placed on the target computer, whereas private keys are stored
on some removable device, including USB storages/flash drives, cdroms,
floppies, etc.

Any kind of mountable devices (not removable only) can be used.

Due to using of DSA key pairs, the passwordless authentication can be organized
(if a private key is stored not crypted on the media).


%package hotplug
Summary: Hotplug agent to use with USB flash 
Group: System Environment/Base
Requires: %{name} = %{version}-%{release}
Requires: hotplug

%description hotplug
Hotplug agent to use with USB flash.


%prep
%setup -q
%patch0 -p1

cp -p %{SOURCE1} quickstart.html
cp -p %{SOURCE2} options.html

mkdir pam.d-examples
cp -p %{SOURCE4} pam.d-examples/login
cp -p %{SOURCE5} pam.d-examples/gdm


%build
# Note: we may not overwrite CFLAGS, so use CC instead...
make CC="%__cc $RPM_OPT_FLAGS" LIB=%{_lib} %{?_smp_mflags}


%install
rm -rf $RPM_BUILD_ROOT

make install LIB=%{_lib} DESTDIR=$RPM_BUILD_ROOT

#  use new "udev" style instead of obsoleted "hotplug" ...
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/hotplug.d/default/*
install -D -m644 %{SOURCE3} \
	$RPM_BUILD_ROOT%{_sysconfdir}/udev/rules.d/60-%{name}.rules

pushd $RPM_BUILD_ROOT/etc/pam.d
rm -rf usbhotplug
cat >usbhotplug <<EOF
auth	sufficient	pam_usb.so  debug
EOF
popd


%clean
rm -rf $RPM_BUILD_ROOT


%files
%defattr(-,root,root,-)
/%{_lib}/security/*
%{_bindir}/usbadm
%doc AUTHORS COPYING Changelog README *.html pam.d-examples
%dir %{_sysconfdir}/pam_usb
%attr(644,root,root) %{_mandir}/*/usbadm*

%files hotplug
%defattr(-,root,root)
%{_bindir}/usbhotplug
%config(noreplace) %{_sysconfdir}/pam_usb/*
%config(noreplace) %{_sysconfdir}/pam.d/*
%config(noreplace) %{_sysconfdir}/udev/rules.d/*


%changelog
* Thu Dec 29 2005 Dmitry Butskoy <Dmitry at Butskoy.name> - 0.3.3-2
- accepted for Fedora Extras (review by Wart <wart at kobold.org>)

* Thu Dec 22 2005 Dmitry Butskoy <Dmitry at Butskoy.name> - 0.3.3-2
- Use /etc/udev/rules.d instead of /etc/hotplug.d
- Add some pam.d examples (Wart at kobold.org)

* Tue Dec 20 2005 Dmitry Butskoy <Dmitry at Butskoy.name> - 0.3.3-1
- upgrade to 0.3.3
- always build hotplug package
- add Makefile patch (directory creation, permissions etc.)
- create usbhotplug pam file own way

* Wed Sep  7 2005 Dmitry Butskoy <Dmitry at Butskoy.name> - 0.3.2-1
- initial release
- copy quckstart.html and options.html from web-site to package
- separate hotplug stuff as an additional package, build it
  when "--with hotplug" is specified only
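Review bot: The heredoc in %install ships the usbhotplug PAM file with `debug` enabled, and pam_usb-options.html in this commit says debug messages go to stdout unless `log_file` is set. A packaged default is better written as `auth	sufficient	pam_usb.so`, leaving debug for the administrator to turn on. The same block hard-codes `$RPM_BUILD_ROOT/etc/pam.d` while the rest of the spec uses `%{_sysconfdir}`, so `pushd $RPM_BUILD_ROOT%{_sysconfdir}/pam.d` would be consistent. The `rm -rf usbhotplug` before the heredoc deserves a comment saying it removes the directory that the patched usbhotplug Makefile creates at that path.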


--- NEW FILE pam_usb.udev ---
ACTION!="add", ACTION!="remove", GOTO="pam_usb_end"
SUBSYSTEM=="usb", ENV{PRODUCT}=="?*",  \
	RUN+="/usr/bin/usbhotplug block"

LABEL="pam_usb_end"
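Review bot: The rule carries no comment and matches every device with `SUBSYSTEM=="usb"` and a non-empty PRODUCT, so `/usr/bin/usbhotplug block` is started from udev on each add or remove of any USB device, not only storage. A header comment such as `# Run the pam_usb hotplug agent on USB add/remove; all other actions jump to pam_usb_end` would document the intent of the two-condition GOTO line. If usbhotplug only acts on key-carrying storage devices, which cannot be confirmed from this page, narrowing the match would reduce how often a helper runs with udev's privileges. The `block` argument next to a `usb` subsystem match also needs a word of explanation.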


Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/pam_usb/devel/.cvsignore,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- .cvsignore	29 Dec 2005 12:56:55 -0000	1.1
+++ .cvsignore	29 Dec 2005 12:58:04 -0000	1.2
@@ -0,0 +1 @@
+pam_usb-0.3.3.tar.gz


Index: sources
===================================================================
RCS file: /cvs/extras/rpms/pam_usb/devel/sources,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sources	29 Dec 2005 12:56:55 -0000	1.1
+++ sources	29 Dec 2005 12:58:04 -0000	1.2
@@ -0,0 +1 @@
+45e73035b706ff6dd20d002210bf0cb3  pam_usb-0.3.3.tar.gz



