From 3b501067778f5bfb37357390f8414819eac0b180 Mon Sep 17 00:00:00 2001 From: McDope Date: Fri, 26 Jul 2024 20:05:13 +0200 Subject: [PATCH 1/8] #243: Update pamusb-conf manpage --- doc/pamusb-conf.1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/pamusb-conf.1 b/doc/pamusb-conf.1 index 18cd7875..7f65e120 100644 --- a/doc/pamusb-conf.1 +++ b/doc/pamusb-conf.1 @@ -31,7 +31,7 @@ Add a device .TP .B \fB--add-user\fP, \fB-u\fP -Add a user +Add a user (you can call this multiple times, to add multiple devices for a single user) .TP .B \fB--yes\fP, \fB-y\fP From 6a825c5eb32c6e9211c0c8adad9b318f9d6aec68 Mon Sep 17 00:00:00 2001 From: McDope Date: Fri, 26 Jul 2024 20:10:13 +0200 Subject: [PATCH 2/8] #243: Update ChangeLog --- ChangeLog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index 929e19b3..a703de6a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +* 0.8.5 + [Feature] Support multiple devices per user + [Enhancement] Misc. memory and string handling stuff + [Enhancement] Deny if pads can't be updated + [Enhancement] SELinux! There is now a profile for Fedora 40 (not installed automatically!) and a doc on how to create your own (see Wiki) + [Bugfix] LC_ALL usage + * 0.8.4 [Bugfix] loginctl usage was not sh compatible [Bugfix] Misc. fixes related to memory handling From bf66ab36faa07fd54e05a3ec87b5ab687cd51d85 Mon Sep 17 00:00:00 2001 From: make update-other-docs Date: Fri, 26 Jul 2024 20:10:44 +0200 Subject: [PATCH 3/8] [Docs] Update non-manpage "doc/" files Signed-off-by: McDope --- doc/CONFIGURATION | 12 +++++++++--- doc/QUICKSTART | 2 +- doc/SECURITY | 12 ++++++++++++ doc/TROUBLESHOOTING | 35 +++++++++++++++++++++++++++++++++-- 4 files changed, 55 insertions(+), 6 deletions(-) diff --git a/doc/CONFIGURATION b/doc/CONFIGURATION index dc662aed..b6103392 100644 --- a/doc/CONFIGURATION +++ b/doc/CONFIGURATION 
@@ -8,6 +8,8 @@ The configuration file is formatted in XML and subdivided in 4 sections: * Users declaration and settings * Services declaration and settings +Note that for changes to the agent / events config you need to restart the agent service for them to take effect. Other changes are picked up on next pam_usb usage. + The syntax is the following: ```xml @@ -104,8 +106,6 @@ The syntax is the following: Some cheap devices don't report a vendor and/or model. To use these devices you can use "Generic" for these values, then it won't be checked. Be aware that this reduces security if you have `one_time_pads` disabled since the device containing the volume won't be checked anymore (but these attributes could be faked with a custom firmware anyway). -You can configure as many devices as you want, but each user can only be configured to use a single device (currently). - ### Example: ```xml @@ -127,6 +127,8 @@ You can configure as many devices as you want, but each user can only be configu | `device` | Element | `id` of the device associated to the user | `MyDevice` | | `agent` | Element | Agent commands, for use with pamusb-agent | | +Note that one `` can have multiple `` (from v0.8.5 up). + ### Agent The agent is to be run as system service. If you installed by using the debian package it will automatically be configured as 
@@ -224,13 +226,17 @@ sudo pamusb-conf --add-device= where `` is a recognizable name for your device. This value is used internally in the configuration file as device `id` value and in output shown to users. (Note: because of it being used as an XML attribute value, it shouldn't contain ampersands etc.) +You can do this for multiple devices obviously. + 3. Add necessary user configuration into `/etc/security/pam_usb.conf` by running: ``` sudo pamusb-conf --add-user= ``` -where `` is a valid Unix user name. +where `` is a valid Unix user name. + +If you added multiple devices you can repeat this command to choose an additional device for this user (from v0.8.5 up). 4. Tweak `/etc/security/pam_usb.conf` manually as desired. Link devices and users, etc. diff --git a/doc/QUICKSTART b/doc/QUICKSTART index 94d46a99..09a734b5 100644 --- a/doc/QUICKSTART +++ b/doc/QUICKSTART @@ -30,7 +30,7 @@ Once you've connected your USB device to the computer, use pamusb-conf to add it Note that `MyDevice` can be any arbitrary name you'd like, but will be used as an XML attribute value so stay away from any special characters and stick to A-Z. -Also, you can add as many devices as you want. However, each user can currently only use a single device so additional devices can only be used for additional users. +Also, you can add as many devices as you want. However, in versions prior to v0.8.5 each user can currently only use a single device so additional devices can only be used for additional users. Starting from v0.8.5 a single user can have multiple devices assigned as well. Next, configure users you want to be able to authenticate with pam_usb: diff --git a/doc/SECURITY b/doc/SECURITY index d6e72763..d4b89884 100644 --- a/doc/SECURITY +++ b/doc/SECURITY 
@@ -1,3 +1,11 @@ +# General note about security + +`pam_usb` is intended as an "user comfort" utility. While it can enhance security, if used as a second factor, it can also reduce it. + +Make sure you are aware of how it works and what you combine it with (see other warnings). + +Also I want to point it that this isn't audited. I've tried to raise funds for it but there was literally no interest in it seemingly... + # Warning about XDMCP You should under no circumstances enable pamusb and XDMCP at the same time. Most graphical login managers are whitelisted and will not be checked for "remoteness" since issue #51 was fixed. This means if you enable XDMCP and have a usb device for an already configured user attached anyone connecting to your X-Server could login as that user! @@ -6,6 +14,10 @@ I repeat, UNDER NO CIRCUMSTANCES ENABLE PAMUSB AND XDMCP AT THE SAME TIME! Don't Note: you shouldn't use XDMCP these days anyway... +# Warning about TeamViewer and x11vnc + +Currently the local-check doesn't detect either TeamViewer or x11vnc connections. The same applies to gnome desktop sharing and I guess others also. There are attempts to resolve this, but even then there will likely always be some remote access software being able to circumvent the local check. + # Warning about remote access (SSH etc) In the past there have been ways to circumvent the local check (see issue [#51](https://github.com/mcdope/pam_usb/issues/51) and also the "[cup of tee](https://github.com/mcdope/pam_usb/issues/39)"). I'm confident that all known ways are fixed now. diff --git a/doc/TROUBLESHOOTING b/doc/TROUBLESHOOTING index 4f9b415b..3ea265eb 100644 --- a/doc/TROUBLESHOOTING +++ b/doc/TROUBLESHOOTING 
@@ -59,7 +59,7 @@ But if it does: please create an issue which should contain the output of `w` an Getting 'Pad checking failed!' when trying to authenticate -------------- -This error means that either the machine/host specific pad file on the device, or - more likely - the user specific pad file in your homedir is not in sync anymore. +This error means that either the machine/host specific pad file on the device, or - more likely - the user specific pad file in your homedir is not in sync anymore. It can also be caused if you use the same device on two computers and both share the same username (guess why I know :facepalm:). It can happen if you remove the authentication device without unmounting it before, manually mess with the pad files (like copying from a previous device) or your system crashed before file buffers were written to the media and similar. 
@@ -70,6 +70,37 @@ To resolve this you can use `pamusb-conf --reset-pads=`, which will re Agent configuration / commands don't work like expected -------------- +You have restarted the agent service after your config changes, right? RIIIIIIGHT? Seriously, you need to restart it for changes to be picked up. + The agent will log all executed commands, as well as their exitcode; stdout and stderr (since v0.8.3). You can view this log either via systemd, or - easier - by `tail`'ing `/var/log/auth.log`. -You can use this to a) verify your config is picked up like expected and b) configured commands do what you want. For some programs, esp. ones expecting to be run within a graphical environment, you will have to provide environment values via `` tags in the agent configuration. Usually the log will provide you with some good clues. But feel free to open a support issue if you need help. \ No newline at end of file +You can use this to a) verify your config is picked up like expected and b) configured commands do what you want. For some programs, esp. ones expecting to be run within a graphical environment, you will have to provide environment values via `` tags in the agent configuration. Usually the log will provide you with some good clues. But feel free to open a support issue if you need help. + + +pam_usb not working in login manager when the device wasn't plugged before login manager started / always asked for password +-------------- + +Are you using `lightdm` by any chance? + +Some login managers auto-select the first user they have in their list. This starts the pam chain and pam_usb will see "device is not plugged" and deny the request. At that point then pam_unix (or whatever your next module is) kicks in and asks for the password. This is intended behavior in pam_usb - the actual issue here is the login manager assuming which user wants to login. + +Even if you now plug the device, from pam_usb POV the request is failed/finished and it wont care anymore. 
You will have to press [ESC] to abort the current authentication request and click/select the user again (if not auto-selected). + +It's planned to implement a workaround for this in #221, but no ETA for that. + + +My media isn't accepted after I unplugged it before +-------------- + +Is that media NTFS formatted? NTFS really doesn't like unplugging while being mounted. It becomes flagged as "dirty" and you will have to run `chkdsk /R /F /V` on it. + +It isn't NTFS? That's a bug most likely, please report it as issue. + +SELinux and pam_usb +-------------- + +If you have SELinux enabled you will likely get errors with pam_usb. At least on Fedora 40 you need to allow some things that are by default denied. + +There is now a profile available for Fedora 40 that you can install to allow pam_usb to work like intended. To install it download both files from `selinux/` to some directory, open a shell in that directory and then run `semodule login.pp`. Replace "login" with the actual profile you want to install, but so far there is only one for login. It may work on other distributions or releases, too but this is untested. + +In case it doesn't work for you, see the discussion at https://github.com/mcdope/pam_usb/discussions/241 to find out how to create your own profile. \ No newline at end of file From 805ed51bd7debca383a51d5d9d4d1d8ef60c14fb Mon Sep 17 00:00:00 2001 From: McDope Date: Fri, 26 Jul 2024 20:15:41 +0200 Subject: [PATCH 4/8] #243: Update debian/changelog --- debian/changelog | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/debian/changelog b/debian/changelog index 58595885..1236d72a 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,12 @@ +libpam-usb (0.8.5) unstable; urgency=medium + * [Feature] Support multiple devices per user + * [Enhancement] Misc. memory and string handling stuff + * [Enhancement] Deny if pads can't be updated + * [Enhancement] SELinux! Wiki now has a doc on how to create your own profile + * [Bugfix] LC_ALL usage + + -- Tobias Bäumer Fri, 26 Jul 2024 21:00:00 +0200 + libpam-usb (0.8.4) unstable; urgency=medium * [Bugfix] loginctl usage was not sh compatible * [Bugfix] Misc. fixes related to memory handling From 1c148ff64abab4013e42952f4292f49bd94d46d9 Mon Sep 17 00:00:00 2001 From: McDope Date: Fri, 26 Jul 2024 20:17:17 +0200 Subject: [PATCH 5/8] #243: Update fedora specs changelog --- fedora/SPECS/pam_usb.spec | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fedora/SPECS/pam_usb.spec b/fedora/SPECS/pam_usb.spec index ed5ab9d8..66146dd7 100644 --- a/fedora/SPECS/pam_usb.spec +++ b/fedora/SPECS/pam_usb.spec @@ -56,6 +56,13 @@ rm -rf %{buildroot}/usr/share/pam-configs %doc %attr(0644,root,root) /usr/share/doc/pam_usb/TROUBLESHOOTING %changelog +* Thu Jul 26 2024 Tobias Bäumer - 0.8.5 +- [Feature] Support multiple devices per user +- [Enhancement] Misc. memory and string handling stuff +- [Enhancement] Deny if pads can't be updated +- [Enhancement] SELinux! There is now a profile for Fedora 40 (not installed automatically!) and a doc on how to create your own (see Wiki) +- [Bugfix] LC_ALL usage + * Thu Jan 04 2024 Tobias Bäumer - 0.8.4 - [Bugfix] loginctl usage was not sh compatible - [Bugfix] Misc. fixes related to memory handling From 37929b535453dd33141d476135c3807ad0704bf4 Mon Sep 17 00:00:00 2001 From: McDope Date: Fri, 26 Jul 2024 20:19:06 +0200 Subject: [PATCH 6/8] #243: Update misc version statements/tags --- arch_linux/PKGBUILD_git | 2 +- arch_linux/PKGBUILD_stable | 2 +- src/version.h | 2 +- tools/pamusb-conf | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/arch_linux/PKGBUILD_git b/arch_linux/PKGBUILD_git index e7b0fdcd..4ab50139 100644 --- a/arch_linux/PKGBUILD_git +++ b/arch_linux/PKGBUILD_git @@ -2,7 +2,7 @@ # Contributor: Pekka Helenius pkgname=pam_usb-git -pkgver=0.8.4_r549.gf015d91 +pkgver=0.8.5_r549.gf015d91 pkgrel=1 pkgdesc='Hardware authentication for Linux using ordinary flash media (USB & Card based).' arch=($CARCH) diff --git a/arch_linux/PKGBUILD_stable b/arch_linux/PKGBUILD_stable index 9e8cab4a..db86bd0d 100644 --- a/arch_linux/PKGBUILD_stable +++ b/arch_linux/PKGBUILD_stable @@ -2,7 +2,7 @@ # Contributor: Pekka Helenius pkgname=pam_usb -pkgver=0.8.4 +pkgver=0.8.5 pkgrel=1 pkgdesc='Hardware authentication for Linux using ordinary flash media (USB & Card based).' arch=($CARCH) diff --git a/src/version.h b/src/version.h index f0e29afe..0991dfb6 100644 --- a/src/version.h +++ b/src/version.h @@ -18,6 +18,6 @@ #ifndef PUSB_VERSION_H_ # define PUSB_VERSION_H_ -# define PUSB_VERSION "0.8.4" +# define PUSB_VERSION "0.8.5" #endif /* !PUSB_VERSION_H_ */ diff --git a/tools/pamusb-conf b/tools/pamusb-conf index f22d9283..ebc288b1 100755 --- a/tools/pamusb-conf +++ b/tools/pamusb-conf @@ -386,7 +386,7 @@ def resetPads(): sys.exit(0) def usage(): - print('Version 0.8.4') + print('Version 0.8.5') print('Usage: %s [--help] [--verbose] [--yes] [--config=path] [--reset-pads=username] [--add-user=name | --add-device=name [[--device=number] [--volume=number]]' % os.path.basename(__file__)) sys.exit(1) From eaae0f584f3597f7565c234e72e2d350b35c13b9 Mon Sep 17 00:00:00 2001 From: make update-other-docs Date: Fri, 26 Jul 2024 20:24:38 +0200 Subject: [PATCH 7/8] [Docs] Update non-manpage "doc/" files Signed-off-by: McDope --- doc/QUICKSTART | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/QUICKSTART b/doc/QUICKSTART index 09a734b5..62dc681f 100644 --- a/doc/QUICKSTART +++ b/doc/QUICKSTART 
@@ -30,7 +30,7 @@ Once you've connected your USB device to the computer, use pamusb-conf to add it Note that `MyDevice` can be any arbitrary name you'd like, but will be used as an XML attribute value so stay away from any special characters and stick to A-Z. -Also, you can add as many devices as you want. However, in versions prior to v0.8.5 each user can currently only use a single device so additional devices can only be used for additional users. Starting from v0.8.5 a single user can have multiple devices assigned as well. +Also, you can add as many devices as you want. However, in versions prior to v0.8.5 each user can only use a single device. So additional devices can only be used for additional users. Starting from v0.8.5 a single user can have multiple devices assigned as well. Next, configure users you want to be able to authenticate with pam_usb: From 713617a81dea701a86880c22524fa601a9336a80 Mon Sep 17 00:00:00 2001 From: McDope Date: Fri, 26 Jul 2024 20:29:43 +0200 Subject: [PATCH 8/8] #243: Arch git version --- arch_linux/PKGBUILD_git | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch_linux/PKGBUILD_git b/arch_linux/PKGBUILD_git index 4ab50139..bbe1b394 100644 --- a/arch_linux/PKGBUILD_git +++ b/arch_linux/PKGBUILD_git @@ -2,7 +2,7 @@ # Contributor: Pekka Helenius pkgname=pam_usb-git -pkgver=0.8.5_r549.gf015d91 +pkgver=0.8.5_r559.g4e4cfaa pkgrel=1 pkgdesc='Hardware authentication for Linux using ordinary flash media (USB & Card based).' arch=($CARCH)
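Review bot: PATCH 1/8 (doc/pamusb-conf.1): the added parenthetical has a stray comma and the usage string in `tools/pamusb-conf` (touched in PATCH 6/8) still presents `--add-user` as a one-shot option (`[--add-user=name | --add-device=name ...]`), so the repeat-invocation behaviour is documented only in the manpage. Suggest "Add a user (can be invoked repeatedly to assign additional devices to the same user)" here and a matching hint in `usage()`/`--help`.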
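Review bot: PATCH 3/8 (doc/CONFIGURATION, hunks at -127 and -224): the backticked element and placeholder names read as empty in the rendered diff ("one `` can have multiple ``", "--add-device= where `` is"), which makes the new note meaningless to a reader; double-check that the file really contains the element names and the placeholder, and that they survive whatever renders these docs. Also "You can do this for multiple devices obviously." is tone rather than documentation; "This can be repeated for each device you want to register." says the same thing without it.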
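Review bot: PATCH 3/8 (doc/SECURITY, first hunk): the new "General note about security" says pam_usb "can also reduce" security but never says when, and the two-factor case is the only one spelled out. Since the XDMCP warning below already states the consequence (anyone with the device attached can log in as that user), make it explicit here: e.g. "If pam_usb is configured as the only required factor, possession of the device alone is sufficient to log in; only use it as a second factor on top of a password." Two typos in the same hunk: "an "user comfort" utility" should be "a", and "I want to point it that" should be "point out that".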
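Review bot: PATCH 3/8 (doc/TROUBLESHOOTING, hunk at -70): `semodule login.pp` in the SELinux section is missing the install action; `semodule` refuses to run without one, so the instruction should read `sudo semodule -i login.pp`. In the NTFS section, `chkdsk /R /F /V` is a Windows command, which the text does not say; either state that the media has to be checked from a Windows machine or mention the Linux alternative `ntfsfix` (ntfs-3g) for clearing the dirty flag. Minor: "it wont care anymore" should be "won't".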
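Review bot: PATCH 4/8 (debian/changelog): the trailer line shows only `-- Tobias Bäumer Fri, 26 Jul 2024 21:00:00 +0200`; `dpkg-parsechangelog` requires the form ` -- Name <email>  date` (maintainer address in angle brackets, two spaces before the date), so verify the address is present in the committed file and not just lost in this rendering. The SELinux entry also differs from the one in ChangeLog and the Fedora spec (no mention of the Fedora 40 profile); if that is deliberate because the profile is Fedora-only, fine, otherwise keep the three changelogs in sync.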
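Review bot: PATCH 5/8 (fedora/SPECS/pam_usb.spec): the new `%changelog` entry is dated `Thu Jul 26 2024`, but 26 July 2024 is a Friday (the patch header itself says `Fri, 26 Jul 2024`), and rpmbuild warns about a bogus `%changelog` date when the weekday does not match. Change the line to `* Fri Jul 26 2024 Tobias Bäumer - 0.8.5`.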
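Review bot: PATCH 6/8 (tools/pamusb-conf and src/version.h): the release version is now hand-edited in seven places across the series (ChangeLog, debian/changelog, the spec, both PKGBUILDs, `PUSB_VERSION` in version.h and the literal `print('Version 0.8.5')` in `usage()`), which is how the stale `r549.gf015d91` suffix slipped through in the same patch. Consider having `pamusb-conf` read its version from a single generated file, or adding a release check that greps all of them for the same string.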
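Review bot: PATCH 8/8 (arch_linux/PKGBUILD_git): this only corrects the `pkgver` suffix that PATCH 6/8 set to the old `_r549.gf015d91` a few commits earlier, and PATCH 7/8 likewise only rewords the QUICKSTART sentence introduced in PATCH 3/8; squash both into the patches they fix so no intermediate commit in the series carries a stale version or the contradictory "prior to v0.8.5 ... currently" wording.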