#243: Prepare version 0.8.5 #244

Merged (8 commits, Jul 26, 2024)
7 changes: 7 additions & 0 deletions ChangeLog
@@ -1,3 +1,10 @@
* 0.8.5
[Feature] Support multiple devices per user
[Enhancement] Misc. memory and string handling stuff
[Enhancement] Deny if pads can't be updated
[Enhancement] SELinux! There is now a profile for Fedora 40 (not installed automatically!) and a doc on how to create your own (see Wiki)
[Bugfix] LC_ALL usage

* 0.8.4
[Bugfix] loginctl usage was not sh compatible
[Bugfix] Misc. fixes related to memory handling
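Review bot: the "[Enhancement] Deny if pads can't be updated" entry is a behaviour change users will notice as a new login denial (pam_usb now fails closed when the one-time pad files cannot be rewritten), so the entry should say what the user sees and how to recover, e.g. point at the "Pad checking failed!" section of doc/TROUBLESHOOTING or add a matching entry there; as written, a reader of the changelog cannot tell that this is a security-relevant fail-closed change rather than a cosmetic one.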
2 changes: 1 addition & 1 deletion arch_linux/PKGBUILD_git
Expand Up @@ -2,7 +2,7 @@
# Contributor: Pekka Helenius <fincer89 [at] hotmail [dot] com>

pkgname=pam_usb-git
pkgver=0.8.4_r549.gf015d91
pkgver=0.8.5_r559.g4e4cfaa
pkgrel=1
pkgdesc='Hardware authentication for Linux using ordinary flash media (USB & Card based).'
arch=($CARCH)
2 changes: 1 addition & 1 deletion arch_linux/PKGBUILD_stable
Expand Up @@ -2,7 +2,7 @@
# Contributor: Pekka Helenius <fincer89 [at] hotmail [dot] com>

pkgname=pam_usb
pkgver=0.8.4
pkgver=0.8.5
pkgrel=1
pkgdesc='Hardware authentication for Linux using ordinary flash media (USB & Card based).'
arch=($CARCH)
9 changes: 9 additions & 0 deletions debian/changelog
@@ -1,3 +1,12 @@
libpam-usb (0.8.5) unstable; urgency=medium
* [Feature] Support multiple devices per user
* [Enhancement] Misc. memory and string handling stuff
* [Enhancement] Deny if pads can't be updated
* [Enhancement] SELinux! Wiki now has a doc on how to create your own profile
* [Bugfix] LC_ALL usage

-- Tobias Bäumer <[email protected]> Fri, 26 Jul 2024 21:00:00 +0200

libpam-usb (0.8.4) unstable; urgency=medium
* [Bugfix] loginctl usage was not sh compatible
* [Bugfix] Misc. fixes related to memory handling
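Review bot: the SELinux line in this entry drops the detail that the ChangeLog and the RPM spec in this same PR carry (a ready-made profile for Fedora 40 exists under `selinux/` and is not installed automatically); the three changelogs should say the same thing, and the "not installed automatically" part is the one a Debian user with SELinux enabled needs to read. Suggest "* [Enhancement] SELinux! There is now a profile for Fedora 40 (not installed automatically!) and a doc on how to create your own (see Wiki)".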
12 changes: 9 additions & 3 deletions doc/CONFIGURATION
Expand Up @@ -8,6 +8,8 @@ The configuration file is formatted in XML and subdivided in 4 sections:
* Users declaration and settings
* Services declaration and settings

Note that for changes to the agent / events config you need to restart the agent service for them to take effect. Other changes are picked up on next pam_usb usage.

The syntax is the following:

```xml
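Review bot: the new restart note should name the unit that has to be restarted (the Agent section later in this file describes it as a system service, but never gives the reader the unit name or command) and should say which part of the file counts as "agent / events config", i.e. the `<agent>` element of a `<user>` per the table below; otherwise the reader is left to guess which edits need a restart and which are "picked up on next pam_usb usage".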
Expand Down Expand Up @@ -104,8 +106,6 @@ The syntax is the following:
Some cheap devices don't report a vendor and/or model. To use these devices you can use "Generic" for these values, then it won't be checked.
Be aware that this reduces security if you have `one_time_pads` disabled since the device containing the volume won't be checked anymore (but these attributes could be faked with a custom firmware anyway).

You can configure as many devices as you want, but each user can only be configured to use a single device (currently).

### Example:

```xml
Expand All @@ -127,6 +127,8 @@ You can configure as many devices as you want, but each user can only be configu
| `device` | Element | `id` of the device associated to the user | `MyDevice` |
| `agent` | Element | Agent commands, for use with pamusb-agent | |

Note that one `<user>` can have multiple `<device>` (from v0.8.5 up).

### Agent

The agent is to be run as system service. If you installed by using the debian package it will automatically be configured as
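Review bot: "Note that one `<user>` can have multiple `<device>` (from v0.8.5 up)." leaves the authentication semantics undocumented: it should state whether the presence of any one of the listed devices is enough to authenticate the user, and whether each device keeps its own one-time pads, since `one_time_pads` is discussed just above and the pad sync behaviour is what users will hit first. The `device` table row above should also reflect the change, e.g. "| `device` | Element (may repeat) | `id` of a device associated to the user | `MyDevice` |".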
Expand Down Expand Up @@ -224,13 +226,17 @@ sudo pamusb-conf --add-device=<devicename>

where `<devicename>` is a recognizable name for your device. This value is used internally in the configuration file as device `id` value and in output shown to users. (Note: because of it being used as an XML attribute value, it shouldn't contain ampersands etc.)

You can do this for multiple devices obviously.

3. Add necessary user configuration into `/etc/security/pam_usb.conf` by running:

```
sudo pamusb-conf --add-user=<username>
```

where `<username>` is a valid Unix user name.
where `<username>` is a valid Unix user name.

If you added multiple devices you can repeat this command to choose an additional device for this user (from v0.8.5 up).

4. Tweak `/etc/security/pam_usb.conf` manually as desired. Link devices and users, etc.
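Review bot: in step 3 the sentence "you can repeat this command to choose an additional device for this user" should say that a repeated `pamusb-conf --add-user=<username>` appends another `<device>` to the existing `<user>` element rather than replacing it, since that is the question a reader adding a second device will have; "You can do this for multiple devices obviously." reads better without "obviously". The two `where <username> is a valid Unix user name.` lines are identical in the rendered diff, so that change is presumably whitespace only and can be dropped from the PR.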

2 changes: 1 addition & 1 deletion doc/QUICKSTART
Expand Up @@ -30,7 +30,7 @@ Once you've connected your USB device to the computer, use pamusb-conf to add it

Note that `MyDevice` can be any arbitrary name you'd like, but will be used as an XML attribute value so stay away from any special characters and stick to A-Z.

Also, you can add as many devices as you want. However, each user can currently only use a single device so additional devices can only be used for additional users.
Also, you can add as many devices as you want. However, in versions prior to v0.8.5 each user can only use a single device. So additional devices can only be used for additional users. Starting from v0.8.5 a single user can have multiple devices assigned as well.

Next, configure users you want to be able to authenticate with pam_usb:

12 changes: 12 additions & 0 deletions doc/SECURITY
@@ -1,3 +1,11 @@
# General note about security

`pam_usb` is intended as an "user comfort" utility. While it can enhance security, if used as a second factor, it can also reduce it.

Make sure you are aware of how it works and what you combine it with (see other warnings).

Also I want to point it that this isn't audited. I've tried to raise funds for it but there was literally no interest in it seemingly...

# Warning about XDMCP

You should under no circumstances enable pamusb and XDMCP at the same time. Most graphical login managers are whitelisted and will not be checked for "remoteness" since issue #51 was fixed. This means if you enable XDMCP and have a usb device for an already configured user attached anyone connecting to your X-Server could login as that user!
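Review bot: the comma placement in "While it can enhance security, if used as a second factor, it can also reduce it." makes the sentence say that using pam_usb as a second factor reduces security, the opposite of the intended point; suggest "While it can enhance security if used as a second factor, it can also reduce it if it is the only factor." Also "Also I want to point it that this isn't audited" should read "point out that".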
Expand All @@ -6,6 +14,10 @@ I repeat, UNDER NO CIRCUMSTANCES ENABLE PAMUSB AND XDMCP AT THE SAME TIME! Don't

Note: you shouldn't use XDMCP these days anyway...

# Warning about TeamViewer and x11vnc

Currently the local-check doesn't detect either TeamViewer or x11vnc connections. The same applies to gnome desktop sharing and I guess others also. There are attempts to resolve this, but even then there will likely always be some remote access software being able to circumvent the local check.

# Warning about remote access (SSH etc)

In the past there have been ways to circumvent the local check (see issue [#51](https://github.com/mcdope/pam_usb/issues/51) and also the "[cup of tee](https://github.com/mcdope/pam_usb/issues/39)"). I'm confident that all known ways are fixed now.
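Review bot: "The same applies to gnome desktop sharing and I guess others also." gives the reader no way to judge a tool that is not named here; the warning should state what the local check relies on (the 0.8.4 entry in this PR's changelogs shows it uses `loginctl`) so a reader can work out whether a given remote-access program will be seen as local, and it should end with the practical advice that pam_usb must not be the only factor on a host running such software. The parenthetical "[#51](https://github.com/mcdope/pam_usb/issues/51)" style used in the SSH section below would also fit the XDMCP section above, which cites issue #51 without a link.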
35 changes: 33 additions & 2 deletions doc/TROUBLESHOOTING
Expand Up @@ -59,7 +59,7 @@ But if it does: please create an issue which should contain the output of `w` an
Getting 'Pad checking failed!' when trying to authenticate
--------------

This error means that either the machine/host specific pad file on the device, or - more likely - the user specific pad file in your homedir is not in sync anymore.
This error means that either the machine/host specific pad file on the device, or - more likely - the user specific pad file in your homedir is not in sync anymore. It can also be caused if you use the same device on two computers and both share the same username (guess why I know :facepalm:).

It can happen if you remove the authentication device without unmounting it before, manually mess with the pad files (like copying from a previous device) or your system crashed before file buffers were written to the media and similar.

Expand All @@ -70,6 +70,37 @@ To resolve this you can use `pamusb-conf --reset-pads=<USERNAME>`, which will re
Agent configuration / commands don't work like expected
--------------

You have restarted the agent service after your config changes, right? RIIIIIIGHT? Seriously, you need to restart it for changes to be picked up.

The agent will log all executed commands, as well as their exitcode; stdout and stderr (since v0.8.3). You can view this log either via systemd, or - easier - by `tail`'ing `/var/log/auth.log`.

You can use this to a) verify your config is picked up like expected and b) configured commands do what you want. For some programs, esp. ones expecting to be run within a graphical environment, you will have to provide environment values via `<env>` tags in the agent configuration. Usually the log will provide you with some good clues. But feel free to open a support issue if you need help.
You can use this to a) verify your config is picked up like expected and b) configured commands do what you want. For some programs, esp. ones expecting to be run within a graphical environment, you will have to provide environment values via `<env>` tags in the agent configuration. Usually the log will provide you with some good clues. But feel free to open a support issue if you need help.


pam_usb not working in login manager when the device wasn't plugged before login manager started / always asked for password
--------------

Are you using `lightdm` by any chance?

Some login managers auto-select the first user they have in their list. This starts the pam chain and pam_usb will see "device is not plugged" and deny the request. At that point then pam_unix (or whatever your next module is) kicks in and asks for the password. This is intended behavior in pam_usb - the actual issue here is the login manager assuming which user wants to login.

Even if you now plug the device, from pam_usb POV the request is failed/finished and it wont care anymore. You will have to press [ESC] to abort the current authentication request and click/select the user again (if not auto-selected).

It's planned to implement a workaround for this in #221, but no ETA for that.


My media isn't accepted after I unplugged it before
--------------

Is that media NTFS formatted? NTFS really doesn't like unplugging while being mounted. It becomes flagged as "dirty" and you will have to run `chkdsk /R /F /V` on it.

It isn't NTFS? That's a bug most likely, please report it as issue.

SELinux and pam_usb
--------------

If you have SELinux enabled you will likely get errors with pam_usb. At least on Fedora 40 you need to allow some things that are by default denied.

There is now a profile available for Fedora 40 that you can install to allow pam_usb to work like intended. To install it download both files from `selinux/<yourDistribution>` to some directory, open a shell in that directory and then run `semodule login.pp`. Replace "login" with the actual profile you want to install, but so far there is only one for login. It may work on other distributions or releases, too but this is untested.

In case it doesn't work for you, see the discussion at https://github.com/mcdope/pam_usb/discussions/241 to find out how to create your own profile.
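Review bot: `semodule login.pp` will not install the module; semodule needs the install action, so the instruction should read `sudo semodule -i login.pp`. In the same section, "download both files from `selinux/<yourDistribution>`" should name the files so the reader can check they have the right ones. Two smaller points in this hunk: the agent-log paragraph says "via systemd" but only spells out `tail`'ing `/var/log/auth.log`, which does not exist on a default Fedora install, so give the `journalctl` form as well given that this file now targets Fedora users; and `chkdsk /R /F /V` is a Windows command, so the NTFS paragraph should say the volume has to be checked from Windows, or mention that `ntfsfix -d` from ntfs-3g can clear the dirty flag on Linux without a full repair.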
2 changes: 1 addition & 1 deletion doc/pamusb-conf.1
Expand Up @@ -31,7 +31,7 @@ Add a device
.TP
.B
\fB--add-user\fP, \fB-u\fP
Add a user
Add a user (you can call this multiple times, to add multiple devices for a single user)
.TP
.B
\fB--yes\fP, \fB-y\fP
7 changes: 7 additions & 0 deletions fedora/SPECS/pam_usb.spec
Expand Up @@ -56,6 +56,13 @@ rm -rf %{buildroot}/usr/share/pam-configs
%doc %attr(0644,root,root) /usr/share/doc/pam_usb/TROUBLESHOOTING

%changelog
* Thu Jul 26 2024 Tobias Bäumer <[email protected]> - 0.8.5
- [Feature] Support multiple devices per user
- [Enhancement] Misc. memory and string handling stuff
- [Enhancement] Deny if pads can't be updated
- [Enhancement] SELinux! There is now a profile for Fedora 40 (not installed automatically!) and a doc on how to create your own (see Wiki)
- [Bugfix] LC_ALL usage

* Thu Jan 04 2024 Tobias Bäumer <[email protected]> - 0.8.4
- [Bugfix] loginctl usage was not sh compatible
- [Bugfix] Misc. fixes related to memory handling
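Review bot: the new %changelog header has the wrong weekday: 26 Jul 2024 was a Friday (the debian/changelog entry in this PR correctly says `Fri, 26 Jul 2024`), so the line should read `* Fri Jul 26 2024 Tobias Bäumer <...> - 0.8.5`; rpmbuild reports the mismatch as a bogus date warning in %changelog.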
2 changes: 1 addition & 1 deletion src/version.h
Expand Up @@ -18,6 +18,6 @@
#ifndef PUSB_VERSION_H_
# define PUSB_VERSION_H_

# define PUSB_VERSION "0.8.4"
# define PUSB_VERSION "0.8.5"

#endif /* !PUSB_VERSION_H_ */
2 changes: 1 addition & 1 deletion tools/pamusb-conf
Expand Up @@ -386,7 +386,7 @@ def resetPads():
sys.exit(0)

def usage():
print('Version 0.8.4')
print('Version 0.8.5')
print('Usage: %s [--help] [--verbose] [--yes] [--config=path] [--reset-pads=username] [--add-user=name | --add-device=name [[--device=number] [--volume=number]]' % os.path.basename(__file__))
sys.exit(1)
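Review bot: the version string is now maintained by hand in five places in this PR (src/version.h, tools/pamusb-conf, both PKGBUILDs and the spec), which is how the Fedora spec ended up with a different weekday from the Debian changelog; consider having the build or a release script derive the others from `PUSB_VERSION` in src/version.h, or at least having `usage()` read it instead of carrying the literal `print('Version 0.8.5')`. The unchanged usage line also has unbalanced brackets: `[--add-user=name | --add-device=name [[--device=number] [--volume=number]]` opens four `[` and closes three.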
