pam_usbng 0.2

pam_usbng is a USB authentication module for PAM.

Easy and secure authentication through ordinary USB storage devices

With a couple of security-related concepts in mind, pam_usbng lets users easily set up a USB storage device to serve as the basis for system-wide authentication through PAM.

Easy setup of rescue devices

If the main device gets lost or stolen, you will be glad to have an additional, preconfigured rescue device for your account. Since the authentication information on a device cannot simply be copied and reused, pam_usbng provides a simple and efficient way to create so-called rescue devices that serve as a fallback.

The software automatically recognizes when a rescue device has been used for authentication and can perform several actions in response, for example immediately locking the old (main) device, limiting the number of further authentications, and more.

Multi-user/Multi-token capability

pam_usbng can hold a large number of authentication fingerprints for different users on a single device, and it also supports multiple devices for multiple users.

1- or 2-factor authentication

You can also tell pam_usbng to require a specific passphrase or PIN in addition to the device. This passphrase is independent of the passwords of normal system accounts, unlike stacking an additional password module in PAM, which would simply check the account password again.

Interoperability with normal storage media

When dedicating a USB device as an authentication token, you can still use almost all of its space for normal data storage. This even works on Windows systems, which commonly do not handle multi-partitioned flash devices well.

Event-based scripting interface

pam_usbng introduces a new event-scripting interface. When certain events occur (for example, when the USB authentication device has been plugged in, or when an authentication has failed), you can define hooks that execute any script you like when the event is triggered.

USB device verification (physical dependency)

The USB authentication device is checked against certain values stored directly in the hardware, such as the vendor name and serial number. These values cannot easily be modified (at least if you don't work at the NSA) and therefore provide a basis for physical device dependency. Note that the host only sees what the device reports in its USB descriptors, so this binding deters copying with ordinary tools rather than defending against purpose-built USB hardware that presents arbitrary descriptor values.

This means that even if the entire authentication data on your device is copied byte for byte to another device, authentication will still not succeed. This helps prevent a thief who copies your data from replicating the device.

Smart layout of authentication fingerprints

Everything stored on the authentication device is designed to be useless to attackers and thieves on its own: neither usernames nor passwords, timestamps, or other valuable information are stored on the device itself.

Built-in fully transparent one-time password engine

The authentication information on the device is valid for exactly one login. Every time an authentication succeeds, pam_usbng performs a password-regeneration procedure that calculates a new password for the next authentication and writes it to the device accordingly.
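The two properties described above, binding the stored data to the hardware's vendor name and serial number, and replacing the stored data after every successful login, can be modelled together. The following is an added example written for this page; it is not pam_usbng's code and does not reproduce its on-device format. It assumes a hypothetical host-side record holding a per-user secret and a login counter, and the descriptor values for the two sticks are constructed sample data. The token on the stick is an HMAC over the device fingerprint and the counter, so a byte-for-byte copy onto a stick with a different serial fails, a replayed token fails, and the stored bytes look like random data.

```python
import hashlib
import hmac
import secrets

# Constructed sample descriptor values, as a host would read them from the
# device (e.g. via sysfs). Names and values are made up for this example.
MAIN_STICK = {"vendor": "ExampleVendor", "serial": "0123456789AB"}
CLONE_STICK = {"vendor": "ExampleVendor", "serial": "FFEEDDCCBBAA"}


def device_fingerprint(descriptors):
    """Hash of what the hardware reports: vendor name and serial number."""
    raw = descriptors["vendor"].encode() + b"\0" + descriptors["serial"].encode()
    return hashlib.sha256(raw).digest()


def make_token(user_secret, descriptors, counter):
    """Token written to the stick for login number `counter`.

    An HMAC over the device fingerprint and the counter: it carries no
    username, password or timestamp, and is indistinguishable from random
    bytes without the host-side secret.
    """
    msg = device_fingerprint(descriptors) + counter.to_bytes(8, "big")
    return hmac.new(user_secret, msg, hashlib.sha256).digest()


class HostRecord:
    """Hypothetical host-side state per user: a secret and the expected counter."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)
        self.counter = 0

    def provision(self, descriptors):
        """Initial token to write to a freshly enrolled stick."""
        return make_token(self.secret, descriptors, self.counter)

    def authenticate(self, descriptors, token_on_device):
        """Return the next token to write to the stick on success, else None."""
        expected = make_token(self.secret, descriptors, self.counter)
        if not hmac.compare_digest(expected, token_on_device):
            return None  # wrong hardware, replayed token, or garbage
        # Success: the old token is now useless; regenerate for the next login.
        self.counter += 1
        return make_token(self.secret, descriptors, self.counter)


def demo():
    """Walk through genuine login, replay, hardware clone, and second login."""
    host = HostRecord()
    stick_data = host.provision(MAIN_STICK)
    results = {}

    # 1. A normal login with the real stick succeeds and rotates the token.
    new_data = host.authenticate(MAIN_STICK, stick_data)
    results["genuine"] = new_data is not None

    # 2. Presenting the previous token again (e.g. from a backup image) fails.
    results["replay"] = host.authenticate(MAIN_STICK, stick_data) is None

    # 3. A byte-for-byte copy of the current data onto different hardware fails,
    #    because the expected token is bound to the other stick's serial.
    results["clone"] = host.authenticate(CLONE_STICK, new_data) is None

    # 4. The real stick, carrying the regenerated data, still works.
    results["genuine_again"] = host.authenticate(MAIN_STICK, new_data) is not None
    return results


if __name__ == "__main__":
    print(demo())
```

The failed attempts in steps 2 and 3 deliberately do not advance the counter, so an attacker cannot lock the legitimate user out by feeding the host bad tokens. A real implementation would also have to write the regenerated token to the stick atomically, since a crash between verification and the write would leave the device one step behind the host.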

Untraceable data hiding on rescue devices

Rescue devices offer one more security mechanism: the stored data cannot be distinguished from random bytes, so it is not possible to determine whether the device holds any authentication information at all. A thief cannot tell whether the data on the device could serve as authentication data or is just garbage.

Filesystem & HAL independence

Neither filesystem drivers nor HAL routines are required to run pam_usbng.

Focus on secure implementation

The whole implementation process had security as its highest priority. Nevertheless, I can't promise that there are no bugs. If you find a bug, I'd be pleased if you tell me.

last updated on:
July 24th, 2008, 20:05 GMT
license type:
GPL (GNU General Public License) 
developed by:
Erik Sonnleitner