pam_panic/man/man8/pam_panic.8

'\" t
.\"     Title: pam_panic
.\"    Author: [see the "AUTHORS" section]
.\"      Date: 2018-03-26
.\"    Manual: Linux-PAM Panic Manual
.\"    Source: Linux-PAM Panic Manual
.\"  Language: English
.\"
.TH "PAM_PANIC" "8" "2018-03-26" "PAM Panic Manual" "PAM Panic Manual"
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------


.SH "NAME"
pam_panic \- PAM module for access control using removable media (with panic function)


.SH "SYNOPSIS"
.HP \w'\fBpam_panic\&.so\fR\ 'u
\fBpam_panic\&.so\fR [allow=\fIUUID(GPT)\fR] [reject=\fIUUID(GPT)\fR] [reboot] [poweroff] [serious=\fIUUID\fR]


.SH "DESCRIPTION"
.PP
The pam_panic PAM module protects sensitive data and provides a panic function for emergency situations\&.
.PP
There are two removable media which work as keys: the auth key and the panic key\&. The auth key will let you pass to the password prompt whereas the panic key, if provided, will securely erase the LUKS header, rendering the data unreadable\&.

.SH "OPTIONS"
.PP
\fBallow=\fR\fB\fIUUID(GPT)\fR\fR (required)
.RS 4
The UUID of the device to be used for authentication (the auth key)\&.
.PD 0
.PP
.PD 1
The device must have a GPT-formatted device with at least one partition on it\&.
The UUID of a GPT-formatted device looks like "12345678-9ABC-DEF0-1234-56789ABCDEF0"\&. 
.PP
See \fBHOW TO DETERMINE MY UUIDS\fR for details\&.
.RE
.PP

\fBreject=\fR\fB\fIUUID(GPT)\fR\fR (required)
.RS 4
The UUID of the device to be used in emergencies. The presence of this device will trigger \fBreboot\fR, \fBpoweroff\fR and/or the panic function, depending on whether \fBreboot\fB, \fBpoweroff\fB, and/or \fBserious\fB are specified.
.PD 0
.PP
.PD 1
The device must have a GPT-formatted device with at least one partition on it\&.
The UUID of a GPT-formatted device looks like "12345678-9ABC-DEF0-1234-56789ABCDEF0"\&. 
.PP
See \fBHOW TO DETERMINE MY UUIDS\fR for details\&.
.RE
.PP

\fBreboot\fR (recommended)
.RS 4
Indicates that the system should reboot upon encountering the device specified with \fBreject\fR\&.
.PP
If \fBpoweroff\fR is also specified, \fBreboot\fR will be ignored\&.
.RE
.PP

\fBpoweroff\fR
.RS 4
Indicates that the system should shut down upon encountering the device specified with \fBreject\fR\&.
This option is discouraged for security reasons\&.
.RE
.PP

\fBserious=\fR\fB\fIUUID\fR\fR
.RS 4
The UUID of the device containing the LUKS header to erase upon encountering the device specified with \fBreject\fR\&.
.PP
NOTE: You should make a backup of the LUKS header before using this function\&.
.RE
.PP


.SH "USAGE"
.PP
To activate the module you have to configure PAM\&. See \fBpam\&.conf(5)\fR for details\&.
.PP
In general, you will want to add the following to the top of a PAM configuration file:
.PD 0
.RS 4
auth       requisite    pam_panic\&.so auth=<UUID> reject=<UUID> reboot serious=<UUID>
.PP
account    requisite    pam_panic\&.so
.RE
.PD 1


.SH "HOW TO DETERMINE MY UUIDS"
.PP
You will find your UUIDs in \fI/dev/disk/by-partuuid\fR\&.
You might want to execute "\fBls -l /dev/disk/by-partuuid/\fR" in your favourite shell to find out which UUID is which device\&.


.SH "RETURN VALUES"
.PP
PAM_SUCCESS
.RS 4
Access was granted\&.
.RE
.PP
PAM_IGNORE
.RS 4
An error has occured\&. The module will be ignored.\&.
.RE
.PP
PAM_MAXTRIES
.RS 4
The removable media was not detected\&.
.RE


.SH "FILES"
.PP
/lib/*/security/pam_panic\&.so
.RS 4
This PAM module\&.
.RE


.SH "BUGS"
.PP
Please report bugs and send pull requests to <https://github\&.com/Bandie/pam_panic>\&.


.SH "SEE ALSO"
.PP
\fBcryptsetup\fR(8), \fBpam\fR(8), \fBpam\&.conf\fR(5)


.SH "AUTHORS"
.PD 0
.PP
pam_panic was written by Bandie <bandie@chaospott\&.de>\&.
.PP
This man page has been revised by Jordy Dickinson <jordy\&.dickinson@icloud\&.com>
Creating gz with Make 2018-03-28 02:34:52 +00:00			`'\" t`
			`.\" Title: pam_panic`
			`.\" Author: [see the "AUTHORS" section]`
			`.\" Date: 2018-03-26`
			`.\" Manual: Linux-PAM Panic Manual`
			`.\" Source: Linux-PAM Panic Manual`
			`.\" Language: English`
			`.\"`
			`.TH "PAM_PANIC" "8" "2018-03-26" "PAM Panic Manual" "PAM Panic Manual"`
			`.ie \n(.g .ds Aq \(aq`
			`.el .ds Aq '`
			`.\" -----------------------------------------------------------------`
			`.\" * set default formatting`
			`.\" -----------------------------------------------------------------`
			`.\" disable hyphenation`
			`.nh`
			`.\" disable justification (adjust text to left margin only)`
			`.ad l`
			`.\" -----------------------------------------------------------------`
			`.\" * MAIN CONTENT STARTS HERE *`
			`.\" -----------------------------------------------------------------`


			`.SH "NAME"`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`pam_panic \- PAM module for access control using removable media (with panic function)`
Creating gz with Make 2018-03-28 02:34:52 +00:00

			`.SH "SYNOPSIS"`
			`.HP \w'\fBpam_panic\&.so\fR\ 'u`
			`\fBpam_panic\&.so\fR [allow=\fIUUID(GPT)\fR] [reject=\fIUUID(GPT)\fR] [reboot] [poweroff] [serious=\fIUUID\fR]`


			`.SH "DESCRIPTION"`
			`.PP`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`The pam_panic PAM module protects sensitive data and provides a panic function for emergency situations\&.`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.PP`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`There are two removable media which work as keys: the auth key and the panic key\&. The auth key will let you pass to the password prompt whereas the panic key, if provided, will securely erase the LUKS header, rendering the data unreadable\&.`
Creating gz with Make 2018-03-28 02:34:52 +00:00
			`.SH "OPTIONS"`
			`.PP`
			`\fBallow=\fR\fB\fIUUID(GPT)\fR\fR (required)`
			`.RS 4`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`The UUID of the device to be used for authentication (the auth key)\&.`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.PD 0`
			`.PP`
			`.PD 1`
man page: GPT formated -> GPT-formatted 2018-03-28 03:48:13 +00:00			`The device must have a GPT-formatted device with at least one partition on it\&.`
			`The UUID of a GPT-formatted device looks like "12345678-9ABC-DEF0-1234-56789ABCDEF0"\&.`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.PP`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`See \fBHOW TO DETERMINE MY UUIDS\fR for details\&.`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.RE`
			`.PP`

			`\fBreject=\fR\fB\fIUUID(GPT)\fR\fR (required)`
			`.RS 4`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`The UUID of the device to be used in emergencies. The presence of this device will trigger \fBreboot\fR, \fBpoweroff\fR and/or the panic function, depending on whether \fBreboot\fB, \fBpoweroff\fB, and/or \fBserious\fB are specified.`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.PD 0`
			`.PP`
			`.PD 1`
man page: GPT formated -> GPT-formatted 2018-03-28 03:48:13 +00:00			`The device must have a GPT-formatted device with at least one partition on it\&.`
			`The UUID of a GPT-formatted device looks like "12345678-9ABC-DEF0-1234-56789ABCDEF0"\&.`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.PP`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`See \fBHOW TO DETERMINE MY UUIDS\fR for details\&.`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.RE`
			`.PP`

			`\fBreboot\fR (recommended)`
			`.RS 4`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`Indicates that the system should reboot upon encountering the device specified with \fBreject\fR\&.`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.PP`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`If \fBpoweroff\fR is also specified, \fBreboot\fR will be ignored\&.`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.RE`
			`.PP`

			`\fBpoweroff\fR`
			`.RS 4`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`Indicates that the system should shut down upon encountering the device specified with \fBreject\fR\&.`
			`This option is discouraged for security reasons\&.`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.RE`
			`.PP`

			`\fBserious=\fR\fB\fIUUID\fR\fR`
			`.RS 4`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`The UUID of the device containing the LUKS header to erase upon encountering the device specified with \fBreject\fR\&.`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.PP`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`NOTE: You should make a backup of the LUKS header before using this function\&.`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.RE`
			`.PP`


Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`.SH "USAGE"`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.PP`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`To activate the module you have to configure PAM\&. See \fBpam\&.conf(5)\fR for details\&.`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.PP`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`In general, you will want to add the following to the top of a PAM configuration file:`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.PD 0`
			`.RS 4`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`auth requisite pam_panic\&.so auth=<UUID> reject=<UUID> reboot serious=<UUID>`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.PP`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`account requisite pam_panic\&.so`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.RE`
			`.PD 1`


			`.SH "HOW TO DETERMINE MY UUIDS"`
			`.PP`
			`You will find your UUIDs in \fI/dev/disk/by-partuuid\fR\&.`
			`You might want to execute "\fBls -l /dev/disk/by-partuuid/\fR" in your favourite shell to find out which UUID is which device\&.`


			`.SH "RETURN VALUES"`
			`.PP`
			`PAM_SUCCESS`
			`.RS 4`
			`Access was granted\&.`
			`.RE`
			`.PP`
			`PAM_IGNORE`
			`.RS 4`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`An error has occured\&. The module will be ignored.\&.`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.RE`
			`.PP`
			`PAM_MAXTRIES`
			`.RS 4`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`The removable media was not detected\&.`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.RE`


			`.SH "FILES"`
			`.PP`
			`/lib/*/security/pam_panic\&.so`
			`.RS 4`
man page: kernel module -> PAM module 2018-03-28 03:38:47 +00:00			`This PAM module\&.`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.RE`


			`.SH "BUGS"`
			`.PP`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`Please report bugs and send pull requests to <https://github\&.com/Bandie/pam_panic>\&.`
Creating gz with Make 2018-03-28 02:34:52 +00:00

			`.SH "SEE ALSO"`
			`.PP`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`\fBcryptsetup\fR(8), \fBpam\fR(8), \fBpam\&.conf\fR(5)`
Creating gz with Make 2018-03-28 02:34:52 +00:00

			`.SH "AUTHORS"`
			`.PD 0`
			`.PP`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`pam_panic was written by Bandie <bandie@chaospott\&.de>\&.`
Creating gz with Make 2018-03-28 02:34:52 +00:00			`.PP`
Stylistic revisions of man page 2018-03-28 03:07:39 +00:00			`This man page has been revised by Jordy Dickinson <jordy\&.dickinson@icloud\&.com>`