'\" t
.\" Title: pam_panic
.\" Author: [see the "AUTHORS" section]
.\" Date: 2018-03-26
.\" Manual: Linux-PAM Panic Manual
.\" Source: Linux-PAM Panic Manual
.\" Language: English
.\"
.TH "PAM_PANIC" "8" "2018-03-26" "PAM Panic Manual" "PAM Panic Manual"
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pam_panic \- PAM module for access control using removable media (with panic function)
.SH "SYNOPSIS"
.HP \w'\fBpam_panic\&.so\fR\ 'u
\fBpam_panic\&.so\fR [allow=\fIUUID(GPT)\fR] [reject=\fIUUID(GPT)\fR] [reboot] [poweroff] [serious=\fIUUID\fR]
.SH "DESCRIPTION"
.PP
The pam_panic PAM module protects sensitive data and provides a panic function for emergency situations\&.
.PP
Two removable media work as keys: the auth key and the panic key\&. The auth key lets you pass to the password prompt, whereas the panic key, if provided, will securely erase the LUKS header, rendering the data unreadable\&.
.SH "OPTIONS"
.PP
\fBallow=\fR\fB\fIUUID(GPT)\fR\fR (required)
.RS 4
The UUID of the device to be used for authentication (the auth key)\&.
.PD 0
.PP
.PD 1
The device must be GPT-formatted with at least one partition on it\&. The UUID of a GPT-formatted device looks like "12345678-9ABC-DEF0-1234-56789ABCDEF0"\&.
.PP
See \fBHOW TO DETERMINE MY UUIDS\fR for details\&.
.RE
.PP
\fBreject=\fR\fB\fIUUID(GPT)\fR\fR (required)
.RS 4
The UUID of the device to be used in emergencies\&.
The presence of this device will trigger \fBreboot\fR, \fBpoweroff\fR and/or the panic function, depending on whether \fBreboot\fR, \fBpoweroff\fR, and/or \fBserious\fR are specified\&.
.PD 0
.PP
.PD 1
The device must be GPT-formatted with at least one partition on it\&. The UUID of a GPT-formatted device looks like "12345678-9ABC-DEF0-1234-56789ABCDEF0"\&.
.PP
See \fBHOW TO DETERMINE MY UUIDS\fR for details\&.
.RE
.PP
\fBreboot\fR (recommended)
.RS 4
Indicates that the system should reboot upon encountering the device specified with \fBreject\fR\&.
.PP
If \fBpoweroff\fR is also specified, \fBreboot\fR will be ignored\&.
.RE
.PP
\fBpoweroff\fR
.RS 4
Indicates that the system should shut down upon encountering the device specified with \fBreject\fR\&. This option is discouraged for security reasons\&.
.RE
.PP
\fBserious=\fR\fB\fIUUID\fR\fR
.RS 4
The UUID of the device containing the LUKS header to erase upon encountering the device specified with \fBreject\fR\&.
.PP
NOTE: You should make a backup of the LUKS header before using this function\&.
.RE
.PP
.SH "USAGE"
.PP
To activate the module you have to configure PAM\&. See \fBpam\&.conf(5)\fR for details\&.
.PP
In general, you will want to add the following to the top of a PAM configuration file:
.PD 0
.RS 4
auth requisite pam_panic\&.so auth= reject= reboot serious=
.PP
account requisite pam_panic\&.so
.RE
.PD 1
.SH "HOW TO DETERMINE MY UUIDS"
.PP
You will find your UUIDs in \fI/dev/disk/by-partuuid\fR\&. You might want to execute "\fBls -l /dev/disk/by-partuuid/\fR" in your favourite shell to find out which UUID is which device\&.
.SH "RETURN VALUES"
.PP
PAM_SUCCESS
.RS 4
Access was granted\&.
.RE
.PP
PAM_IGNORE
.RS 4
An error has occurred\&. The module will be ignored\&.
.RE
.PP
PAM_MAXTRIES
.RS 4
The removable media was not detected\&.
.RE
.SH "FILES"
.PP
/lib/*/security/pam_panic\&.so
.RS 4
This PAM module\&.
.RE
.SH "BUGS"
.PP
Please report bugs and send pull requests to \&.
.SH "SEE ALSO"
.PP
\fBcryptsetup\fR(8), \fBpam\fR(8), \fBpam\&.conf\fR(5)
.SH "AUTHORS"
.PD 0
.PP
pam_panic was written by Bandie \&.
.PP
This man page has been revised by Jordy Dickinson
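.PP
The shell function below is an added example, not part of pam_panic or of the original manual page: it lints one pam_panic line from a PAM configuration file against the rules given in OPTIONS. The function names are hypothetical, and accepting both the allow= spelling from SYNOPSIS and the auth= spelling from USAGE for the auth key is an assumption.

```shell
#!/bin/sh
# Added example: lint one pam_panic line against the rules in OPTIONS.
# Assumption: the auth-key option may be spelled "allow=" or "auth=".
UUID_RE='^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'

is_uuid() { printf '%s\n' "$1" | grep -Eq "$UUID_RE"; }

# Prints one finding per line; returns 1 if any ERROR was reported.
lint_pam_panic() {
    line=$1 key='' reject='' serious='' has_serious=0 reboot=0 poweroff=0 rc=0
    case $line in
        *pam_panic.so*) ;;
        *) echo "ERROR: not a pam_panic line"; return 1 ;;
    esac
    set -f   # no globbing while the module arguments are word-split
    for arg in ${line#*pam_panic.so}; do
        case $arg in
            allow=*|auth=*) key=${arg#*=} ;;
            reject=*)       reject=${arg#*=} ;;
            serious=*)      serious=${arg#*=}; has_serious=1 ;;
            reboot)         reboot=1 ;;
            poweroff)       poweroff=1 ;;
            *)              echo "WARN: unknown argument: $arg" ;;
        esac
    done
    set +f
    for pair in "auth key:$key" "reject:$reject"; do
        name=${pair%%:*} val=${pair#*:}
        if [ -z "$val" ]; then
            echo "ERROR: required $name UUID is missing"; rc=1
        elif ! is_uuid "$val"; then
            echo "ERROR: $name value is not in GPT UUID form: $val"; rc=1
        fi
    done
    # Sanity check added here, not stated on the page: the two keys must differ.
    if [ -n "$key" ] && [ "$key" = "$reject" ]; then
        echo "ERROR: auth key and panic key use the same UUID"; rc=1
    fi
    if [ "$has_serious" -eq 1 ] && [ -z "$serious" ]; then
        echo "ERROR: serious= has no UUID"; rc=1
    elif [ "$has_serious" -eq 1 ]; then
        echo "NOTE: back up the LUKS header of $serious before relying on serious="
    fi
    if [ "$poweroff" -eq 1 ]; then
        echo "WARN: poweroff is discouraged for security reasons"
        if [ "$reboot" -eq 1 ]; then echo "WARN: reboot is ignored when poweroff is set"; fi
    fi
    return "$rc"
}

if [ "$#" -gt 0 ]; then lint_pam_panic "$*"; fi
```

Run against the USAGE line with its UUIDs left unfilled, the function reports the missing auth key, reject and serious values and returns 1.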