'\" t
.\" Title: pam_panic
.\" Author: [see the "AUTHORS" section]
.\" Date: 2018-03-26
.\" Manual: Linux-PAM Panic Manual
.\" Source: Linux-PAM Panic Manual
.\" Language: English
.\"
.TH "PAM_PANIC" "8" "2018-03-26" "PAM Panic Manual" "PAM Panic Manual"
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pam_panic \- PAM module for access control using removable media, with a panic function
.SH "SYNOPSIS"
.HP \w'\fBpam_panic\&.so\fR\ 'u
\fBpam_panic\&.so\fR [allow=\fIUUID(GPT)\fR] [reject=\fIUUID(GPT)\fR] [reboot] [poweroff] [serious=\fIUUID\fR]
.SH "DESCRIPTION"
.PP
The pam_panic PAM module is meant to protect people who have valuable data on their computer\&. It provides a panic function\&.
.PP
There are two removable media which work as keys: one is the auth key and one is the panic key\&.
The auth key will let you pass to the password prompt\&.
The panic key will call the panic function which, if configured, executes "\fBcryptsetup luksErase [UUID]\fR"\&. This will destroy the luksHeader safely\&.
This means that your data will no longer be readable by anyone\&.
.SH "OPTIONS"
.PP
\fBallow=\fR\fB\fIUUID(GPT)\fR\fR (required)
.RS 4
This device UUID is used for authentication (auth key)\&.
.PD 0
.PP
.PD 1
A GPT formatted device with at least one partition on it is required\&.
The UUID of a GPT formatted device looks like "12345678-9ABC-DEF0-1234-56789ABCDEF0"\&.
.PP
See more in the section \fBHOW TO DETERMINE MY UUIDS\fR\&.
.RE
.PP
\fBreject=\fR\fB\fIUUID(GPT)\fR\fR (required)
.RS 4
Inserting the device with this UUID (panic key) will trigger \fBreboot\fR, \fBpoweroff\fR and/or the panic function \fBserious\fR, if these are stated\&.
.PD 0
.PP
.PD 1
A GPT formatted device with at least one partition on it is required\&.
The UUID of a GPT formatted device looks like "12345678-9ABC-DEF0-1234-56789ABCDEF0"\&.
.PP
See more in the section \fBHOW TO DETERMINE MY UUIDS\fR\&.
.RE
.PP
\fBreboot\fR (recommended)
.RS 4
Stating this argument will cause a reboot after the device stated in \fBreject=UUID(GPT)\fR has been inserted\&.
You might want that option\&.
.PP
If \fBpoweroff\fR is also stated, the argument \fBreboot\fR will be ignored\&.
.RE
.PP
\fBpoweroff\fR
.RS 4
Stating this argument will cause a shutdown after the device stated in \fBreject=UUID(GPT)\fR has been inserted\&.
For security reasons you should abstain from this option\&.
.RE
.PP
\fBserious=\fR\fB\fIUUID\fR\fR
.RS 4
The UUID of the device whose luksHeaders will be erased if the device stated in \fBreject=UUID(GPT)\fR has been inserted\&.
.PP
(You should make a luksHeader backup before using this function\&.)
.RE
.PP
.SH "HOW DO I USE IT"
.PP
To activate the module you have to change one or more files in \fI/etc/pam.d/\fR\&.
There you will find the config files of the services and programs which use the PAM modules\&.
For the general authentication config on Ubuntu, "\fIcommon-auth\fR" might be interesting for you\&.
For other distributions you might want to look into the distribution's wiki\&.
.PP
Put the following lines at the top of the config file:
.PD 0
.RS 4
auth requisite pam_panic.so allow=<UUID> reject=<UUID> reboot serious=<UUID>
.PP
account requisite pam_panic.so
.RE
.PD 1
.SH "HOW TO DETERMINE MY UUIDS"
.PP
You will find your UUIDs in \fI/dev/disk/by-partuuid\fR\&.
You might want to execute "\fBls -l /dev/disk/by-partuuid/\fR" in your favourite shell to find out which UUID is which device\&.
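.PP
A pre-flight check for the configuration line described in the two sections above, as an added example that is not part of the pam_panic project\&. The function names are hypothetical; the rule that allow= and reject= must differ, and the rule that only auth lines need the required arguments, are assumptions of this example\&.

```sh
#!/bin/sh
# Added example: lint one pam_panic line before it goes into /etc/pam.d/.
# Assumptions of this example (not documented module behaviour): allow= and
# reject= must differ, and only "auth" lines need the required arguments.

is_gpt_uuid() {  # 8-4-4-4-12 hex digits, as in the OPTIONS section
    printf '%s\n' "$1" |
        grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Prints one finding per line; returns 0 if the line is usable, 1 otherwise.
check_pam_panic_line() {
    allow='' reject='' serious='' reboot=0 poweroff=0 rc=0 seen=0 type=''
    set -f                                   # no globbing while word-splitting
    for word in $1; do
        [ -n "$type" ] || type=$word         # first word is the PAM type
        if [ "$seen" -eq 0 ]; then           # skip up to the module name
            case $word in pam_panic.so|*/pam_panic.so) seen=1 ;; esac
            continue
        fi
        case $word in
            allow=*)   allow=${word#allow=} ;;
            reject=*)  reject=${word#reject=} ;;
            serious=*) serious=${word#serious=} ;;
            reboot)    reboot=1 ;;
            poweroff)  poweroff=1 ;;
            *) echo "ERROR: unknown argument '$word'"; rc=1 ;;
        esac
    done
    set +f
    [ "$seen" -eq 1 ] || { echo "ERROR: not a pam_panic.so line"; return 1; }
    [ "$type" = auth ] || return "$rc"
    for key in allow reject; do
        eval "val=\$$key"
        if [ -z "$val" ]; then echo "ERROR: $key= is required"; rc=1
        elif ! is_gpt_uuid "$val"; then echo "ERROR: $key= is not a GPT UUID"; rc=1
        fi
    done
    [ -z "$allow" ] || [ "$allow" != "$reject" ] ||
        { echo "ERROR: allow= and reject= name the same device"; rc=1; }
    [ "$reboot" -eq 0 ] || [ "$poweroff" -eq 0 ] ||
        echo "WARN: reboot is ignored because poweroff is also stated"
    [ -z "$serious" ] ||
        echo "WARN: serious= erases luksHeaders; make a luksHeader backup first"
    return "$rc"
}
# Constructed sample line with a made-up UUID used for both keys.
U=11111111-2222-3333-4444-555555555555
check_pam_panic_line "auth requisite pam_panic.so allow=$U reject=$U reboot poweroff" || true
```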
.SH "RETURN VALUES"
.PP
PAM_SUCCESS
.RS 4
Access was granted\&.
.RE
.PP
PAM_IGNORE
.RS 4
An error has occurred\&. This module will be ignored\&.
.RE
.PP
PAM_MAXTRIES
.RS 4
The removable media has not been detected\&.
.RE
.SH "FILES"
.PP
/lib/*/security/pam_panic\&.so
.RS 4
Shared object file which does all the work\&.
.RE
.PP
/usr/share/man/*/man8/pam_panic\&.8\&.gz
.RS 4
The man pages\&.
.RE
.SH "BUGS"
.PP
Please report bugs or submit merge requests at https://github.com/Bandie/pam_panic
.SH "SEE ALSO"
.PP
\fBcryptsetup\fR(8),
\fBpam.d\fR(5),
\fBpam\fR(8)\&.
.SH "AUTHORS"
.PD 0
.PP
This pam_panic PAM module was developed by Bandie <bandie@chaospott\&.de>\&.
.PP
This man page has been revised by