153 lines
4.1 KiB
Groff
153 lines
4.1 KiB
Groff
'\" t
|
|
.\" Title: pam_panic
|
|
.\" Author: [see the "AUTHORS" section]
|
|
.\" Date: 2018-03-26
|
|
.\" Manual: Linux-PAM Panic Manual
|
|
.\" Source: Linux-PAM Panic Manual
|
|
.\" Language: English
|
|
.\"
|
|
.TH "PAM_PANIC" "8" "2018-03-26" "PAM Panic Manual" "PAM Panic Manual"
|
|
.ie \n(.g .ds Aq \(aq
|
|
.el .ds Aq '
|
|
.\" -----------------------------------------------------------------
|
|
.\" * set default formatting
|
|
.\" -----------------------------------------------------------------
|
|
.\" disable hyphenation
|
|
.nh
|
|
.\" disable justification (adjust text to left margin only)
|
|
.ad l
|
|
.\" -----------------------------------------------------------------
|
|
.\" * MAIN CONTENT STARTS HERE *
|
|
.\" -----------------------------------------------------------------
|
|
|
|
|
|
.SH "NAME"
|
|
pam_panic \- PAM module for access control using removable media (with panic function)
|
|
|
|
|
|
.SH "SYNOPSIS"
|
|
.HP \w'\fBpam_panic\&.so\fR\ 'u
|
|
\fBpam_panic\&.so\fR [allow=\fIUUID(GPT)\fR] [reject=\fIUUID(GPT)\fR] [reboot] [poweroff] [serious=\fIUUID\fR]
|
|
|
|
|
|
.SH "DESCRIPTION"
|
|
.PP
|
|
The pam_panic PAM module protects sensitive data and provides a panic function for emergency situations\&.
|
|
.PP
|
|
There are two removable media which work as keys: the auth key and the panic key\&. The auth key will let you pass to the password prompt whereas the panic key, if provided, will securely erase the LUKS header, rendering the data unreadable\&.
|
|
|
|
.SH "OPTIONS"
|
|
.PP
|
|
\fBallow=\fR\fB\fIUUID(GPT)\fR\fR (required)
|
|
.RS 4
|
|
The UUID of the device to be used for authentication (the auth key)\&.
|
|
.PD 0
|
|
.PP
|
|
.PD 1
|
|
The device must have a GPT-formatted device with at least one partition on it\&.
|
|
The UUID of a GPT-formatted device looks like "12345678-9ABC-DEF0-1234-56789ABCDEF0"\&.
|
|
.PP
|
|
See \fBHOW TO DETERMINE MY UUIDS\fR for details\&.
|
|
.RE
|
|
.PP
|
|
|
|
\fBreject=\fR\fB\fIUUID(GPT)\fR\fR (required)
|
|
.RS 4
|
|
The UUID of the device to be used in emergencies. The presence of this device will trigger \fBreboot\fR, \fBpoweroff\fR and/or the panic function, depending on whether \fBreboot\fR, \fBpoweroff\fR, and/or \fBserious\fR are specified.
|
|
.PD 0
|
|
.PP
|
|
.PD 1
|
|
The device must have a GPT-formatted device with at least one partition on it\&.
|
|
The UUID of a GPT-formatted device looks like "12345678-9ABC-DEF0-1234-56789ABCDEF0"\&.
|
|
.PP
|
|
See \fBHOW TO DETERMINE MY UUIDS\fR for details\&.
|
|
.RE
|
|
.PP
|
|
|
|
\fBreboot\fR (recommended)
|
|
.RS 4
|
|
Indicates that the system should reboot upon encountering the device specified with \fBreject\fR\&.
|
|
.PP
|
|
If \fBpoweroff\fR is also specified, \fBreboot\fR will be ignored\&.
|
|
.RE
|
|
.PP
|
|
|
|
\fBpoweroff\fR
|
|
.RS 4
|
|
Indicates that the system should shut down upon encountering the device specified with \fBreject\fR\&.
|
|
This option is discouraged for security reasons\&.
|
|
.RE
|
|
.PP
|
|
|
|
\fBserious=\fR\fB\fIUUID\fR\fR
|
|
.RS 4
|
|
The UUID of the device containing the LUKS header to erase upon encountering the device specified with \fBreject\fR\&.
|
|
.PP
|
|
NOTE: You should make a backup of the LUKS header before using this function\&.
|
|
.RE
|
|
.PP
|
|
|
|
|
|
.SH "USAGE"
|
|
.PP
|
|
To activate the module you have to configure PAM\&. See \fBpam\&.conf(5)\fR for details\&.
|
|
.PP
|
|
In general, you will want to add the following to the top of a PAM configuration file:
|
|
.PD 0
|
|
.RS 4
|
|
auth requisite pam_panic\&.so auth=<UUID> reject=<UUID> reboot serious=<UUID>
|
|
.PP
|
|
account requisite pam_panic\&.so
|
|
.RE
|
|
.PD 1
|
|
|
|
|
|
.SH "HOW TO DETERMINE MY UUIDS"
|
|
.PP
|
|
You will find your UUIDs in \fI/dev/disk/by-partuuid\fR\&.
|
|
You might want to execute "\fBls -l /dev/disk/by-partuuid/\fR" in your favourite shell to find out which UUID is which device\&.
|
|
|
|
|
|
.SH "RETURN VALUES"
|
|
.PP
|
|
PAM_SUCCESS
|
|
.RS 4
|
|
Access was granted\&.
|
|
.RE
|
|
.PP
|
|
PAM_IGNORE
|
|
.RS 4
|
|
An error has occured\&. The module will be ignored.\&.
|
|
.RE
|
|
.PP
|
|
PAM_MAXTRIES
|
|
.RS 4
|
|
The removable media was not detected\&.
|
|
.RE
|
|
|
|
|
|
.SH "FILES"
|
|
.PP
|
|
/lib/*/security/pam_panic\&.so
|
|
.RS 4
|
|
This PAM module\&.
|
|
.RE
|
|
|
|
|
|
.SH "BUGS"
|
|
.PP
|
|
Please report bugs and send pull requests to <https://github\&.com/Bandie/pam_panic>\&.
|
|
|
|
|
|
.SH "SEE ALSO"
|
|
.PP
|
|
\fBcryptsetup\fR(8), \fBpam\fR(8), \fBpam\&.conf\fR(5)
|
|
|
|
|
|
.SH "AUTHORS"
|
|
.PD 0
|
|
.PP
|
|
pam_panic was written by Bandie <bandie@chaospott\&.de>\&.
|
|
.PP
|
|
This man page has been revised by Jordy Dickinson <jordy\&.dickinson@icloud\&.com>
|