diff --git a/Configuration.md b/Configuration.md new file mode 100644 index 0000000..2ce59b4 --- /dev/null +++ b/Configuration.md @@ -0,0 +1,39 @@ +# Configuration + +## What pam_panic flags exist? + +### Authentication type flags +- `password` + - Sets the "ask for password" mode active. + - You should set your password using `pam_panic_pw`, running as root. +- `allow=` and `reject=` + - `allow`: Sets the removable media with the specified partition UUID as authentication media. + - `reject`: Sets the removable media with the specified partition UUID as panic media. + - Note: You need **both** to have it working. + +### Panic flags +- `serious=` + - Assuming you have an [encrypted LUKS partition](https://wiki.archlinux.org/index.php/Dm-crypt), this will shred the luksHeader rendering the data within this LUKS container unreadable. +- `poweroff` + - Powers the device off. It would happen after `serious=`. +- `reboot` + - Reboots the device. It would happen after `serious=`. + + +## Partition UUID?! +You can determine the partition UUID through `ls -l /dev/disk/by-partuuid/`. This is the device directory where pam_panic is going to look for the partition UUID. +Note, your devices you are using for the `auth=` and `reject=` flags must formated with a GUID Partition Table (GPT). + + +## Configuration examples +To configure the module, add the following to the appropriate PAM configuration file(s): (see pam.conf(5) for details on these files) +Using the removable media: +``` +auth requisite /usr/local/lib/security/pam_panic.so auth= reject= reboot serious= +account requisite /usr/local/lib/security/pam_panic.so +``` +Using the two passwords: +``` +auth requisite /usr/local/lib/security/pam_panic.so password reboot serious= +account requisite /usr/local/lib/security/pam_panic.so +```
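Review bot: the authentication-media flag is named inconsistently in the added Configuration.md. The "Authentication type flags" list documents `allow=` and `reject=`, while the "Partition UUID?!" note and the removable-media example line use `auth=` and `reject=`. The list itself says both flags are needed for the mode to work, so a reader who copies the wrong name ends up with a configuration that does not behave as documented; use the name the module actually parses in all three places. In the same hunk, `auth=`, `reject=` and `serious=` carry no value in either example, and the `serious=` entry never states what argument it expects. Since that flag shreds the LUKS header, show an explicit placeholder in the examples and say in the flag description what the value must be. Minor wording: "must formated" should read "must be formatted".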