RSS feed

Re: combine pam-usb and pam-ldapd ?

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: combine pam-usb and pam-ldapd ?

Am 12.12.2011 06:12, schrieb Hatem Nassrat:

On Sun, Dec 11, 2011 at 10:04 PM, Tim White <
<weirdit [at]>> wrote:

    On 12/12/11 06:38, Arthur de Jong wrote:

            I would really want to have users authenticated by a private
            key on a
            usb stick, with/without a password.


    Correctly setup, PAM is designed to be modular. So you can for
    example, use libnss to provide all the passwd/group information, and
    then use pam_usb to attempt to authenticate, and then failback to
    libpam_ldapd on failure. Do some reading into pam (man pam, man
    pam.conf) and

I believe what he is trying to do is to store the public keys in ldap
somehow. I think a quicker approach maybe to  use autofs with pam-usb
rather than pam-ldap.

It took me a while to figure out what you are wanting to do, somehow
adding to the ldap schema to add a public key to each user as well as
modifying the pam side to lookup the key and do what pam-usb does. This
does seem like a lot of work though ...

Thanks for the fast replies, Hatem, Tim and Arthur !

Yes, what i want is central user management on the server and easy and secure authentication on clients.

We would create users on the server and issue usb-sticks with keys to employees. The stick contains a secret that together with the secret on the server allows the identification, authentication and login without any user intervention (or alternatively with a password to unlock the key).

pam-usb seems to store one-time pads on the usb-stick, but anything that allows to identify the user in a secure way should suffice.

With the sticks the user can unlock any machine on the network, which then mounts their ~home. Basically its like a smartcard solution, just without smartcard.

Is that possible with existing tools ?


Hatem Nassrat
Chief Technical Officer
T:  (902) 431-4847 ext. 112
F:  (902) 431-4848

GenieKnows Inc. <>
Yellowee <>

The opinions expressed are those of the individual and not the company.
Internet communications are not secure and therefore GenieKnows Inc.
("the company") does not accept liability for any claims arising as a
result of the use of this medium for transmissions by or to the company.
This email and any files transmitted with it are confidential. If you
are not the intended recipient, you are hereby notified that any
disclosure, distribution or copying of this communication is strictly
prohibited. Whilst we take every reasonable precaution to screen out
computer viruses from emails, attachments to the email may contain such
viruses. We cannot accept liability for loss or damage resulting from
such viruses. GenieKnows Inc. registered office: 1567 Argyle Street,
Halifax, Nova Scotia, B3J 2B2, Canada.

To unsubscribe send an email to or see