# pam_usb and konsole

## arek.k

I use pam_usb for authorization based on a key (on a pendrive). I use it for the whole system, so:

```
# cat /etc/pam.d/system-auth

#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_usb.so fs=reiserfs debug=0 check_device=-1 check_if_mounted=-1 force_device=/dev/sdb log_file=/var/log/pam_usb.log
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so
account    required     pam_unix.so
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
```

Everything (I use) works fine: kdm, logging in on the text console, xterm (su, for example), everything ... except konsole (the terminal emulator for KDE). In the pam_usb log file I have something like this:

```
# cat /var/log/pam_usb.log

[pam.c:138] Searching the utmp entry for tty pts/1...
[pam.c:148] Cannot retrieve the utmp entry
[pam.c:193] Authentication denied: remote user
```

Does somebody understand anything of it? What am I doing wrong? Konsole should work (cooperate) with pam_usb (I mean passwordless su). In addition, sometimes konsole does work with pam_usb.

The standard log (from authorization) should look like this (listing for xterm in KDE, su command):

```
# cat /var/log/pam_usb.log

[pam.c:138] Searching the utmp entry for tty pts/2...
[pam.c:152] Authentication request from pts/2 (:0.0)
[device.c:371] Forcing device /dev/sdb
[device.c:346] Creating temporary mount point...
[device.c:354] Scheduling [/tmp/pam_usbsSFlpH] for dropping
[device.c:358] Using /tmp/pam_usbsSFlpH as mount point
[device.c:237] Trying to mount /dev/sdb on /tmp/pam_usbsSFlpH using reiserfs
[device.c:242] mount failed: Device or resource busy
[device.c:249] Unable to mount /dev/sdb, tried with 1 fs
[device.c:376] Device forcing failed, back to guess mode
[device.c:406] Found a valid device (/dev/sda1)
[device.c:358] Using /tmp/pam_usbsSFlpH as mount point
[device.c:237] Trying to mount /dev/sda1 on /tmp/pam_usbsSFlpH using reiserfs
[device.c:242] mount failed: Device or resource busy
[device.c:249] Unable to mount /dev/sda1, tried with 1 fs
[device.c:409] invalid device /dev/sda1
[device.c:406] Found a valid device (/dev/sda2)
[device.c:358] Using /tmp/pam_usbsSFlpH as mount point
[device.c:237] Trying to mount /dev/sda2 on /tmp/pam_usbsSFlpH using reiserfs
[device.c:242] mount failed: Device or resource busy
[device.c:249] Unable to mount /dev/sda2, tried with 1 fs
[device.c:409] invalid device /dev/sda2
[device.c:406] Found a valid device (/dev/sda3)
[device.c:358] Using /tmp/pam_usbsSFlpH as mount point
[device.c:237] Trying to mount /dev/sda3 on /tmp/pam_usbsSFlpH using reiserfs
[device.c:242] mount failed: Invalid argument
[device.c:249] Unable to mount /dev/sda3, tried with 1 fs
[device.c:409] invalid device /dev/sda3
[device.c:406] Found a valid device (/dev/sda4)
[device.c:358] Using /tmp/pam_usbsSFlpH as mount point
[device.c:237] Trying to mount /dev/sda4 on /tmp/pam_usbsSFlpH using reiserfs
[device.c:242] mount failed: Device or resource busy
[device.c:249] Unable to mount /dev/sda4, tried with 1 fs
[device.c:409] invalid device /dev/sda4
[device.c:406] Found a valid device (/dev/sdb)
[device.c:358] Using /tmp/pam_usbsSFlpH as mount point
[device.c:237] Trying to mount /dev/sdb on /tmp/pam_usbsSFlpH using reiserfs
[device.c:242] mount failed: Device or resource busy
[device.c:249] Unable to mount /dev/sdb, tried with 1 fs
[device.c:409] invalid device /dev/sdb
[device.c:406] Found a valid device (/dev/sdb1)
[device.c:358] Using /tmp/pam_usbsSFlpH as mount point
[device.c:237] Trying to mount /dev/sdb1 on /tmp/pam_usbsSFlpH using reiserfs
[device.c:242] mount failed: Device or resource busy
[device.c:249] Unable to mount /dev/sdb1, tried with 1 fs
[device.c:409] invalid device /dev/sdb1
[device.c:406] Found a valid device (/dev/sdb2)
[device.c:358] Using /tmp/pam_usbsSFlpH as mount point
[device.c:237] Trying to mount /dev/sdb2 on /tmp/pam_usbsSFlpH using reiserfs
[device.c:253] Device mounted, trying to open private key
[device.c:181] Opening /tmp/pam_usbsSFlpH/.auth/root.ibm
[device.c:261] Private key opened
[auth.c:207] Private key imported
[auth.c:218] Public key imported
[device.c:455] Dropping [/tmp/pam_usbsSFlpH]
[dsa.c:77] Checking DSA key pair...
[dsa.c:87] Signing pseudo random data [1 time(s)]...
[dsa.c:94] Valid signature
[dsa.c:87] Signing pseudo random data [2 time(s)]...
[dsa.c:94] Valid signature
[dsa.c:87] Signing pseudo random data [3 time(s)]...
[dsa.c:94] Valid signature
[pam.c:207] Access granted
```

Of course the errors about being unable to mount the device are OK (the device has been mounted by ivman).

----------

## hermanng

Just a guess: do you have kdelibs emerged with the USE flag utempter? You might want to try that (this will need "emerge sys-libs/libutempter"). This should allow non-privileged programs (like konsole) to write utmp.

----------

## arek.k

I have emerged kde-base/kdelibs with USE="utempter": 

```
# eix kdelibs

[I] kde-base/kdelibs
...
Installed versions:  3.5.5-r10(3.5)(18:43:37 2007-06-17)(acl alsa arts -avahi cups -debug -doc -elibc_FreeBSD -fam -jpeg2k -kdeenablefinal -kdehiddenvisibility -kerberos kernel_linux -legacyssl -linguas_he -lua -openexr spell ssl tiff utempter -xinerama -zeroconf)
...
```

and (of course) sys-libs/libutempter: 

```
# eix libutempter

[I] sys-libs/libutempter
...
Installed versions:  1.1.5(10:59:19 2007-06-02)
...
```

Maybe I'll try to recompile these packages, or compile kdelibs without libutempter.

----------

## hermanng

Hmm, in the past there were some problems with konsole and utempter (konsole didn't call utempter and didn't write utmp entries). A quick look in the pam_usb source shows that the check for a user to be acknowledged as local relies on a utmp entry for its tty/pty.

One thing you should check before re-emerging is konsolerc. You might want to add an entry

```
AddToUtmp=true
```

Searching a bit further on the web, I found a brand-new update notification from Fedora, http://article.gmane.org/gmane.linux.redhat.fedora.testers/49288, that has a hint about making konsole setgid utmp (Fedora uses a slightly different group name). That would give konsole at least permission to write a utmp entry.

EDITED: I did a USE="utempter" emerge kdelibs. It helped here; konsole is now writing utmp entries.

----------

## arek.k

 *hermanng wrote:*   

> Hmm, in the past there were some problems with konsole and utempter (konsole didn't call utempter and didn't write utmp entries). A quick look in the pam_usb source shows that the check for a user to be acknowledged as local relies on a utmp entry for its tty/pty.
> 
> One thing you should check before re-emerging is konsolerc. You might want to add an entry
> 
> ```
> ...
> ```

 

I added it to my konsolerc, but it still does not work.

KDE recognizes (?) my user as a remote user (instead of local), but I'm logged in locally.

 *hermanng wrote:*   

> EDITED: I did a  USE="utempter" emerge kdelibs.  It helped here, konsole is now writing utmp entries.

 

I recompiled kdelibs without and with the utempter USE flag, but it did not change anything.

It isn't only a konsole problem. I have the same with all KDE programs. For example, in KDE Control Center, when I want to switch to "administrator mode" I must enter a password. In this case I have the same error in /var/log/pam_usb.log as I have for konsole.

There is no problem with kdm, but it runs with root privileges, I think.

kdelibs is the right track, I think, but I still have no idea where the problem is.

Does your konsole (and all KDE programs) work right with pam_usb? Maybe you can tell me which versions of kdelibs and libutempter you are using? Which USE flags do you have set for kdelibs?

(I hope you understand what I've written, because my English is not good. :Embarassed:)

EDIT:

One way to solve this problem is to add the following line:

```
auth       sufficient   pam_usb.so allow_remote=1
```

to system-auth.

It isn't the way (solution) I want, because it should work without this line.

@hermanng, can you tell me which version of pam_usb you are using? What is the content (?) of your /etc/pam.d/system-auth (can you show me your file)?

Maybe it's a configuration problem?

----------

## hermanng

Sorry, perhaps I wasn't too clear about that. Personally I do *not* use pam_usb (I do not own an appropriate device). What I wrote was out of my knowledge of PAM (I work professionally with PAM and have also written some PAM modules) and some tests that I did in my environment.

Writing a utmp entry (with a tty/pty) is a necessary requirement for pam_usb to acknowledge a local user; this I understood from checking the pam_usb source. That means pam_usb won't work with an application like KDE Control Center that does not own a tty/pty or is not able to write a utmp entry.

From that it is clear that adding "allow_remote=1" to the pam_usb entry in /etc/pam.d/system-auth solves your problem by bypassing the check for the utmp entry. I think your configuration is OK, and what you experience is not a bug but a feature of pam_usb :Wink:

This said, I only tested whether konsole writes a utmp entry (so as to fulfill a necessary requirement for working with pam_usb).

You can check this in your environment by starting konsole, issuing a "tty" command and checking with "who -a" whether you see the pty the system told you, e.g.

```
tornado # tty
/dev/pts/12
tornado ~# who -a
...
...
root     - pts/12       Jun 22 12:03   .          3488 (:0)
tornado ~#
```

As for the versions I use, these are all the latest:

```
tornado ~ # eix -c kdelibs
[I] kde-base/kdelibs (3.5.7(3.5)@06/14/07): KDE libraries needed by all KDE programs.
tornado ~ # eix -c libutempter
[I] sys-libs/libutempter (1.1.5@05/11/07): Library that allows non-privileged apps to write utmp (login) info, which need root access
tornado ~ #
```

One more thing you could try is the advice from Fedora I mentioned in my last post, i.e. making konsole setgid utmp by

```
tornado ~# chgrp utmp /usr/kde/3.5/bin/konsole
tornado ~# chmod g+s /usr/kde/3.5/bin/konsole
```

A way to work as root with Control Center or other graphical KDE apps (that don't own a tty) would be to call them from the command line with

```
tornado % kdesu kcontrol
```

or whatever the application name is.

EDITED: oh, I just forgot the USE flags I use for kdelibs:

```
tornado ~ # emerge -pv kdelibs
[ebuild   R   ] kde-base/kdelibs-3.5.7  USE="acl alsa arts cups doc kdeenablefinal lua tiff utempter xinerama -avahi -branding -debug -fam -jpeg2k -kdehiddenvisibility -kerberos -legacyssl -openexr -spell" 0 kB
```
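The utmp test described in the two posts above, as an added example written for this page in Python (it is not pam_usb's code): it parses a utmp image the way `getutline()` would, looks up the tty that PAM was given, and decides local versus remote from `ut_host`. The record layout (glibc `struct utmp` on x86_64, 384 bytes), the rule that an empty host or an X display such as `:0.0` means local, and the sample sessions (the pids, the user `arek`, the `192.0.2.10` ssh peer) are assumptions constructed for the example, not details taken from the thread. Run directly, it repeats the `tty` / `who -a` check from the post against the live `/var/run/utmp`, where one exists.

```python
"""Is the PAM caller 'local'?  A re-implementation of the utmp test the thread
attributes to pam_usb 0.3.x, written for this page; it is not pam_usb code.

Assumptions (not taken from the thread): the record layout is glibc's
struct utmp on x86_64 (384 bytes), and a session counts as local when its
ut_host is empty (text console) or names an X display such as ':0.0'.
Everything else, including a pty with no utmp entry, is treated as remote,
which is what the quoted log shows for konsole.
"""
import os
import struct
import sys

# struct utmp as laid out by glibc on x86_64 (bits/utmp.h), little-endian;
# the only padding is the two bytes after the short ut_type.
UTMP_RECORD = struct.Struct("<h2xi32s4s32s256shhiii4i20x")
USER_PROCESS = 7   # ut_type of a live login session
DEAD_PROCESS = 8   # ut_type of a session that has ended


def _cstr(field):
    """NUL-terminated fixed-width field -> str."""
    return field.split(b"\0", 1)[0].decode(errors="replace")


def make_record(ut_type, pid, line, user, host):
    """Pack one utmp record; only used here to build constructed test data."""
    return UTMP_RECORD.pack(
        ut_type, pid,
        line.encode().ljust(32, b"\0"), b"\0\0\0\0",
        user.encode().ljust(32, b"\0"), host.encode().ljust(256, b"\0"),
        0, 0,            # ut_exit
        0,               # ut_session
        0, 0,            # ut_tv
        0, 0, 0, 0)      # ut_addr_v6


def utmp_entries(data):
    """Yield (ut_type, pid, line, user, host) for each complete record."""
    for off in range(0, len(data) - UTMP_RECORD.size + 1, UTMP_RECORD.size):
        ut_type, pid, line, _id, user, host, *_ = UTMP_RECORD.unpack_from(data, off)
        yield ut_type, pid, _cstr(line), _cstr(user), _cstr(host)


def lookup_utmp(data, tty):
    """getutline()-style lookup of the live entry for a tty.

    PAM_TTY is often '/dev/pts/N' while utmp stores 'pts/N', so the prefix
    is normalised away first.  A DEAD_PROCESS record for the line does not count.
    """
    line = tty[len("/dev/"):] if tty.startswith("/dev/") else tty
    for ut_type, pid, ut_line, user, host in utmp_entries(data):
        if ut_type == USER_PROCESS and ut_line == line:
            return {"pid": pid, "line": ut_line, "user": user, "host": host}
    return None


def classify(data, tty, allow_remote=False):
    """Return (decision, reason).

    'local' and 'remote' mean the module would go on to the USB key check;
    'denied' means it stops here ('Authentication denied: remote user').
    allow_remote (the thread's workaround) turns every 'denied' into 'remote'.
    """
    entry = lookup_utmp(data, tty)
    if entry is None:
        reason = "Cannot retrieve the utmp entry"
        return ("remote", reason) if allow_remote else ("denied", reason)
    host = entry["host"]
    if host == "" or host.startswith(":"):
        return "local", f"Authentication request from {entry['line']} ({host})"
    return ("remote", host) if allow_remote else ("denied", f"remote user ({host})")


# Constructed utmp image (not captured from a real machine):
#   tty1   root  ""           text-console login
#   pts/2  root  ":0.0"       xterm started from the X session
#   pts/3  arek  "192.0.2.10" an ssh login (hypothetical)
#   pts/1  root  ":0.0"       stale DEAD_PROCESS record only: the konsole pty
#                             has no live entry, the failing case in the thread
SAMPLE_UTMP = b"".join([
    make_record(USER_PROCESS, 1201, "tty1", "root", ""),
    make_record(USER_PROCESS, 3488, "pts/2", "root", ":0.0"),
    make_record(USER_PROCESS, 4102, "pts/3", "arek", "192.0.2.10"),
    make_record(DEAD_PROCESS, 2999, "pts/1", "root", ":0.0"),
])

if __name__ == "__main__":
    # The check done above with `tty` and `who -a`, against this machine's
    # live utmp; either may be missing in a sandbox or container.
    try:
        tty = os.ttyname(sys.stdin.fileno())
        with open("/var/run/utmp", "rb") as fh:
            print(tty, *classify(fh.read(), tty))
    except OSError as exc:
        print("no controlling tty or no utmp file:", exc)
```

The stale `pts/1` record shows why a terminal that never calls utempter fails even after earlier sessions used the same pty: only a live `USER_PROCESS` entry satisfies the lookup. With `allow_remote` set, the lookup result no longer matters, which is also why the workaround lets a tty-less program like kcontrol through.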

----------

## arek.k

 *hermanng wrote:*   

> One more thing you could try is the advice from Fedora I mentioned in my last post, i.e. making konsole setgid utmp by
> 
> ```
> tornado ~# chgrp utmp /usr/kde/3.5/bin/konsole
> ...
> ```

 

I tried it, but it does not work. Maybe there are some differences in Fedora's configuration.

For now I will keep allow_remote=1.

 *hermanng wrote:*   

> A way to work as root with Control Center or other graphical KDE apps (that don't own a tty) would be to call them from the command line with
> 
> ```
> tornado % kdesu kcontrol
> ```
> ...

 

If I use allow_remote=1, KDE Control Center gets passwordless root privileges.

I asked these questions because SUSE grants root privileges (in KDE: konsole, KDE Control Center etc.) without allow_remote=1 in system-auth (on SUSE the name of this file is common-auth), and the owner, permissions etc. of konsole (or any KDE application) are:

```
# ls -l /opt/kde3/bin/ | grep konsole
-rwxr-xr-x 1 root root       6735 May 18 16:32 konsole
```

There must be some way to make it work in Gentoo like it does in SUSE. Maybe there are some differences in the source code of pam_usb for SUSE, but I'm not a programmer, so I can't compare the source code. For now I don't have the source code of pam_usb for SUSE.

Thanks for the help. Maybe you can tell me some more: is using allow_remote=1 dangerous? Can I use it?

----------

## hermanng

 *arek.k wrote:*   

> If I use
> 
> ```
> ...
> ```

 

Yes, as I tried to explain, allow_remote=1 will help you with your problems, because the problematic utmp check in pam_usb will not be executed. If your machine is behind a firewall, there is probably no security risk with that, but if it works without that, all the better. I don't have SUSE's pam_usb source either, but I'm quite sure that they did some adaptations. SUSE has some quite capable developers for PAM.

OK, just to state it again: if your machine is behind a firewall, I think you could live with allow_remote=1. Anyway, you've sparked my interest in pam_usb enough to do some more code inspection; maybe I'll even get SUSE's source (I have an openSUSE 10.2 running in a virtual machine).

----------

## hermanng

After reading the pam_usb source (version 0.4.1) a little more carefully, I'm surprised about your problems. pam_usb should work out of the box, without the use of libutempter. So allow_remote=1 should not be needed. Also, in this version (0.4.1) that I inspected, allow_remote seems to be gone completely, although the changelog says nothing about that.

The code that checks if a user is local is flexible enough to work with Control Center, konsole etc. So which pam_usb version do you use? Perhaps you should upgrade to (unstable) 0.4.1.

----------

## arek.k

I use pam_usb-0.3.2. On SUSE it was pam_usb-0.3.3-1. So maybe you are right, and I should try version 0.4.1.

I will emerge it and let you know what the effect is.

EDIT:

I have installed pam_usb-0.4.1 and you were right; there were many changes in version 0.4.1 compared to 0.3.2.

I think it was the same situation with version 0.3.3 (on SUSE).

Now I must learn version 0.4.1, because the configuration is completely different. Fortunately, the pam_usb documentation is pretty good (I hope).

Thanks for help again.

----------

