0

I want to be able to log in through USB or some external authentication method, i.e. turn the desktop on, get prompted with the login screen, plug in the USB and it logs me in. Upon removing the USB it locks the screen; simply plugging it in unlocks the screen again. Is there any application available for this? Or maybe for a smartcard?

  • This is like a movie script! I don't know if such a thing is possible, but sure, you can carry a bootable USB with persistent mode of X Gb space which will contain the whole OS as well as your data! – minigeek Jan 29 '17 at 10:07

1 Answer

0

Best approach

Look for a PAM module that will suit your needs. That's the best way to go about what you're trying to do!


If you can't find something in the repos, you could try scripting it. By combining udev, encryption, xdotool, unused space at the beginning of a USB drive, and tests to see if you're on the lockscreen, you can make it happen.

General How-To:

  • Create a secure password for your account
  • Encrypt (I use gpg and symmetric encryption) this password with a keyfile that you'll store some place safe on your computer
  • Use a hex editor to find unused space on your USB stick before the first partition that is at least as large as your encrypted password.
  • Write the encrypted password to space not utilized on your USB stick before the first partition (dd comes in handy here). Be really careful: if you write to space that is used for filesystem management, you could "trash" your data!
  • If you're not confident in your ability to perform the last two steps without data loss, you could just save the encrypted file to your USB like any other file
  • Install the commandline program, xdotool
  • Write a udev rule to call a script on the insertion of a specific device
  • Write a script (that will be called by udev in the rule you just wrote)
    • checks the lock screen state
    • if locked, pulls the encrypted password off the USB (use dd for this)
    • decrypt the password with the key on the computer
    • use xdotool to send the password to the password input field followed by a return key stroke to login/unlock the system.
  • Write a udev rule to watch for removal of your USB stick. When it's removed, send a command to lock the screen

By encrypting the password before copying it to the USB stick, you ensure that if you lose your USB stick, your password is not in plain text. If someone were to get the decryption key for your password off of your system, it's useless without the encrypted password which is stored on your USB.

Check out an answer I wrote to a different question where I provide more detailed instructions. That post could probably benefit from some updating, and if I have time to do that in the near future, I will.

This could easily be tweaked to check inserted USBs against a centrally managed master list on a server. Of course password storage might have to be managed a bit differently.

b_laoshi
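
The storage and unlock steps of the answer above, as an added example (not code from the original post): the encrypted blob goes into a fixed slot in the gap before the first partition with a bounds check, and is read back, decrypted and typed only when the session is locked. Assumptions: 512-byte sectors, a slot starting at sector 34, GnuPG 2.1+, a desktop that updates logind's LockedHint, and the function names, which are hypothetical.

```shell
#!/bin/sh
# Added example. Constructed layout: 512-byte sectors; the slot starts at
# sector 34, past the MBR (sector 0) and a standard GPT header + entries (1-33).
SECTOR=512
SLOT_START=34

# blob_fits SIZE_BYTES PART1_START_SECTOR: true if the blob ends before partition 1
blob_fits() {
    need=$(( ($1 + SECTOR - 1) / SECTOR ))
    [ "$1" -gt 0 ] && [ $(( SLOT_START + need )) -le "$2" ]
}

# stash_blob DEVICE PART1_START_SECTOR BLOB_FILE
# PART1_START_SECTOR comes from e.g. /sys/class/block/sdX1/start
stash_blob() {
    size=$(wc -c < "$3") || return 1
    blob_fits "$size" "$2" || { echo "blob would overlap partition 1" >&2; return 1; }
    # notrunc: never truncate the target; fsync: flush before the stick is pulled
    dd if="$3" of="$1" bs="$SECTOR" seek="$SLOT_START" conv=notrunc,fsync status=none
}

# fetch_blob DEVICE SIZE_BYTES: writes exactly SIZE_BYTES of the slot to stdout
fetch_blob() {
    need=$(( ($2 + SECTOR - 1) / SECTOR ))
    dd if="$1" bs="$SECTOR" skip="$SLOT_START" count="$need" status=none | head -c "$2"
}

# session_locked SESSION_ID (assumes the desktop keeps logind's LockedHint current)
session_locked() {
    [ "$(loginctl show-session "$1" -p LockedHint --value)" = yes ]
}

# unlock_from_stick DEVICE SIZE_BYTES KEYFILE SESSION_ID
# Needs DISPLAY/XAUTHORITY of the locked session; GnuPG 2.1+ for loopback mode.
unlock_from_stick() {
    session_locked "$4" || return 1      # never type into an unlocked desktop
    pw=$(fetch_blob "$1" "$2" |
         gpg --batch --quiet --pinentry-mode loopback \
             --passphrase-file "$3" --decrypt) || return 1
    [ -n "$pw" ] || return 1
    # printf is a shell builtin, so the password never appears in a process argv
    printf '%s' "$pw" | xdotool type --clearmodifiers --file -
    xdotool key Return
    unset pw
}
```

A udev-invoked script runs as root without the user's X environment, so the caller has to export the locked session's DISPLAY and XAUTHORITY before calling `unlock_from_stick`.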