Authenticate on linux by plugging your USB stick!
Demo: https://www.youtube.com/watch?v=W7L9FrIDYgU
Note: for now, only a debian/ubuntu package is provided.
Download the debian package and install it:
$ sudo dpkg -i hermes_1.8_amd64.deb
$ sudo apt-get -f install
I recommend having 2 partitions on your usb stick: a very small one (hermes needs 266 bytes as of now, so allocate 2048 bytes to be safe), and another partition for your data.
Let's assume that the partition for hermes is /dev/sdb1
, and your
user is foo
.
To make your usb stick an hermes device, run:
$ sudo hermes write /dev/sdb1 foo
You can see what hermes
can do with hermes help
. (Although for
now, it can only run the write command seen above.)
You can now do exactly as in the video. When you need to login, plug in the usb stick, hit enter with an empty password, and you should be logged in!
If you're not on debian, here are the steps to manually install hermes.
Download the following (equivalent to your distribution) dependencies: gcc, sbcl, wget, buildapp, libpam0g-dev, libfixposix-dev.
Then run:
# Build hermes
$ git clone https://github.com/ralt/hermes
$ cd hermes/
$ make
# Install the built files
$ sudo make install
# Configure your system
$ sudo pam-auth-update # Select "Hermes"
$ sudo addgroup hermes
If you're using systemd, you can then run the following:
$ sudo systemctl enable hermes
$ sudo systemctl start hermes
If you're not using systemd, please look at the
debian/services/hermes.service
file and reproduce the equivalent for
your init system.
From then on, you can follow the steps in Preparing the usb stick.
A string of 128 characters is put on the both usb stick and in the user's home directory. When connection time comes, the tokens are checked to see if they match. If they do, the user can be connected.
Every time there is a successful login, the token is regenerated, for security reasons.
- better error handling. Right now it's fprintf(stderr) or perror() everywhere, randomly. Make it consistent.
The hermes write <device> <user>
command will generate a 128-bytes
token, and write it to both /etc/hermes/<user>
and the device. On
the device, it will first write 5 bytes to recognize an hermes device.
When login is needed, the PAM module will send the user to the
/var/run/hermes.sock UNIX socket. The hermes-daemon service will then
look in /dev/sd* for a hermes device (starts with bytes 82, 111, 98,
105, 110). If none exists, it sends "false" to the UNIX socket. If one
exists, it compares with the token in /etc/hermes/<user>
, and sends
either "true" or "false" back to the UNIX socket. The PAM module just
has to get the boolean result back and it can return it.
The project is provided under the MIT license.