I would like to have different passwords for my account(s): When (e.g.) a certain USB stick is plugged in then an easy password is to be used. The idea is: If I leave my computer then I take the stick with me and the easy passwords shall be disabled then.
My general idea is:
- Detect the stick with udev, maybe detect certain data on it (with a script run by udev) and react accordingly (e.g. create a file which is deleted when the stick is plugged out). This should be easy.
- Have PAM check for the existence of this file and select the password database accordingly.
The main question is probably (i.e. if I understand the structure of the problem correctly): Can `pam_unix2` be configured to use another shadow file? I just had a look at the man page for `pam_unix2` and it seems that this is not possible because this module lets glibc NSS make this decision.
Best Answer
Both `pam_unix` and `pam_unix2` use libc to look up the password hash, and Glibc has the locations `/etc/nsswitch.conf` and `/etc/shadow` hard-coded. It wouldn't even be as simple as recompiling `pam_unix` or `pam_unix2`: both go through the normal NSS mechanism to verify passwords, they only use their knowledge of `/etc/passwd`, `/etc/shadow` and NIS for password changes.
However, you can use the `pam_pwdfile` module. I've never used it, but the description looks like exactly what you're after.
Alternatively, you could use `pam_userdb`, which checks a password in a database in Berkeley DB format with a file name passed as an argument.
Now, to detect the presence of the USB stick, you need another PAM module. `pam_listfile` looks right for the job. Arrange a udev rule that mounts your USB key, and only that USB key, in a particular location, say `/media/authentication-key`; create a file `users.txt` containing the list of user names that are allowed to use a shorter password. If you want a more complex test in the PAM stack, you can use `pam_exec`.
Here's a stack that assumes that `/etc/shadow` contains your strong passwords and `/etc/passwd.weak` contains your weak passwords. Warning: untested, and I'm not fluent in PAM, so review it carefully.
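
One way to wire the three modules named in the answer into an auth stack, as an added example that is not the answer author's own stack. It assumes `pam_listfile`, `pam_pwdfile` and `pam_unix` are installed, that the key is mounted at `/media/authentication-key` as described above, and that `/etc/passwd.weak` is in the format `pam_pwdfile` expects; `SERVICE` is a placeholder for the PAM service being configured.

```conf
# /etc/pam.d/SERVICE  (auth section only; SERVICE is a placeholder)
#
# Step 1: gate. pam_listfile succeeds only if the key is mounted and the
# user is listed in users.txt. Any other result (file missing because the
# key is unplugged, user not listed, file world-writable) skips the next
# line. success=ignore keeps this check from counting as authentication.
auth  [success=ignore default=1]  pam_listfile.so item=user sense=allow file=/media/authentication-key/users.txt onerr=fail

# Step 2: only reached when the gate passed. A match against the weak
# password file ends the stack with success; a mismatch falls through.
auth  sufficient  pam_pwdfile.so pwdfile=/etc/passwd.weak

# Step 3: everyone else must supply the strong password from /etc/shadow.
# try_first_pass reuses the password already typed, if one was stored.
auth  required  pam_unix.so try_first_pass
```

Keep a root shell open while testing a changed PAM file, so a mistake in the stack cannot lock you out.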