How to use pam_usb (Fork) on Linux to log in with a USB flash drive instead of a password

pam_usb It is a PAM module that uses ordinary USB flash drives, SD cards, MMC, etc. to provide hardware authentication for Linux.

To use this function, just connect the USB memory stick or memory card to the computer, and you can log in without a password. This USB authentication is also valid when running terminal commands that require a super user-for example, you will not be prompted for a password when using sudo.

pam_usb can be used with any application that supports PAM, such as login managers (GDM, Lightdm, etc.) and su/sudo.

For authentication, pam_usb uses the serial number, model and vendor of the USB flash drive/memory card, and the optional One Time Pads (One-time password).When “Push to Talk” is enabled (it is enabled by default, but you can disable it), the public user board files are stored in a hidden folder on the USB/memory card, which is called .pamusb, And the private key is stored in a hidden folder with the same name and stored in the user’s home directory.

The original developer of the tool seems to have Throw it away, Has not received any new submissions since April 2016, and has not had any new releases since 2011. Since then, some improvements have been made in various repositories.In order to continue to improve pam_usb, the tool Bifurcation, But also includes previous work done in other storage libraries (including improvements to the UDisk2 port).

pam_usb function:

  • No password (memory card/USB) authentication.Just connect the USB memory stick/memory card that has been configured with pam_usb to log in
  • Supports USB flash drives, SD cards, MMC, etc.
  • The device automatically detects. pam_usb does not need to install a USB flash drive; it can use UDisk to locate the USB device and directly access its data
  • No need to reformat the USB flash drive
  • USB serial number, model and vendor verification
  • Support one-time password (OTP) authentication
  • Can be used as a two-way authentication, at the same time a USB memory stick and password are required to log in to the Linux system
  • You can use the same memory card/USB stick on multiple computers

pam_usb comes with 3 tools: pamusb-agent Can be used to trigger actions when the device is authenticated or deleted (for example, if the device is deleted, you can use a command to lock the screen), pamusb-conf This makes it easier to set up pam_usb, and pamusb-check Used to integrate pam_usb’s authentication engine into a script or application.

pam_usb currently does not support adding multiple devices for each user. Currently, pamusb-conf No device will be added for the configured user.You can track this issue Here.

It is worth noting that pam_usb is only used for login, not for unlocking the GNOME key ring or decrypting dedicated folders. The GNOME keyring does not seem to support unlocking by any means other than passwords. Therefore, even if you are automatically logged in when using pam_usb and a paired USB flash drive is connected, the GNOME key ring unlock dialog will still be displayed, asking you to enter the password to unlock it.This The same thing For example, when fingerprint authentication is used.

I tried it on GDM and LightDM. In both cases, I have to click on my username and press Enter to log in without having to enter the account password.

USB related: You can create a bootable USB drive by simply copying the ISO to USB using Ventoy (Linux and Windows)

Install and set up pam_usb (fork)

This pam_usb fork It has not been packaged in the official repositories of any Linux distribution.The older 0.5.0 version (using Python2 and Udisks1) is usable a little Linux distribution, but missing in most versions.

The pam_usb fork developers have packaged this pam_usb version as the latest Debian and Ubuntu versions (as well as Linux Mint, Pop!_OS and other Linux distributions based on Debian or Ubuntu), you can Download from here (You only need the libpam-usb package there).

The pam_usb fork library also has an Arch Linux/Manjaro PKGBUILD usable.

For other Linux distributions, you need Build from source.

If you want to install pam_usb (fork) from the Debian package provided by its developer, you will be prompted to select the device and user during the installation process:

libpam-usb settings

If this is not the case, or you want to do it manually later, you can set pam_usb like this. Insert the USB flash drive or memory card, and then run the following command to add the new device as an authentication method:

sudo pamusb-conf --add-device DEVICE_NAME

where is it DEVICE_NAME It can be anything you want.

Next, you need to add users to the pam_usb configuration using the following method:

sudo pamusb-conf --add-user USERNAME

where is it USERNAME It is the user who wants to enable USB/memory card based authentication.

User name and device information are saved in /etc/security/pam_usb.conf file.

Now, you can check the configuration using the following methods to see if everything is correct:

pamusb-check USERNAME

It is important to note that to use the DEB package provided by its developers, you do not need to configure anything else. However, if you installed pam_usb from the source code, you need to add pam_usb to the system authentication process as follows: Explain here.

For other pam_usb configuration options, see its Configure Wiki page.

If the USB stick/memory card is removed, please configure pam_usb to lock the screen (and unlock it after reinserting)

When inserting or removing a USB stick/memory card, pam_usb can execute commands with the help of pamusb-agent.

pam_usb Wiki has a example The configuration is used to lock the screen after removing the USB stick/memory card, and unlock the screen when reinserting it. This example is no longer applicable to Gnome (but should be replaced with other desktop environments, and should also be applicable to other desktop environments) gnome-screensaver-command with cinnamon-screensaver-command For the cinnamon tabletop, mate-screensaver-command Suitable for MATE desktop, etc.). [[Edit]]You can also use xdg-screensaver (a part of xdg-utils Parcel; for example xdg-screensaver lock Lock the screen, and xdg-screensaver reset Unlock).

On Linux distributions, if the USB stick/memory card is deleted, let pam_usb lock the screen and unlock it after reinserting the device, please use systematic (I only tested this configuration on Gnome with GDM3), I used the following configuration (/etc/security/pam_usb.conf):


<user id="USERNAME">


<!-- When the user "USERNAME" removes the usb device, lock the screen -->

<agent event="lock">



    <!-- Resume operations when the usb device is plugged back and authenticated -->

    <agent event="unlock">     





Two scripts are used to accomplish this task. /usr/local/bin/screensaver-lock To lock the screen, and /usr/local/bin/screensaver-unlock Unlock the screen. This is their content.



SESSION=`loginctl list-sessions | grep USERNAME | awk '{print $1}'`

if [ -n $SESSION ]; then

        loginctl lock-session $SESSION




SESSION=`loginctl list-sessions | grep USERNAME | awk '{print $1}'`

if [ -n $SESSION ]; then

        loginctl unlock-session $SESSION


Replace both USERNAME Use your username.

You might also like: KDE Connect / GSConnect: How to lock/unlock Linux desktop with Android device



Related Posts