#243: Prepare version 0.8.5 (#244)

mcdope · make update-other-docs · web-flow · commit 15b97a8aade2 · 2024-07-26T20:33:04.000+02:00
* #243: Update pamusb-conf manpage * #243: Update ChangeLog * [Docs] Update non-manpage "doc/" files Signed-off-by: McDope <tobiasbaeumer@gmail.com> * #243: Update debian/changelog * #243: Update fedora specs changelog * #243: Update misc version statements/tags * [Docs] Update non-manpage "doc/" files Signed-off-by: McDope <tobiasbaeumer@gmail.com> * #243: Arch git version --------- Signed-off-by: McDope <tobiasbaeumer@gmail.com> Co-authored-by: make update-other-docs <noemail@example.com>
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,10 @@
+* 0.8.5
+  [Feature] Support multiple devices per user
+  [Enhancement] Misc. memory and string handling stuff
+  [Enhancement] Deny if pads can't be updated
+  [Enhancement] SELinux! There is now a profile for Fedora 40 (not installed automatically!) and a doc on how to create your own (see Wiki)
+  [Bugfix] LC_ALL usage
+
 * 0.8.4
   [Bugfix] loginctl usage was not sh compatible
   [Bugfix] Misc. fixes related to memory handling
diff --git a/arch_linux/PKGBUILD_git b/arch_linux/PKGBUILD_git
@@ -2,7 +2,7 @@
 # Contributor: Pekka Helenius <fincer89 [at] hotmail [dot] com>
 
 pkgname=pam_usb-git
-pkgver=0.8.4_r549.gf015d91
+pkgver=0.8.5_r559.g4e4cfaa
 pkgrel=1
 pkgdesc='Hardware authentication for Linux using ordinary flash media (USB & Card based).'
 arch=($CARCH)
diff --git a/arch_linux/PKGBUILD_stable b/arch_linux/PKGBUILD_stable
@@ -2,7 +2,7 @@
 # Contributor: Pekka Helenius <fincer89 [at] hotmail [dot] com>
 
 pkgname=pam_usb
-pkgver=0.8.4
+pkgver=0.8.5
 pkgrel=1
 pkgdesc='Hardware authentication for Linux using ordinary flash media (USB & Card based).'
 arch=($CARCH)
diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,12 @@
+libpam-usb (0.8.5) unstable; urgency=medium
+  * [Feature] Support multiple devices per user
+  * [Enhancement] Misc. memory and string handling stuff
+  * [Enhancement] Deny if pads can't be updated
+  * [Enhancement] SELinux! Wiki now has a doc on how to create your own profile
+  * [Bugfix] LC_ALL usage
+
+ -- Tobias Bäumer <tobiasbaeumer@gmail.com>  Fri, 26 Jul 2024 21:00:00 +0200
+
 libpam-usb (0.8.4) unstable; urgency=medium
   * [Bugfix] loginctl usage was not sh compatible
   * [Bugfix] Misc. fixes related to memory handling
diff --git a/doc/CONFIGURATION b/doc/CONFIGURATION
@@ -8,6 +8,8 @@ The configuration file is formatted in XML and subdivided in 4 sections:
 * Users declaration and settings
 * Services declaration and settings
 
+Note that for changes to the agent / events config you need to restart the agent service for them to take effect. Other changes are picked up on next pam_usb usage.
+
 The syntax is the following:
 
 ```xml
@@ -104,8 +106,6 @@ The syntax is the following:
 Some cheap devices don't report a vendor and/or model. To use these devices you can use "Generic" for these values, then it won't be checked.
 Be aware that this reduces security if you have `one_time_pads` disabled since the device containing the volume won't be checked anymore (but these attributes could be faked with a custom firmware anyway).
 
-You can configure as many devices as you want, but each user can only be configured to use a single device (currently).
-
 ### Example:
 
 ```xml
@@ -127,6 +127,8 @@ You can configure as many devices as you want, but each user can only be configu
 | `device` | Element   | `id` of the device associated to the user | `MyDevice` |
 | `agent`  | Element   | Agent commands, for use with pamusb-agent |            |
 
+Note that one `<user>` can have multiple `<device>` (from v0.8.5 up).
+
 ### Agent
 
 The agent is to be run as system service. If you installed by using the debian package it will automatically be configured as
@@ -224,13 +226,17 @@ sudo pamusb-conf --add-device=<devicename>
 
 where `<devicename>` is a recognizable name for your device. This value is used internally in the configuration file as device `id` value and in output shown to users. (Note: because of it being used as an XML attribute value, it shouldn't contain ampersands etc.)
 
+You can do this for multiple devices obviously.
+
 3. Add necessary user configuration into `/etc/security/pam_usb.conf` by running:
 
 ```
 sudo pamusb-conf --add-user=<username>
 ```
 
-where `<username>` is a valid Unix user name.
+where `<username>` is a valid Unix user name. 
+
+If you added multiple devices you can repeat this command to choose an additional device for this user (from v0.8.5 up).
 
 4. Tweak `/etc/security/pam_usb.conf` manually as desired. Link devices and users, etc.
 
diff --git a/doc/QUICKSTART b/doc/QUICKSTART
@@ -30,7 +30,7 @@ Once you've connected your USB device to the computer, use pamusb-conf to add it
 
 Note that `MyDevice` can be any arbitrary name you'd like, but will be used as an XML attribute value so stay away from any special characters and stick to A-Z. 
 
-Also, you can add as many devices as you want. However, each user can currently only use a single device so additional devices can only be used for additional users.
+Also, you can add as many devices as you want. However, in versions prior to v0.8.5 each user can only use a single device. So additional devices can only be used for additional users. Starting from v0.8.5 a single user can have multiple devices assigned as well.
 
 Next, configure users you want to be able to authenticate with pam_usb:
 
diff --git a/doc/SECURITY b/doc/SECURITY
@@ -1,3 +1,11 @@
+# General note about security
+
+`pam_usb` is intended as an "user comfort" utility. While it can enhance security, if used as a second factor, it can also reduce it. 
+
+Make sure you are aware of how it works and what you combine it with (see other warnings). 
+
+Also I want to point it that this isn't audited. I've tried to raise funds for it but there was literally no interest in it seemingly...
+
 # Warning about XDMCP
 
 You should under no circumstances enable pamusb and XDMCP at the same time. Most graphical login managers are whitelisted and will not be checked for "remoteness" since issue #51 was fixed. This means if you enable XDMCP and have a usb device for an already configured user attached anyone connecting to your X-Server could login as that user!
@@ -6,6 +14,10 @@ I repeat, UNDER NO CIRCUMSTANCES ENABLE PAMUSB AND XDMCP AT THE SAME TIME! Don't
 
 Note: you shouldn't use XDMCP these days anyway... 
 
+# Warning about TeamViewer and x11vnc
+
+Currently the local-check doesn't detect either TeamViewer or x11vnc connections. The same applies to gnome desktop sharing and I guess others also. There are attempts to resolve this, but even then there will likely always be some remote access software being able to circumvent the local check.
+
 # Warning about remote access (SSH etc)
 
 In the past there have been ways to circumvent the local check (see issue [#51](https://github.com/mcdope/pam_usb/issues/51) and also the "[cup of tee](https://github.com/mcdope/pam_usb/issues/39)"). I'm confident that all known ways are fixed now. 
diff --git a/doc/TROUBLESHOOTING b/doc/TROUBLESHOOTING
@@ -59,7 +59,7 @@ But if it does: please create an issue which should contain the output of `w` an
 Getting 'Pad checking failed!' when trying to authenticate
 --------------
 
-This error means that either the machine/host specific pad file on the device, or - more likely - the user specific pad file in your homedir is not in sync anymore. 
+This error means that either the machine/host specific pad file on the device, or - more likely - the user specific pad file in your homedir is not in sync anymore. It can also be caused if you use the same device on two computers and both share the same username (guess why I know :facepalm:).
 
 It can happen if you remove the authentication device without unmounting it before, manually mess with the pad files (like copying from a previous device) or your system crashed before file buffers were written to the media and similar. 
 
@@ -70,6 +70,37 @@ To resolve this you can use `pamusb-conf --reset-pads=<USERNAME>`, which will re
 Agent configuration / commands don't work like expected
 --------------
 
+You have restarted the agent service after your config changes, right? RIIIIIIGHT? Seriously, you need to restart it for changes to be picked up.
+
 The agent will log all executed commands, as well as their exitcode; stdout and stderr (since v0.8.3). You can view this log either via systemd, or - easier - by `tail`'ing `/var/log/auth.log`.
 
-You can use this to a) verify your config is picked up like expected and b) configured commands do what you want. For some programs, esp. ones expecting to be run within a graphical environment, you will have to provide environment values via `<env>` tags in the agent configuration. Usually the log will provide you with some good clues. But feel free to open a support issue if you need help.
+You can use this to a) verify your config is picked up like expected and b) configured commands do what you want. For some programs, esp. ones expecting to be run within a graphical environment, you will have to provide environment values via `<env>` tags in the agent configuration. Usually the log will provide you with some good clues. But feel free to open a support issue if you need help.
+
+
+pam_usb not working in login manager when the device wasn't plugged before login manager started / always asked for password
+--------------
+
+Are you using `lightdm` by any chance? 
+
+Some login managers auto-select the first user they have in their list. This starts the pam chain and pam_usb will see "device is not plugged" and deny the request. At that point then pam_unix (or whatever your next module is) kicks in and asks for the password. This is intended behavior in pam_usb - the actual issue here is the login manager assuming which user wants to login. 
+
+Even if you now plug the device, from pam_usb POV the request is failed/finished and it wont care anymore. You will have to press [ESC] to abort the current authentication request and click/select the user again (if not auto-selected).
+
+It's planned to implement a workaround for this in #221, but no ETA for that.
+
+
+My media isn't accepted after I unplugged it before
+--------------
+
+Is that media NTFS formatted? NTFS really doesn't like unplugging while being mounted. It becomes flagged as "dirty" and you will have to run `chkdsk /R /F /V` on it.
+
+It isn't NTFS? That's a bug most likely, please report it as issue.
+
+SELinux and pam_usb
+--------------
+
+If you have SELinux enabled you will likely get errors with pam_usb. At least on Fedora 40 you need to allow some things that are by default denied. 
+
+There is now a profile available for Fedora 40 that you can install to allow pam_usb to work like intended. To install it download both files from `selinux/<yourDistribution>` to some directory, open a shell in that directory and then run `semodule login.pp`. Replace "login" with the actual profile you want to install, but so far there is only one for login. It may work on other distributions or releases, too but this is untested. 
+
+In case it doesn't work for you, see the discussion at https://github.com/mcdope/pam_usb/discussions/241 to find out how to create your own profile.
diff --git a/doc/pamusb-conf.1 b/doc/pamusb-conf.1
@@ -31,7 +31,7 @@ Add a device
 .TP
 .B
 \fB--add-user\fP, \fB-u\fP
-Add a user
+Add a user (you can call this multiple times, to add multiple devices for a single user)
 .TP
 .B
 \fB--yes\fP, \fB-y\fP
diff --git a/fedora/SPECS/pam_usb.spec b/fedora/SPECS/pam_usb.spec
@@ -56,6 +56,13 @@ rm -rf %{buildroot}/usr/share/pam-configs
 %doc %attr(0644,root,root) /usr/share/doc/pam_usb/TROUBLESHOOTING
 
 %changelog
+* Thu Jul 26 2024 Tobias Bäumer <tobiasbaeumer@gmail.com> - 0.8.5
+- [Feature] Support multiple devices per user
+- [Enhancement] Misc. memory and string handling stuff
+- [Enhancement] Deny if pads can't be updated
+- [Enhancement] SELinux! There is now a profile for Fedora 40 (not installed automatically!) and a doc on how to create your own (see Wiki)
+- [Bugfix] LC_ALL usage
+
 * Thu Jan 04 2024 Tobias Bäumer <tobiasbaeumer@gmail.com> - 0.8.4
 - [Bugfix] loginctl usage was not sh compatible
 - [Bugfix] Misc. fixes related to memory handling
diff --git a/src/version.h b/src/version.h
@@ -18,6 +18,6 @@
 #ifndef PUSB_VERSION_H_
 # define PUSB_VERSION_H_
 
-# define PUSB_VERSION "0.8.4"
+# define PUSB_VERSION "0.8.5"
 
 #endif /* !PUSB_VERSION_H_ */
diff --git a/tools/pamusb-conf b/tools/pamusb-conf
@@ -386,7 +386,7 @@ def resetPads():
 	sys.exit(0)
 
 def usage():
-	print('Version 0.8.4')
+	print('Version 0.8.5')
 	print('Usage: %s [--help] [--verbose] [--yes] [--config=path] [--reset-pads=username] [--add-user=name | --add-device=name [[--device=number] [--volume=number]]' % os.path.basename(__file__))
 	sys.exit(1)
 
