Troubleshooting

McDope edited this page Aug 23, 2020 · 18 revisions

Don't panic!

Log Analysis

Both pam_usb.so and pamusb-agent use the syslog facility to log authentication attempts. This can be useful for GUI-driven applications (for instance GDM) where you don't get to see console output. Messages are logged with the AUTH facility. They are usually written to /var/log/auth.log, but the location may vary depending on the operating system you're using.

# tail -f /var/log/auth.log
pamusb-agent[25429]: Device "sandisk" has been inserted. Performing
verification...
pamusb-agent[25429]: Executing "/usr/bin/pamusb-check --quiet
--config=/etc/pamusb.conf --service=pamusb-agent scox"
pam_usb[25485]: Authentication request for user "scox" (pamusb-agent)
pam_usb[25485]: Device "sandisk" is connected (good).
pam_usb[25485]: Access granted.
pamusb-agent[25429]: Authentication succeeded. Unlocking user "scox"...
pamusb-agent[25429]: Unlocked.
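
To see at a glance which user and service were granted or denied, the pam_usb lines can be grouped by PID. The script below is an added example, not part of pam_usb. Its sample lines are constructed from the format shown above, and it assumes a denied attempt is logged as "Access denied." in the same way as "Access granted.".

```python
import re
from collections import Counter

# Matches "pam_usb[PID]: message"; any syslog timestamp/host prefix is ignored.
# pamusb-agent lines do not match because the tag is spelled differently.
ENTRY = re.compile(r'pam_usb\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$')
REQUEST = re.compile(
    r'Authentication request for user "(?P<user>[^"]+)" \((?P<service>[^)]+)\)')

def summarize(lines):
    """Count pam_usb outcomes keyed by (user, service, outcome)."""
    pending = {}            # pid -> (user, service) still waiting for a verdict
    results = Counter()
    for line in lines:
        m = ENTRY.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        req = REQUEST.search(msg)
        if req:
            if pid in pending:   # PID reused before a verdict was logged
                results[pending[pid] + ("unknown",)] += 1
            pending[pid] = (req.group("user"), req.group("service"))
        elif msg.startswith("Access granted") and pid in pending:
            results[pending.pop(pid) + ("granted",)] += 1
        elif msg.startswith("Access denied") and pid in pending:  # assumed wording
            results[pending.pop(pid) + ("denied",)] += 1
    for key in pending.values():  # requests with no verdict in the log window
        results[key + ("unknown",)] += 1
    return results

# Constructed sample lines (timestamps, host and PIDs 25511/25530 are made up).
SAMPLE = """\
Aug 23 10:00:01 host pamusb-agent[25429]: Device "sandisk" has been inserted.
Aug 23 10:00:01 host pam_usb[25485]: Authentication request for user "scox" (pamusb-agent)
Aug 23 10:00:01 host pam_usb[25485]: Device "sandisk" is connected (good).
Aug 23 10:00:01 host pam_usb[25485]: Access granted.
Aug 23 10:05:12 host pam_usb[25511]: Authentication request for user "scox" (sudo)
Aug 23 10:05:12 host pam_usb[25511]: Access denied.
Aug 23 10:06:40 host pam_usb[25530]: Authentication request for user "scox" (sudo)
""".splitlines()

if __name__ == "__main__":
    for (user, service, outcome), n in sorted(summarize(SAMPLE).items()):
        print(f"{user:10} {service:14} {outcome:8} {n}")
```

A cluster of "denied" results for one service (for example a graphical terminal or the agent) is the cue to enable debug for that service as described below.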

Enabling debug

Enabling debug messages may help you find out what's wrong.

To enable them, edit /etc/pamusb.conf and set the following option:

<defaults>
  <option name="debug">true</option>
</defaults>

You can also enable debug messages for only a specific user, device or service:

<services>
  <service id="sudo">
    <option name="debug">true</option>
  </service>
</services>

Getting 'Access denied' on graphical terminals / when using agent

This can happen if deny_remote is enabled but unknown_pts_as_local is not. It is caused by non-login shells (or processes launched from them) that have no entry in utmp for their tty, or that have no tty at all. See issue #8 (https://github.com/mcdope/pam_usb/issues/8) for more information.

To fix this, make sure to enable not only deny_remote but also unknown_pts_as_local (this is the default).