====== Configuration ======

Configuration is done through the pamusb-conf tool, as explained in the
[[quickstart]] section. Most users don't have to manually change pamusb.conf, 
however if you want to change some default settings, this document explains the
syntax of the pamusb.conf configuration file.

===== Introduction =====

* The configuration file is formatted in XML and subdivided in 4 sections:
  - Default options, shared among every device, user and service
  - Devices declaration and settings
  - Users declaration and settings
  - Services declaration and settings

* The syntax is the following:
<configuration>
 <defaults>
 <!-- default options -->
 </defaults>

 <devices>
 <!-- devices definitions -->
 </devices>

 <users>
 <!-- users definitions -->
 </users>

 <services>
 <!-- services definitions -->
 </services>
</configuration>

* Location of the configuration file

By default, pam_usb.so and its tools will look for the configuration file
located in /etc/pamusb.conf, but you can tell it to use a different file by
using the -c option:

# /etc/pam.d/common-auth
auth    sufficient      pam_usb.so -c /some/other/path.conf
auth    required        pam_unix.so nullok_secure

You will also have to use the -c option when calling pam_usb's tools. For
instance, when calling pamusb-agent:
pamusb-agent -c /some/other/path.conf





===== Options =====

^ Name              ^ Type            ^ Default value       ^ Description  ^
| enable        | Boolean         | true                | Enable pam_usb        
|
| debug         | Boolean         | false               | Enable debug messages 
|
| quiet         | Boolean         | false               | Quiet mode (no verbose
output)                      |
| color_log     | Boolean         | true                | Enable colored output 
|
| one_time_pad  | Boolean         | true                | Enable the use of one
time pads                     |
| deny_remote   | Boolean         | true                | Deny access from
remote host (ssh)                  |
| probe_timeout | Time            | 10s                 | Time to wait for the
volume to be detected|
| pad_expiration| Time            | 1h                  | Time between pads
regeneration|
| hostname      | String          | Computer's hostname | Computer name. Must be
unique accross computers using the same device |                                

| system_pad_directory | String   | .pamusb             | Relative path to the
user's home used to store one time pads |
| device_pad_directory | String   | .pamusb             | Relative path to the
device used to store one time pads|

* Example:

<configuration>
<defaults>
  <!-- Disable colored output by default -->
  <option name="color_log">false</option>
  <!-- Enable debug output -->
  <option name="debug">true</option>
 </defaults>
 <users>
   <user id="root">
     <!-- Enable colored output for user "root" -->
     <option name="color_log">true</option>
   </user>
   <user id="scox">
     <!-- Disable debug output for user "scox" -->
     <option name="debug">false</option>
 </users>
 <devices>
   <device id="sandisk">
     <!-- Wait 15 seconds instead of the default 10 seconds for the "sandisk"
device to be detected -->
     <option name="probe_timeout">15</option>
 </devices>
 <services>
   <service id="su">
     <!-- Disable pam_usb for "su" ("su" will ask for a password as usual) -->
     <option name="enable">false<option>
   </service>
 </services>
</configuration>

===== Devices =====

^ Name            ^ Type      ^ Description                                    ^
Example              ^
| id          | Attribute | Arbitrary device name                          |
MyDevice             |
| vendor      | Element   | device's vendor name                           |
SanDisk Corp.        |
| model       | Element   | device's model name                            |
Cruzer Titanium      |
| serial      | Element   | serial number of the device                    |
SNDKXXXXXXXXXXXXXXXX |
| volume_uuid | Element   | UUID of the device's volume used to store pads |
6F6B-42FC            |


* Example:

<device id="MyDevice">
<vendor>SanDisk Corp.</vendor>
<model>Cruzer Titanium</model>
<serial>SNDKXXXXXXXXXXXXXXXX</serial>
<volume_uuid>6F6B-42FC</volume_uuid>
</device>



===== Users =====

^ Name            ^ Type      ^ Description                                 ^
Example     ^
| id          | Attribute | Login of the user                           | root  
|
| device      | Element   | id of the device associated to the user     |
MyDevice    |
| agent       | Element   | Agent commands, for use with pamusb-agent   | See
below   |

* Example:

<user id="scox">
<device>MyDevice</device>

<!-- When the user "scox" removes the usb device, lock the screen and pause
beep-media-player -->
<agent event="lock">gnome-screensaver-command --lock</agent>
<agent event="lock">beep-media-player --pause</agent>

<!-- Resume operations when the usb device is plugged back and authenticated -->
<agent event="unlock">gnome-screensaver-command --deactivate</agent>
<agent event="unlock">beep-media-player --play</agent>
</user>

===== Services =====

^ Name ^ Type      ^ Description         ^ Example ^
| id   | Attribute | Name of the service | su      |

<service id="su">
<!--
   Here you can put service specific options such as "enable", "debug" etc.
   See the options section of this document.
-->
</service>




===== Full example =====

This example demonstrates how to write a pam_usb configuration file and how to
combine and override options.

<configuration>
<!-- Default options -->
<defaults>
  <!-- Enable debug output by default-->
  <option name="debug">true</option> -->
  <!-- Disable one time pads by default -->
  <option name="one_time_pad">false</option> -->
</defaults>

<!-- Device settings -->
<devices>
  <device id="MyDevice">
    <!-- This part was generated by pamusb-conf -->
    <vendor>SanDisk Corp.</vendor>
    <model>Cruzer Titanium</model>
    <serial>SNDKXXXXXXXXXXXXXXXX</serial>
    <volume_uuid>6F6B-42FC</volume_uuid>

    <!--
      Override the debug option previously enabled by "defaults".
      Everytime a user associated to that device tries to authenticate,
debugging will be disabled.
      For other users using different devices, the debugging will still be
enabled.
    -->
    <option name="debug">disable</option>
  </device>
</devices>

<!-- User settings -->
<users>

  <!-- Authenticate user "root" with device "MyDevice". -->
  <user id="root">
    <device>MyDevice</device>

    <!--
      One time pads were disabled in the "defaults" section.
      Now we want to enable them for the user "root" so we override the option:
    -->
   <option name="one_time_pad">true</option>
  </user>

  <!-- Authenticate user "scox" with device "MyDevice". -->
  <user id="scox">
    <device>MyDevice</device>

    <!-- We want pam_usb to work in quiet mode when authenticating "scox", so we
override the "quiet" option -->
    <option name="quiet">true</option>

    <!-- Agent settings, used by pamusb-agent -->
    <agent event="lock">gnome-screensaver-command --lock</agent>
    <agent event="unlock">gnome-screensaver-command --deactivate</agent>
  </user>
</users>

<!-- Services settings (e.g. gdm, su, sudo...) -->
<services>

  <!-- Disable pam_usb for gdm (a password will be asked as usual) -->
  <service id="gdm">
    <option name="enable">false</option>
  </service>

  <!--
    We already disabled one time pads in the defaults section, but then
re-enabled them for the
    user "root" in the users section.

    Now we want to speed up console login for user root, so we simply override
again the one_time_pad option
    for the "login" (console) service.
  -->
  <service id="login">
    <option name="one_time_pad">false</option>
  </service>
</services>
</configuration>
</code>
