pam_cuecat
by Steven Lawrance in Sept/2000 and Oct/2000

CueCat is a registered trademark of Digital Convergence, and I am in no way (as far as I know) connected with Digital Convergence or its partners. So please don't sue me ;). Besides, this module does NOT contain the decoding software; instead, this module relies upon the CueCat Linux kernel driver for the CueCat->ASCII translation. The name "CueCat" is only being used here to refer to the device that this PAM module can be used with and is not meant in any way as a misappropriation of trademark. In other words, this PAM module is NOT a CueCat.

This code is licensed under the GNU General Public License.

This module reads codes from /dev/scanners/cuecat, looks up the username:barcode_type:barcode line in /etc/cuecatpasswd, and returns whether or not this user has been authenticated.

Parameters:

    debug     Debugs the CueCat PAM module
    nowarn    Disables warning messages
    noerr     Disables error messages
    noprompt  Disables the scan prompt
    onerr     Either "succeed" or "fail" on an error; default=error
    sense     Either "allow" or "deny" access on a match; default=allow
    passwd    CueCat Passwd file, if not /etc/cuecatpasswd
    cuecat    CueCat device, if not /dev/scanners/cuecat
    timeout   Wait x seconds for CueCat input; default=10, 0=infinite (!)
    sync      Disables asynchronous reads, which disables buffer clearing
              and the timeouts while allowing this module to work with
              sync-only CueCat kernel patches. This option is now the
              default in version 0.04 and was the default in 0.01 and 0.02.
    async     Enables asynchronous reads, allowing buffer clearing as a
              security measure while enabling timeouts. This requires a
              CueCat kernel patch that supports the cuecat_poll function.
              If async is used on a non-async CueCat kernel patch, the
              driver locks up. Async was used as the only option in 0.03,
              but now must be explicitly enabled.

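What the async and timeout parameters amount to on a descriptor that supports select(), as an added example rather than code from pam_cuecat: drop anything scanned before the prompt, then wait a bounded time for a fresh scan. flush_stale() and read_scan() are hypothetical names, and a pipe stands in for /dev/scanners/cuecat.

```c
/* Added illustration, not pam_cuecat source. flush_stale() and read_scan()
 * are hypothetical names; main() uses a pipe in place of the CueCat device. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <unistd.h>

/* Discard input queued before the prompt; returns bytes dropped or -1. */
long flush_stale(int fd)
{
    char junk[256];
    long total = 0, n;
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0) return -1;
    while ((n = read(fd, junk, sizeof junk)) > 0 || (n < 0 && errno == EINTR))
        if (n > 0) total += n;
    if (n < 0 && errno != EAGAIN) total = -1;  /* real error, not "empty" */
    fcntl(fd, F_SETFL, flags);                 /* restore the caller's mode */
    return total;
}

/* Wait up to timeout_s seconds (0 = forever, like timeout=0) for a scan.
 * Returns the code length, 0 on timeout, -1 on error. */
long read_scan(int fd, char *buf, size_t cap, int timeout_s)
{
    struct timeval tv = { timeout_s, 0 };
    fd_set rd;
    long n;
    FD_ZERO(&rd);
    FD_SET(fd, &rd);
    n = select(fd + 1, &rd, NULL, NULL, timeout_s > 0 ? &tv : NULL);
    if (n <= 0) return n;                /* 0 = timed out, -1 = error */
    if ((n = read(fd, buf, cap - 1)) < 0) return -1;
    buf[n] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';    /* strip the line ending */
    return (long)strlen(buf);
}

int main(void)
{
    int p[2];
    char buf[64];
    if (pipe(p) != 0 || write(p[1], "STALE\n", 6) != 6) return 1;  /* constructed */
    printf("dropped %ld stale bytes\n", flush_stale(p[0]));
    if (write(p[1], "FRESH\n", 6) != 6) return 1;                  /* constructed */
    if (read_scan(p[0], buf, sizeof buf, 1) > 0) printf("accepted: %s\n", buf);
    return 0;
}
```

Without the flush step, which is the situation in sync mode, a code scanned before the prompt appears is still queued and is what the next read returns.
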
NOTE: Version 0.04 of the CueCat PAM module in async mode (see above) will _only_ work correctly with a patched /usr/src/linux/drivers/char/cuecat_driver.c file. The 2.2.x kernel patch works with versions 0.2.0 and 0.2.1 of the CueCat kernel driver. These files were installed by RPM as /usr/doc/pam_cuecat-0.04/cuecat_driver-0.2.0-poll.patch and /usr/doc/pam_cuecat-0.04/cuecat_driver-0.2.1-poll-2.4.0-test10.patch (for Linux 2.4.0), and can be applied by running the following (assuming you installed the RPM; otherwise, modify the patch source directory accordingly):

Linux 2.2.x:
------------
    cd /usr/src/linux/drivers/char
    patch cuecat_driver.c < /usr/doc/pam_cuecat-0.04/cuecat_driver-0.2.0-poll.patch
    rm -f cuecat_driver.o

Linux 2.4.x:
------------
    cd /usr/src/linux/drivers/char
    patch cuecat_driver.c < /usr/doc/pam_cuecat-0.04/cuecat_driver-0.2.0-poll-2.4.0-test10.patch
    rm -f cuecat_driver.o

Go into the kernel's top-level directory (/usr/src/linux), do `make modules`, and then copy modules/cuecat.o to the misc/ directory in your /lib/modules/linuxversion directory :).

This patch adds async read capabilities and polling so that select can work properly. With this patch, this driver is able to flush any lingering scans before prompting for the user to scan while enforcing timeouts at the same time.

In /etc/cuecatpasswd, each line specifies a username:barcode_type:barcode. A user can have more than one barcode that produces a match by putting each one on a separate line.

To configure PAM, go into your /etc/pam.d directory and add pam_cuecat.so to the programs of your choice. Good ones are login and gdm, located respectively in /etc/pam.d/login and /etc/pam.d/gdm. Depending on what you want to do, the extra line could be approached from many different angles.
For simplicity, this should work, added below or in place of the pam_pwdb.so line:

    auth required /lib/security/pam_cuecat.so async

If you put this below, then, assuming a default RedHat configuration (though, you still need the CueCat kernel driver), users will be required to log in with both modules.

NOTE: Replace the "async" parameter with "sync" if your CueCat kernel driver doesn't support asynchronous reading. Alternately, not specifying sync or async will use sync as the default as of 0.04. A future version will hopefully be able to automatically detect what the kernel driver supports as the default.

DANGER! If some users such as root do not have a barcode in /etc/cuecatpasswd and if you have it set up to require a barcode with nothing to fall back on, then you won't be able to log in as those users!

Alternately, you can have it prompt for the password but fall back on barcode scanning if the user doesn't want to enter the password or forgot what it was. This can be done by changing "required" in the "auth required pam_pwdb.so" line to "sufficient" and then putting the cuecat auth line right below it.

Thirdly, you could require a barcode in all cases. If you do that, PLEASE create barcode entries in /etc/cuecatpasswd BEFORE switching over to nothing but CueCat logins! Don't say I didn't warn you ;).

Of course, if you get into a real jam, enter the following at the LILO prompt (it's the prompt that comes up when you boot your system but before the kernel loads):

    linux 1

The above will bypass PAM altogether and drop you into runlevel 1. If that doesn't work, probably because something else is messed up (shouldn't be from these instructions), then type this into the LILO prompt:

    linux init=/bin/sh

You will need to mount your filesystems manually if you do the init=/bin/sh method, so please try the "linux 1" method first; it automatically sets you up :).

I urge everyone to read the documentation for PAM :). Of course, how realistic is that ;)?
The above instructions should be 'sufficient' (pun intended ;), though you might want to read up if you want to know what's going on inside of PAM. They also teach PAM configuration in the RHCE class ;). (shameless plug hehe)
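
A check to run before making pam_cuecat.so "required", as an added example rather than code from pam_cuecat: it parses username:barcode_type:barcode lines and reports which accounts have no barcode and would be locked out. The function names, the sample table and the TYPE_A/TYPE_B type names are constructed; skipping malformed lines is an assumption about how such a file should be read.

```c
/* Added illustration, not pam_cuecat source. Function names and the sample
 * table are constructed; only the line format comes from the README. */
#include <stdio.h>
#include <string.h>

static const char SAMPLE[] =     /* constructed /etc/cuecatpasswd content */
    "alice:TYPE_A:0000000000001\n"
    "alice:TYPE_B:EXAMPLE-CODE-2\n"
    "bob:TYPE_A:0000000000003\n"
    "line with no fields\n";

/* 1 if the line is user:type:code for this user; NULL type/code match any. */
static int entry_matches(const char *l, size_t len, const char *user,
                         const char *type, const char *code)
{
    char buf[256], *t, *c;
    if (len == 0 || len >= sizeof buf) return 0;
    memcpy(buf, l, len);
    buf[len] = '\0';
    if (!(t = strchr(buf, ':'))) return 0;
    *t++ = '\0';                         /* buf now holds the username */
    if (!(c = strchr(t, ':'))) return 0;
    *c++ = '\0';                         /* t = barcode_type, c = barcode */
    if (!*buf || !*t || !*c || strcmp(buf, user) != 0) return 0;
    return (!type || strcmp(t, type) == 0) && (!code || strcmp(c, code) == 0);
}

/* Count a user's lines, or only exact matches when type and code are given. */
int count_entries(const char *table, const char *user,
                  const char *type, const char *code)
{
    int n = 0;
    while (*table) {
        size_t len = strcspn(table, "\n");
        n += entry_matches(table, len, user, type, code);
        table += len + (table[len] == '\n');
    }
    return n;
}

int main(void)
{
    const char *must_login[] = { "root", "alice", "bob" };   /* constructed */
    for (size_t i = 0; i < sizeof must_login / sizeof *must_login; i++) {
        int n = count_entries(SAMPLE, must_login[i], NULL, NULL);
        printf("%-6s %d barcode(s)%s\n", must_login[i], n,
               n ? "" : "  <- locked out if pam_cuecat.so is required");
    }
    return 0;
}
```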