Configuration

Doing it automatically

1. Run sudo pam_panic_config
2. Put the following in any module of /etc/pam.d you might want to use/need:

auth       include      pampanic
account    include      pampanic

It can be something like xscreensaver or system-local-login.

Doing it manually

What pam_panic flags exist?

Authentication type flags

• password
  • Sets the "ask for password" mode active.
  • You should set your password using pam_panic_pw, running as root.
• allow=<Partition UUID> and reject=<Partition UUID>
  • allow: Sets the removable media with the specified partition UUID as authentication media.
  • reject: Sets the removable media with the specified partition UUID as panic media.
  • Note: You need both to have it working.

Panic flags

• serious=<Partition UUID>
  • Assuming you have an encrypted LUKS partition, this will shred the luksHeader rendering the data within this LUKS container unreadable.
• poweroff
  • Powers the device off. It would happen after serious=<Partition UUID>.
• reboot
  • Reboots the device. It would happen after serious=<Partition UUID>.

Partition UUID?!

You can determine the partition UUID through ls -l /dev/disk/by-partuuid/. This is the device directory where pam_panic is going to look for the partition UUID.

Note: Your devices you are using for the auth=<Partition UUID> and reject=<Partition UUID> flags must be formated with a GUID Partition Table (GPT). See Preparation for the removable media flags to learn how to do this.

Configuration examples

To configure the module, add the following to the appropriate PAM configuration file(s): (see pam.conf(5) for details on these files) Using the removable media:

auth       requisite    /usr/local/lib/security/pam_panic.so auth=<UUID> reject=<UUID> reboot serious=<UUID>
account    requisite    /usr/local/lib/security/pam_panic.so

Using the two passwords:

auth       requisite    /usr/local/lib/security/pam_panic.so password reboot serious=<UUID>
account    requisite    /usr/local/lib/security/pam_panic.so