PAM RFID

Available translations: de

PAM RFID is a Linux Pluggable Authentication Module (PAM) for RFID authentication. It uses an EM4100 compatible RFID reader (e.g. RDM6300) in conjunction with the PyRfid library. With a little manual skill, the reader can be build in a small universal housing:

PAM RFID

Per default the password authentication is set as fallback in case no RFID reader is connected. Two-factor authentication is also possible. The module has to be configured by the pamrfid-conf program.

Hardware

PAM RFID requires some hardware:

  • EM4100 compatible 125kHz RFID reader (e.g. RDM6300)
  • At least one 125kHz RFID tag
  • USB-TTL converter
  • (optional) universal housing (75x55x25)

Connection of the RFID reader

RFID reader and the USB-TTL converter are connected like in the following image:

Connection of the reader

Installation

After adding the PM Code Works APT repository to the system package sources, the package can be installed using following command:

~# apt-get install libpam-rfid

Install missing dependencies:

~# apt-get install -f

Setup

Since PAM RFID communicates via USB and only root is allowed to do this, every user that wants to use PAM RFID must be granted access for using USB:

~# usermod -a -G dialout username

A reboot is now required. After that users can be added to PAM RFID.

~# reboot

PAM RFID consists of the Linux PAM module itself and a console-based configuration utility to add users. To enable RFID authentication for a user use e.g. the following command:

~# pamrfid-conf --add-user username

Remind to replace username by a real user. Using this command a RFID tag is enrolled twice. To test if added user can login with the tag use e.g. the following command:

~$ pamrfid-check --check-user username

During the test some information are printed on the console. If output in last line is "successful" everything works as it should and user is able to use RFID authentication in the future.

Credendentials of PAM RFID are stored in the file /etc/pamrfid.conf inside the section [users]. The structure of an entry is:

username = salt, salted-SHA256(RFID tag)

The other section [PyRfid] contains settings of the RFID reader.

Since PAM RFID is purely written in Python it can also be run on ARM-HF based Raspberry Pi.

How to write your own PAM module

How PAM works and how PAM modules are written and added to Linux see Linux PAM.