How to do it...

Any kind of USB storage device can be turned into an authentication token by pairing it with PAM through the pam_usb module:

  1. To start with, install the packages required for PAM USB authentication:
    $ sudo apt-get install pamusb-tools libpam-usb

  2. Once the packages are installed, the USB device has to be registered with pam_usb. This can be done either with the pamusb-conf command or by editing /etc/pamusb.conf directly.

To use the command method, first connect the USB device and then run:

    $ sudo pamusb-conf --add-device usb-device

Here usb-device is the name given to the USB device. It can be any name you choose; it is only used to refer to the device inside /etc/pamusb.conf.

pamusb-conf discovers the connected USB device and its partitions automatically (a device with several partitions is handled). When it finishes, it appends an XML block to /etc/pamusb.conf that defines the device.

  3. Next, define the user who will authenticate with the device:
    $ sudo pamusb-conf --add-user user1

user1 must be an existing system account: pamusb-conf does not create accounts, it only pairs the account with a device defined in the previous step.

This command appends the pam_usb user definition to /etc/pamusb.conf.

  4. Now configure PAM to consult the pam_usb module during system authentication. Edit /etc/pam.d/common-auth and add a line for pam_usb.so, placed above the existing pam_unix.so (password) line.

Because the other PAM service files include common-auth, this makes every service that authenticates through it (login, su, sudo, the display manager) aware of the pam_usb module. Note that on Debian and Ubuntu this file is generated by pam-auth-update, which may later offer to overwrite local changes, so re-check the line after PAM-related package upgrades.

PAM control flags decide how each module's result is combined. required means the module must succeed for authentication to succeed; if it fails, PAM still runs the remaining modules, but the final result is failure. sufficient means that if the module succeeds (and no earlier required module has failed), authentication succeeds immediately and the later modules are skipped; if it fails, the failure is ignored and processing continues. In the preceding configuration, pam_usb is sufficient and the password module (pam_unix) is required, with pam_usb listed first.

So if the USB device defined for user1 is not present, pam_usb fails silently and the user is asked for the password as usual; if it is present, the token alone logs the user in and no password is requested. That is a convenience, not two-factor authentication: whoever holds the stick holds the account. To require both the token and the password before access is granted, change sufficient to required.
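As an added illustration (not a screenshot from the book), here is the usual pam_usb arrangement in /etc/pam.d/common-auth on a Debian-style system, once with the token as an alternative to the password and once with both mandatory. The pam_unix line stands in for the distribution's default password line; the nullok_secure option on it is assumed.

```text
# /etc/pam.d/common-auth: token OR password
# pam_usb comes first and is sufficient, so a recognised stick skips pam_unix.
auth    sufficient      pam_usb.so
auth    required        pam_unix.so nullok_secure

# /etc/pam.d/common-auth: token AND password
# Same order, but pam_usb is required, so a missing stick fails the login
# even though pam_unix still runs and prompts for the password.
auth    required        pam_usb.so
auth    required        pam_unix.so nullok_secure
```

The order matters as much as the flag: if the pam_usb line were placed after a required pam_unix line, a sufficient pam_usb could never rescue a wrong password and would be pointless, because a required failure is final no matter what succeeds afterwards.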

  5. Now try to switch to user1, for example with su user1:

When prompted, connect usb-device. If the correct USB token is plugged in, the login completes; otherwise pam_usb reports an error and, with sufficient in place, the password is requested instead.

  6. If an error such as the following appears, pam_usb could not mount the device, usually because its partition is not recognised as removable:

    Error: device /dev/sdb1 is not removable
    * Mount failed

In that case, add the full device path of the USB partition to /etc/pmount.allow, which whitelists it for pmount.

  7. Check how the USB partition is listed in the filesystem:
    $ sudo fdisk -l

In our case, the partition is listed as /dev/sdb1.

  8. Add that path (here /dev/sdb1) as a line in /etc/pmount.allow and retry; the mount error disappears.
  9. With the /etc/pam.d/common-auth configuration so far, a user whose USB device is not connected can still log in with the correct password alone. To force the user to present the USB device as well, change sufficient to required on the pam_usb line.

  10. If the user now tries to log in, they have to enter the correct password and insert the USB device; either one on its own is rejected.

  11. Finally, remove the USB device and try to log in again with the correct password; the login is refused, confirming that the token is now mandatory.
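The whole recipe, collected into a helper script. This is an added example, not code from the book or from the pam_usb project. It assumes a Debian/Ubuntu layout (/etc/pam.d/common-auth, /etc/pmount.allow, apt-get) and the pamusb-conf and pamusb-check tools shipped in pamusb-tools; the function names, the script name pamusb-setup.sh and the --apply handling are my own. The editing functions take the file path as an argument so they can be rehearsed on a copy before touching /etc.

```shell
#!/bin/sh
# pamusb-setup.sh: helper for the pam_usb recipe above (added example, hypothetical names).
# Usage: sudo sh pamusb-setup.sh --apply <device-name> <user> [/dev/sdX1]
# Without --apply the script only defines the functions below.
set -u

# Report the control flag on the pam_usb auth line of a common-auth style file:
# prints "sufficient", "required" or "absent".
pamusb_mode() {
    awk '$1 == "auth" && $3 == "pam_usb.so" { print $2; found = 1; exit }
         END { if (!found) print "absent" }' "$1"
}

# Insert "auth sufficient pam_usb.so" immediately above the first pam_unix auth line.
# The token must be consulted before the password module, otherwise "sufficient"
# never short-circuits anything. Idempotent: a file that already has a pam_usb line is left alone.
pamusb_add_line() {
    [ "$(pamusb_mode "$1")" = absent ] || return 0
    awk '$1 == "auth" && $0 ~ /pam_unix\.so/ && !done { print "auth\tsufficient\tpam_usb.so"; done = 1 }
         { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Succeed (exit 0) only if the pam_usb line precedes the first pam_unix line.
pamusb_before_unix() {
    awk '$1 == "auth" && $3 == "pam_usb.so" { usb = NR }
         $1 == "auth" && $0 ~ /pam_unix\.so/ && !pw { pw = NR }
         END { exit !(usb && pw && usb < pw) }' "$1"
}

# Flip the pam_usb line from "sufficient" (token OR password) to "required" (token AND password).
# Portable sed: writes to a temp file instead of relying on GNU "sed -i".
pamusb_enforce() {
    sed 's/^\(auth[[:space:]][[:space:]]*\)sufficient\([[:space:]][[:space:]]*pam_usb\.so\)/\1required\2/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Whitelist a partition for pmount (fixes "device /dev/sdX1 is not removable") without duplicates.
pmount_allow() {
    grep -qxF "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# The recipe itself, in the book's order. Plug the stick in before running this.
# Keep a separate root shell open while testing so a bad line cannot lock you out.
if [ "${1-}" = "--apply" ]; then
    dev_name=${2:?device name}
    user=${3:?user name}
    part=${4-}                                   # optional, e.g. /dev/sdb1 from "fdisk -l"
    apt-get install -y pamusb-tools libpam-usb   # step 1
    pamusb-conf --add-device "$dev_name"         # step 2: writes the <device> block to /etc/pamusb.conf
    pamusb-conf --add-user "$user"               # step 3: pairs an existing account with the device
    if [ -n "$part" ]; then
        pmount_allow /etc/pmount.allow "$part"   # steps 6-8, only needed if pmount refuses the partition
    fi
    pamusb_add_line /etc/pam.d/common-auth       # step 4: token OR password to begin with
    pamusb-check --debug "$user"                 # dry run of the token check for this user
fi
```

Run it with --apply to perform the steps; it adds the pam_usb line as sufficient, mirroring the recipe, so call `pamusb_enforce /etc/pam.d/common-auth` once the token works to switch to required (steps 9 to 11). The check functions are deliberately separate from the apply section so that `pamusb_mode` and `pamusb_before_unix` can be run against a copy of common-auth to confirm the flag and the ordering before any real login is attempted.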
