Seusb2: Difference between revisions
(Description of the seusb2 package) |
K (→About) |
||
Zeile 3: | Zeile 3: | ||
== About == | == About == | ||
− | Security Enhanced USB 2 is the second approach to securing USB devices. The first | + | Security Enhanced USB 2 is the second approach to securing USB devices. (The first approach is based on usbmon and tries to detect changes in the firmware. It is not yet on this wiki.) |
This shell script package using udev is for authorizing USB input devices. Newly connected devices are disabled until a user (of the group seusb2) authorizes its use in a pop-up dialogue. In order to avoid lockouts authorization can also be done by pressing the power button. This feature requires acpid. | This shell script package using udev is for authorizing USB input devices. Newly connected devices are disabled until a user (of the group seusb2) authorizes its use in a pop-up dialogue. In order to avoid lockouts authorization can also be done by pressing the power button. This feature requires acpid. | ||
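Review bot: the parenthetical added on the + side of the About paragraph says the first approach "is not yet on this wiki" but gives no other place to find it, which leaves the reader without a reference; suggest linking the page once it exists or stating where the usbmon-based approach is published. In the unchanged line below it, "authorizes its use" refers to "devices" and should read "authorizes their use", and "In order to avoid lockouts" needs a comma after it.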
Zeile 13: | Zeile 13: | ||
The tarball and the binary Debian package is available here: [[Datei:seusb2_1.0.orig.tar.gz]] | The tarball and the binary Debian package is available here: [[Datei:seusb2_1.0.orig.tar.gz]] | ||
[[Datei:seusb2_1.0-1_all.deb]] | [[Datei:seusb2_1.0-1_all.deb]] | ||
− | + | ||
== Dependencies == | == Dependencies == | ||
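Review bot: the only changed line in this hunk, the blank line before "== Dependencies ==", is a whitespace change and could be dropped from the revision. In the context line above it, "The tarball and the binary Debian package is available" should read "are available".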
Revision as of 19 April 2017, 13:12
Authorizing USB input devices
About
Security Enhanced USB 2 is the second approach to securing USB devices. (The first approach is based on usbmon and tries to detect changes in the firmware. It is not yet on this wiki.)
This shell script package, which uses udev, authorizes USB input devices. Newly connected devices are disabled until a user (of the group seusb2) authorizes their use in a pop-up dialogue. To avoid lockouts, authorization can also be done by pressing the power button. This feature requires acpid.
WARNING: Most USB input devices, like keyboards or mice, come without a distinguishing serial number. Authorization is therefore based on vendor and product ID, which allows attackers to spoof these values to match already authorized devices.
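The limitation in the WARNING can be checked per machine. The following is an added example, not part of seusb2: it builds a vendor:product:serial key for each device in a sysfs-style directory and reports devices that expose no serial or that share a key. The function names and the sample tree (IDs 1234:5678 and 1234:9abc, serial SN0001) are constructed for illustration; the layout mirrors /sys/bus/usb/devices.

```bash
# Added example, not seusb2 code. All IDs and serials below are constructed.

# device_key DIR: print "vid:pid:serial"; serial is empty if the device has none.
device_key() {
    local dir=$1 vid pid serial=""
    vid=$(cat "$dir/idVendor") || return 1
    pid=$(cat "$dir/idProduct") || return 1
    if [ -r "$dir/serial" ]; then serial=$(cat "$dir/serial"); fi
    printf '%s:%s:%s\n' "$vid" "$pid" "$serial"
}

# weak_devices ROOT: print "<name> <vid:pid>" for every device identified only
# by vendor and product ID, i.e. any device reporting the same IDs would match.
weak_devices() {
    local root=$1 dir key
    for dir in "$root"/*; do
        [ -r "$dir/idVendor" ] || continue      # skip entries without IDs
        key=$(device_key "$dir") || continue
        case $key in
            *:) printf '%s %s\n' "$(basename "$dir")" "${key%:}" ;;
        esac
    done
}

# colliding_keys ROOT: print every key that more than one device presents.
colliding_keys() {
    local root=$1 dir
    for dir in "$root"/*; do
        if [ -r "$dir/idVendor" ]; then device_key "$dir"; fi
    done | sort | uniq -d
}

# make_sample_tree: build a constructed stand-in for /sys/bus/usb/devices
# with two serial-less devices sharing IDs and one device with a serial.
make_sample_tree() {
    local root
    root=$(mktemp -d) || return 1
    mkdir "$root/1-1" "$root/1-2" "$root/1-3"
    echo 1234 > "$root/1-1/idVendor"; echo 5678 > "$root/1-1/idProduct"
    echo 1234 > "$root/1-2/idVendor"; echo 5678 > "$root/1-2/idProduct"
    echo 1234 > "$root/1-3/idVendor"; echo 9abc > "$root/1-3/idProduct"
    echo SN0001 > "$root/1-3/serial"
    echo "$root"
}
```

On a live system, `weak_devices /sys/bus/usb/devices` lists the devices for which an authorization keyed on vendor and product ID cannot tell one unit from another.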
The source code is licensed under LGPL3 and available on GitHub: https://github.com/codecivil/seusb2
The tarball and the binary Debian package are available here: Datei:Seusb2 1.0.orig.tar.gz Datei:Seusb2 1.0-1 all.deb
Dependencies
udev, inotify-tools, zenity, bash (>= 3.2), adduser, acpid
Installation
1. Download the Debian package above.
2. Install the dependencies:
   sudo apt-get install udev inotify-tools zenity bash adduser acpid
3. Install the package (alternatively, download the tarball and build the package yourself):
   sudo dpkg -i seusb2_1.0-1_all.deb
4. Add seusb2 users. For every USERNAME you want to allow to authorize new USB input devices, run:
   sudo usermod -aG seusb2 USERNAME
5. Log in as a seusb2 user. If you are already logged in, log out first. This will display the dialogues for existing USB input devices. If you do not authorize them now, they will be unavailable after the next boot.