Authorizing USB input devices
Security Enhanced USB 2 is the second approach to securing USB devices. (The first approach is based on usbmon and tries to detect changes in the firmware. It is not yet on this wiki.)
This shell script package uses udev to authorize USB input devices. Newly connected devices are disabled until a user (a member of the group seusb2) authorizes their use in a pop-up dialogue. To avoid lockouts, authorization can also be done by pressing the power button. This feature requires acpid.
WARNING: Most USB input devices, such as keyboards or mice, come without a distinct serial number. Authorization is therefore based on vendor and product ID, which allows attackers to spoof these values to match already authorized devices.
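The limitation in the warning can be checked on your own machine. The following script is an added example, not part of seusb2: it reads the standard Linux sysfs attributes idVendor, idProduct and serial and lists the vendor:product pairs that carry no serial number. The function names and the sample device tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not seusb2 code): show the identity a vendor/product-ID
# based check has to work with, using the sysfs attributes of each device.

# usb_identities ROOT -> one line per device: "VID:PID sysfs-name serial-or-'-'"
usb_identities() {
    root=${1:-/sys/bus/usb/devices}
    for dev in "$root"/*; do
        # Interface nodes such as 1-1:1.0 have no idVendor; skip them.
        [ -r "$dev/idVendor" ] && [ -r "$dev/idProduct" ] || continue
        serial=-
        [ -s "$dev/serial" ] && serial=$(cat "$dev/serial")
        printf '%s:%s %s %s\n' "$(cat "$dev/idVendor")" \
            "$(cat "$dev/idProduct")" "${dev##*/}" "$serial"
    done
}

# ambiguous_ids ROOT -> VID:PID pairs seen without a serial number. Any device
# presenting such a pair is indistinguishable from the others by ID alone.
ambiguous_ids() {
    usb_identities "$1" | awk '$3 == "-" { print $1 }' | sort -u
}

# Constructed sample tree (made-up IDs, not real hardware) for offline runs.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/1-1" "$t/1-1:1.0" "$t/1-2" "$t/1-3"
    printf '1234\n' > "$t/1-1/idVendor"; printf 'abcd\n' > "$t/1-1/idProduct"
    printf '1234\n' > "$t/1-2/idVendor"; printf 'abcd\n' > "$t/1-2/idProduct"
    printf '5678\n' > "$t/1-3/idVendor"; printf 'ef01\n' > "$t/1-3/idProduct"
    printf 'CONSTRUCTED0001\n' > "$t/1-3/serial"
    printf '%s\n' "$t"
}

sample=$(make_sample_tree)
usb_identities "$sample"
echo "VID:PID pairs without a serial number:"
ambiguous_ids "$sample"
rm -rf "$sample"
```

Calling usb_identities without an argument reads the live tree under /sys/bus/usb/devices instead of the sample.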
The source code is under LGPL3 and available on GitHub: https://github.com/codecivil/seusb2
Dependencies: udev, inotify-tools, zenity, bash (>= 3.2), adduser, acpid
1. Download the Debian package above.
2. Install the dependencies
sudo apt-get install udev inotify-tools zenity bash adduser acpid
3. Install the package
sudo dpkg -i seusb2_1.0-1_all.deb
(alternatively, download the tarball and build the package for yourself)
4. Add seusb2 users. For every USERNAME you want to allow to authorize new USB input devices, run
sudo usermod -aG seusb2 USERNAME
5. Log in as a seusb2 user. If you are already logged in, log out first. This will display the dialogues for existing USB input devices. If you do not authorize them now, they will be unavailable after the next boot.