pam_usbkey.so is a linux Pluggable Authentications Module to implement login using usb keys as access tokens. It was written mostly as a learning exercise in how to write a PAM module, and the code is commented in the hope it will provide a template for others. It can be configured to allow passwordless login to certain user accounts if a USB key is plugged into the system (if you're crazy) or can be used as an extra requirement to login, or perhaps to 'su', used in combination with the usual password.
pam_usbkey.so is made available under the Gnu Public License version 3, and comes with no warranties or guarentees.
pam_usbkey.so can be configured in the standard /etc/pam.d configuration files against a specified user, tty or remote host. When the user, and tty or rhost match, the appropriate usb-drive can be used to either:
1) Allow login without a password
2) Disallow login, even with the correct password, if the appropriate USB device is not plugged into the system.
USB keys are identified by their serial number, which can be discovered by reading the 'serial' file in the appropriate device directory under /sys/bus/usb/devices/. The pam_usbkey source comes with a small shell-script that will print out the serial numbers of currently plugged-in USB keys. When a USB key is plugged into the system any user can read its serial number, so it's not a secret from users already on a system who are seeking privilege escalation. However in most use cases the account will still be protected by a password, and making use of the discovered serial number would either require creating a matching USB key and gaining physical access to the system to plug it in, or else fooling the system into thinking a key is plugged in when it isn't. Achieving this is left as an exercise for the attacker.