
I was trying to use `pam_usb` in order to create a physical key for better security within my system. After installing the `pam_usb` AUR package and running the following commands (according to the ArchWiki docs):

```
[user@host /some/dir]$ sudo pamusb-conf --add-device KEY

* Using "AI Mass Storage (AI_Mass_Storage-0:0)" (only option)

Which volume would you like to use for storing data ?
* Using "/dev/sda1 (UUID: 12CB-F616)" (only option)

Name        : KEY
Vendor      : AI
Model       : Mass Storage
Serial      : AI_Mass_Storage-0:0
UUID        : 12CB-F616

Save to /etc/security/pam_usb.conf? [Y/n]

Done.

[user@host /some/dir]$ sudo pamusb-conf --add-user guest

Which device would you like to use for authentication ?
* Using "KEY" (only option)

User        : guest
Device      : KEY

Save to /etc/security/pam_usb.conf? [Y/n]

Done.
```

Then I performed a check with `pamusb-check` and got the following output:

```
[user@host /some/dir]$ sudo pamusb-check guest

* Authentication request for user "guest" (pamusb-check)
* Searching for "KEY" in the hardware database...
* Authentication device "KEY" is connected.
* Performing one time pad verification...
* Regenerating new pads...
* Unable to update system pads.
* Pad check succeeded, but updating failed!
* Access denied.
```

This output says that it is unable to update some system pads (I don't know what those are), and hence I get an Access denied. I haven't yet updated any PAM stack file within the folder /etc/pam.d/, for fear that I will ruin my future system logins.

So I want to know what I can do, or whether this output doesn't represent any problem for that task.

SYSTEM

Archlinux / 6.13.2-arch1-1

PACKAGE

local/pam 1.7.0-1

PAM (Pluggable Authentication Modules) library

local/pam_usb 0.8.5-1

Hardware authentication for Linux using ordinary flash media (USB & Card based).

local/pam_usb-debug 0.8.5-1

Detached debugging symbols for pam_usb

local/pambase 20230918-2

Base PAM configuration for services

PAM CONF FILE

```xml
<?xml version="1.0" ?><!--
pam_usb.conf: Configuration file for pam_usb.

See https://github.com/mcdope/pam_usb/wiki/Configuration
--><configuration>
        <!-- Default options -->
        <defaults>
                <!-- Example:
                        <option name="debug">true</option>
                        <option name="deny_remote">true</option>
                -->
        </defaults>

        <!-- Device settings -->
        <devices>
                <!-- Example:
                Note: You should use pamusb-conf to add devices automatically.
                <device id="MyDevice">
                        <vendor>SanDisk Corp.</vendor>
                        <model>Cruzer Titanium</model>
                        <serial>SNDKXXXXXXXXXXXXXXXX</serial>
                        <volume_uuid>6F6B-42FC</volume_uuid>
                        <option name="probe_timeout">10</option>
                </device>
                <device id="MySecondDevice">
                        <vendor>Commodore</vendor>
                        <model>REU</model>
                        <serial>CMDKXXXXXXXXXXXXXXXX</serial>
                        <volume_uuid>6F6B-00FF</volume_uuid>
                        <option name="probe_timeout">10</option>
                </device>
                -->
                <device id="KEY">
                        <vendor>AI</vendor>
                        <model>Mass Storage</model>
                        <serial>AI_Mass_Storage-0:0</serial>
                        <volume_uuid>12CB-F616</volume_uuid>
                </device>
        </devices>


        <!-- User settings -->
        <users>
                <!-- Note: Use pamusb-conf to add a user, then you can tweak
                        manually the configuration here if needed.
                -->

                <!-- Example:
                        Authenticate user scox using "MyDevice", and configure pamusb-agent
                        to automatically start/stop gnome-screensaver on key insertion and
                        removal:
                        <user id="scox">
                                <device>MyDevice</device>
                                <device>MySecondDevice</device>
                                <option name="quiet">true</option>
                                <agent event="lock">
                                    <cmd>gnome-screensaver-command -\-lock</cmd>
                                    <env>DISPLAY=:1</env>
                                    <env>DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus</env>
                                    <env>XAUTHORITY=/run/user/1000/gdm/Xauthority</env>
                                </agent>
                                <agent event="unlock">
                                    <cmd>gnome-screensaver-command -\-deactivate</cmd>
                                    <env>DISPLAY=:1</env>
                                    <env>DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus</env>
                                    <env>XAUTHORITY=/run/user/1000/gdm/Xauthority</env>
                                </agent>
                        </user>

                        Configure user root to authenticate using MyDevice, but update one
                        time pads at every login (default is 1 hour):
                        <user id="root">
                                <device>MyDevice</device>
                                <option name="pad_expiration">0</option>
                        </user>
                -->
                <user id="guest">
                        <device>KEY</device>
                </user>
        </users>

        <!-- Services settings (e.g. gdm, su, sudo...) -->
        <services>
                <!-- Example: Speed up hotplugging by disabling one time pads -->
                <!--
                <service id="pamusb-agent">
                        <option name="one_time_pad">false</option>
                </service>
                -->

                <!-- Disable output for 'su' (needed for gksu) -->
                <!--
                <service id="su">
                        <option name="quiet">true</option>
                </service>
                -->

                <!--
                    Default whitelist for "deny_remote".

                    These services are whitelisted because either
                        a) they are graphical login managers and we assume these be available only locally
                        b) they are authorization agents afters successful authentication.

                    Template:
                        <service id=""><option name="deny_remote">false</option></service>
                -->
                <service id="pamusb-agent"><option name="deny_remote">false</option></service>
                <service id="gdm-password"><option name="deny_remote">false</option></service>
                <service id="xdm"><option name="deny_remote">false</option></service>
                <service id="lxdm"><option name="deny_remote">false</option></service>
                <service id="xscreensaver"><option name="deny_remote">false</option></service>
                <service id="lightdm"><option name="deny_remote">false</option></service>
                <service id="sddm"><option name="deny_remote">false</option></service>
                <service id="polkit-1"><option name="deny_remote">false</option></service>
                <service id="kde"><option name="deny_remote">false</option></service>
                <service id="login"><option name="deny_remote">false</option></service>
        </services>
</configuration>
```
  • I don’t really know much about this, but I can see three non-root users mentioned in your question: guest, guests, and scox. It is a bit confusing that we see “guests” when your command clearly mentions “guest”, and it’s unclear where “scox” comes from. Commented Feb 16 at 0:08
  • I typed them wrong, I will fix that, thanks @Kusalananda Commented Feb 16 at 0:23
  • scox comes from the samples provided by the conf file by pam_usb @Kusalananda Commented Feb 16 at 0:25

1 Answer

Already solved it. The reason for that output was that the user guest was newly created on the machine but without its corresponding home directory /home/guest. After adding it, pamusb-check responded with this:


```
* Authentication request for user "guest" (pamusb-check)
* Searching for "KEY" in the hardware database...
* Authentication device "KEY" is connected.
* Performing one time pad verification...
* Regenerating new pads...
* Access granted.
```
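A pre-flight check for the failure resolved above, as an added example that is not part of the original posts or of pam_usb itself: it reads the `<users>` section of a pam_usb.conf and reports accounts whose home directory is missing before any file in /etc/pam.d/ is touched. The `.pamusb` pad directory name, the ownership check and all function names are assumptions made for this sketch; the page itself only confirms the missing-home case.

```python
import os
import pwd
import xml.etree.ElementTree as ET

PAD_DIR = ".pamusb"  # assumption: per-user pad directory name under $HOME

# Constructed sample mirroring the <devices>/<users> entries from the question.
SAMPLE_CONF = """<configuration>
  <devices><device id="KEY"><volume_uuid>12CB-F616</volume_uuid></device></devices>
  <users>
    <user id="guest"><device>KEY</device></user>
  </users>
</configuration>"""

def configured_users(conf_xml):
    """Map each <user id=...> to the device ids it may authenticate with."""
    root = ET.fromstring(conf_xml)
    return {u.get("id"): [d.text.strip() for d in u.findall("device") if d.text]
            for u in root.findall("./users/user")}

def passwd_lookup(name):
    """Default account lookup: (home, uid) from the passwd database, or None."""
    try:
        entry = pwd.getpwnam(name)
    except KeyError:
        return None
    return entry.pw_dir, entry.pw_uid

def pad_problems(name, lookup=passwd_lookup):
    """Return conditions that would block or endanger storing pads for `name`."""
    account = lookup(name)
    if account is None:
        return ["no such account"]
    home, uid = account
    if not os.path.isdir(home):  # the case from this question
        return [f"home directory {home} does not exist"]
    problems = []
    if os.stat(home).st_uid != uid:  # added hygiene check (assumption)
        problems.append(f"{home} is not owned by uid {uid}")
    pad_dir = os.path.join(home, PAD_DIR)
    if os.path.lexists(pad_dir) and (os.path.islink(pad_dir) or not os.path.isdir(pad_dir)):
        problems.append(f"{pad_dir} exists but is not a real directory")
    return problems

def audit(conf_xml, lookup=passwd_lookup):
    """Problems per configured user; an empty list means the home looks usable."""
    return {user: pad_problems(user, lookup) for user in configured_users(conf_xml)}

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_CONF).items():
        print(user, "OK" if not problems else "; ".join(problems))
```

To check a real system, pass the contents of /etc/security/pam_usb.conf to `audit()` instead of the constructed sample.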
