skx / pam_pwnd

Licence: BSD-2-Clause license
A PAM module to test passwords against previous leaks at haveibeenpwned.com

pam_pwnd

This repository contains a simple PAM module for testing whether a password being used for authentication has been listed in the Have I Been Pwned database.

Note that in the documentation here we focus upon ensuring that a password used for sudo has not been compromised, but PAM-modules can be used for many purposes, from handling SSH-access, to permitting HTTP-based authentication. There is nothing sudo-specific about our code so this module can be useful in many contexts.

Sponsorship

The development of this module was sponsored by three individuals who made charitable donations. (Anonymous primarily because I didn't ask for permission to name them publicly.)

If you wish to "sponsor this" software, and be listed here, just email me a receipt of your donation. I support the RNLI, but feel free to pick whatever charity you wish.

The code is released under the BSD-license so you can fork it, improve it, use it, and enjoy it! Feel free to report bugs, or feature-suggestions on the issue-page.

Compilation

These are the dependencies I expect you would need for compiling the project:

  • For fetching a remote URI we use libcurl:
    • apt-get install libcurl4-gnutls-dev
  • For compiling PAM modules you'll need the appropriate development package:
    • apt-get install libpam0g-dev

Assuming you have the dependencies installed then compilation should only require a simple make:

$ make
gcc -fPIC -c pam_pwnd.c -lpam -lpam_misc -lpamc
gcc -fPIC -c pwn_chk.c  -lcurl
gcc -fPIC -c sha1.c
ld -x --shared -o pam_pwnd.so pam_pwnd.o pwn_chk.o sha1.o -lcurl -lpam -lpam_misc -lpamc

For completeness you can also run the basic test-cases included in the repository, but note that to do that you will require network-access:

$ make test
./pam_test
..

(This might be an issue if you run the tests as part of a build-process upon a CI/CD system which doesn't permit outgoing network access.)

Installation & Configuration

Once you have compiled the code you should copy the resulting file pam_pwnd.so to the appropriate PAM-directory upon your system. In my case that means running this command:

sudo install pam_pwnd.so  /lib/x86_64-linux-gnu/security/

The final step is to enable the module, by editing the appropriate PAM configuration file.

In my case I'm using SSH keys for authentication, and I'm only concerned with ensuring that no known-bad passwords are used with sudo. I append the following line to /etc/pam.d/sudo:

auth   required   pam_pwnd.so  try_first_pass

The complete file, on an Ubuntu system, might then look like this:

  #%PAM-1.0
  session    required   pam_env.so readenv=1 user_readenv=0
  session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
  @include common-auth
  @include common-account
  @include common-session-noninteractive
  auth   required   pam_pwnd.so  try_first_pass

Upon the "stretch" release of Debian GNU/Linux the file has these contents:

  #%PAM-1.0

  @include common-auth
  @include common-account
  @include common-session-noninteractive
  auth   required   pam_pwnd.so  try_first_pass

Regardless of what your file looks like, once you've added the reference to pam_pwnd.so, you should then be ready to test that the module hasn't broken your system by resetting the sudo cache and re-authenticating:

 frodo ~ $ sudo -k
 frodo ~ $ sudo su -
 [sudo] password for skx:
 root@frodo:~#

Assuming nothing is broken you should:

  • Be prompted for your password.
    • Only once.
  • Receive your root-prompt.
  • See the results of the module logged to syslog.

If things are horribly broken, such that you get segfaults or failures from this module then you will probably be unable to run sudo to fix them, so for the duration of any installation you should ensure you have an open terminal/connection with root privileges.

The module logs its results to syslog; search for pam_pwnd to see them.

Security Notes

The code makes a single outgoing HTTP-request for each authentication request:

  • The outgoing request contains only the first five characters of your hashed password.
    • i.e. If your password is "secret" it is first hashed to e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4.
    • Then an outgoing request is made with the characters e5e9f.

If the API-lookup request fails then we default to failing open, allowing the authentication to proceed. (We assume other modules will actually validate the password; if a failure to reach the API caused a denial, we'd block all PAM-based operations whenever your DNS, networking, or similar things were broken.)
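To make the two notes above concrete, here is an added illustration (not the module's own code, which is C and lives in pwn_chk.c and sha1.c) of the range-lookup flow: the password is SHA-1 hashed, only the five-character prefix is sent, the response is a list of "suffix:count" lines that is matched locally against the remaining 35 characters, and a lookup error leads to the fail-open decision. The response body and the fetch functions are constructed stand-ins for the real HTTP call; the function names are assumptions made for this example.

```python
"""Added example: k-anonymity range lookup plus the fail-open decision."""
import hashlib


class RangeLookupError(Exception):
    """Raised by a fetch function when the range request cannot be completed."""


# Constructed sample response: one "SUFFIX:COUNT" line per leaked hash sharing
# the requested prefix. Real responses are much longer; values here are made up,
# except that the first suffix is the real tail of SHA-1("secret").
SAMPLE_RANGE_BODY = (
    "A1BA31ECD1AE84F75CAAA474F3A663F05F4:12345\r\n"
    "0000000000000000000000000000000000A:1\r\n"
    "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:7\r\n"
)


def split_hash(password):
    """Return (prefix, suffix) of the upper-cased SHA-1 hex digest.

    Only the 5-character prefix ever leaves the host; the 35-character suffix
    is compared locally against the returned range.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35:
            continue  # do not trust lines that do not fit the format
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue
    return counts


def pwned_count(password, fetch_range):
    """Number of times the password appears in the leak data (0 if absent).

    fetch_range(prefix) is the injected network step; it returns the response
    body as text or raises RangeLookupError.
    """
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)
    return parse_range_response(body).get(suffix, 0)


def authentication_may_proceed(password, fetch_range):
    """Mirror the policy described in the README: deny a leaked password,
    but fail open (allow) when the lookup itself fails."""
    try:
        count = pwned_count(password, fetch_range)
    except RangeLookupError:
        return True  # fail open; other PAM modules still validate the password
    return count == 0


# Constructed stand-ins for the HTTP request (assumptions, not the real API client).
def fake_fetch(prefix):
    """Serve the sample body for the prefix of SHA-1("secret"), an empty range otherwise."""
    return SAMPLE_RANGE_BODY if prefix == "E5E9F" else ""


def failing_fetch(prefix):
    """Simulate DNS or network failure."""
    raise RangeLookupError("range request failed")


if __name__ == "__main__":
    prefix, suffix = split_hash("secret")
    print("sent to API:", prefix, "kept local:", suffix)
    print("leaked count:", pwned_count("secret", fake_fetch))
    print("allow (leaked):", authentication_may_proceed("secret", fake_fetch))
    print("allow (lookup failed):", authentication_may_proceed("secret", failing_fetch))
```

The parser deliberately drops lines that are not exactly a 35-character suffix followed by a count, so a truncated or unexpected response cannot produce a false match; a wholly failed request is handled one level up, by the fail-open branch.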

There are zero memory allocations in this module, which should ensure that we don't leak anything. Instead we generate a single temporary file to hold the results of our HTTP-response, and that temporary file is cleaned up after use.

Testing Notes

There is a simple test-driver included in this project which exercises some of the code; it is not designed to be a complete test-case, nor to perform exhaustive testing.

If you're planning to submit pull-requests that change the code you should ensure the tests pass even with your additions:

$ make test

Feedback

Bug reports welcome.

Steve
