pam_nfc
An NFC reader tool which stores a tag's UID together with the username in a store,
so it can be used with PAM to authenticate with an NFC tag.
Don't worry, all UIDs are stored as bcrypt hashes. ;)
Install
There are two ways to install it: you can build it yourself, or you can
install the compiled version from GitLab (which will always be the newest version).
The binary version can be downloaded here.
Oh, and don't forget to install libnfc, otherwise it won't work. :3
Install compiled version
It's really easy! For real, trust me. :3
# download the binary file
curl -L https://gitlab.com/kerkmann/pam_nfc/-/jobs/artifacts/main/raw/pam_nfc\?job\=release --output pam_nfc
# make file executable
chmod +x pam_nfc
# just copy the binary file to `/usr/local/bin/pam_nfc`
sudo cp pam_nfc /usr/local/bin/pam_nfc
That's it! As I said, it's really easy. :3
Build it yourself
You don't trust the pre-built binary? Thankfully, you can build it yourself. :3
# clone the project
git clone https://gitlab.com/kerkmann/pam_nfc
# change into the directory
cd pam_nfc
# compile it yourself
cargo build --release
# (optional) make the binary smaller
upx --best --lzma target/release/pam_nfc
# make file executable
chmod +x target/release/pam_nfc
# just copy the binary file to `/usr/local/bin/pam_nfc`
sudo cp target/release/pam_nfc /usr/local/bin/pam_nfc
Setting it up
To authenticate there are a few steps to do: first of all you need to add
a scanned tag to the store.
After that you need to set up PAM so the authentication system knows what
to do.
Adding tags to a user
You can add a tag to a user, which will then be used to log in as that user.
# place your tag on the nfc reader
# add the scanned tag to the current user
sudo pam_nfc `whoami` add
But if you want to use the sudo command with the NFC reader, you need to add the tag to the root user.
# place your tag on the nfc reader
# add the scanned tag to the root user
sudo pam_nfc root add
And that's it! You can check that the tool is working just by running the
verify command.
If the reader reads the right tag, the exit status should be successful. :)
# place your tag on the nfc reader
# check if the current user can authenticate with the tag
pam_nfc `whoami`
# check if the root user can authenticate with the tag
pam_nfc root
PAM Authentication
You can also add the pam_nfc tool to PAM, so you don't need to type in
your password anymore! :)
A short explanation of what PAM is...
PAM stands for Pluggable Authentication Module; it describes how a user can
authenticate.
There is a configuration file which handles the system authentication.
This configuration file should look like this:
1 auth required pam_env.so
2 auth requisite pam_faillock.so preauth
3 auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
4 auth [default=die] pam_faillock.so authfail
5 account required pam_unix.so
6 account required pam_faillock.so
7 password required pam_passwdqc.so config=/etc/security/passwdqc.conf
8 password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
9 session required pam_limits.so
10 session required pam_env.so
11 session required pam_unix.so
You only need to add one specific line to enable single sign on with the NFC tag,
or multi-factor authentication. :O
See below and decide which one you prefer. :3
Setup PAM for single sign on (no password required)
Between lines 2 and 3 you only need to add this magic line of config:
auth sufficient pam_exec.so quiet /usr/local/bin/pam_nfc
After inserting it, it should look like this:
1 auth required pam_env.so
2 auth requisite pam_faillock.so preauth
3 auth sufficient pam_exec.so quiet /usr/local/bin/pam_nfc
4 auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
5 auth [default=die] pam_faillock.so authfail
6 account required pam_unix.so
7 account required pam_faillock.so
8 password required pam_passwdqc.so config=/etc/security/passwdqc.conf
9 password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
10 session required pam_limits.so
11 session required pam_env.so
12 session required pam_unix.so
The magic word is "sufficient", which means
"if nothing has failed up to this point, the user is authenticated". :3
The following lines (the password check) are skipped, so no password is required. :3
Setup PAM for multi factor authentication
Between lines 4 and 5 you only need to add this magic line:
auth required pam_exec.so quiet /usr/local/bin/pam_nfc
After inserting it, it should look like this:
1 auth required pam_env.so
2 auth requisite pam_faillock.so preauth
3 auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
4 auth [default=die] pam_faillock.so authfail
5 auth required pam_exec.so quiet /usr/local/bin/pam_nfc
6 account required pam_unix.so
7 account required pam_faillock.so
8 password required pam_passwdqc.so config=/etc/security/passwdqc.conf
9 password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
10 session required pam_limits.so
11 session required pam_env.so
12 session required pam_unix.so
It looks very similar to the single sign on config, but there is a small difference. ;)
The magic word is "required", which means it's mandatory that this
check succeeds.
The reason I put it UNDER pam_faillock/pam_unix is that you can type in your
password WITHOUT pressing the enter key.
Just before you would press enter, you can place the tag on the reader,
hold it there, and THEN press enter.
The idea behind this is to type in your password with both hands and then
(for example) place your tag on the reader, press enter and remove the tag again. ;)
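To make the difference between the "sufficient" (single sign on) and "required" (multi factor) stacks concrete, here is an added example that is not part of pam_nfc: a small Python evaluator for the Linux-PAM auth control flags used in the two configs above (required, requisite, sufficient, [success=1 default=ignore], [default=die]). The outcomes of pam_unix (password) and pam_exec (the pam_nfc tag check) are simulated inputs, pam_env and pam_faillock preauth are assumed to succeed, and no real PAM library or NFC reader is involved. It reports, for each combination of right/wrong password and right/wrong tag, what the stack returns and which modules were actually consulted.

```python
# Added example (not part of pam_nfc): evaluator for the Linux-PAM "auth"
# control flags used in the README's two configs. Module outcomes are
# simulated; no real PAM or NFC reader is involved.

SUCCESS, FAILURE = "success", "failure"

# The simple keywords are shorthand for PAM's [value=action ...] syntax.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_line(line):
    """Turn one 'auth <control> <module> [args]' line into (control, module)."""
    parts = line.split()
    if parts[0] != "auth":
        raise ValueError("only auth lines are modelled: " + line)
    if parts[1].startswith("["):
        # bracket form, e.g. [success=1 default=ignore]
        end = line.index("]")
        control = {}
        for token in line[line.index("[") + 1:end].split():
            key, value = token.split("=")
            control[key] = int(value) if value.isdigit() else value
        module = line[end + 1:].split()[0]
    else:
        control = dict(KEYWORDS[parts[1]])
        module = parts[2]
    return control, module


def evaluate(stack, results):
    """Run an auth stack. `results` maps module name -> SUCCESS/FAILURE;
    modules not listed are assumed to succeed (pam_env, pam_faillock preauth).
    Returns (final status, list of modules that were actually consulted)."""
    entries = [parse_line(line) for line in stack]
    status = None          # None: no module has made a decision yet
    consulted = []
    i = 0
    while i < len(entries):
        control, module = entries[i]
        i += 1
        result = results.get(module, SUCCESS)
        consulted.append(module)
        action = control.get(result, control["default"])
        if action == "ignore":
            continue
        if isinstance(action, int):
            # "N" is "ok" plus a jump over the next N modules
            if status != FAILURE:
                status = result
            i += action
        elif action in ("ok", "done"):
            # a result only counts if no earlier module already failed
            if status != FAILURE:
                status = result
            if action == "done" and status == SUCCESS:
                break  # sufficient: stop here, later auth lines are skipped
        elif action in ("bad", "die"):
            status = FAILURE
            if action == "die":
                break  # requisite / [default=die]: fail immediately
    # PAM denies access if no module produced a decision at all
    return (status if status is not None else FAILURE), consulted


# The two auth stacks from the README (account/password/session lines omitted).
SSO_STACK = [
    "auth required pam_env.so",
    "auth requisite pam_faillock.so preauth",
    "auth sufficient pam_exec.so quiet /usr/local/bin/pam_nfc",
    "auth [success=1 default=ignore] pam_unix.so nullok try_first_pass",
    "auth [default=die] pam_faillock.so authfail",
]
MFA_STACK = [
    "auth required pam_env.so",
    "auth requisite pam_faillock.so preauth",
    "auth [success=1 default=ignore] pam_unix.so nullok try_first_pass",
    "auth [default=die] pam_faillock.so authfail",
    "auth required pam_exec.so quiet /usr/local/bin/pam_nfc",
]


def login(stack, password_ok, tag_ok):
    """Simulate one login: pam_unix checks the password, pam_exec runs pam_nfc."""
    results = {
        "pam_unix.so": SUCCESS if password_ok else FAILURE,
        "pam_exec.so": SUCCESS if tag_ok else FAILURE,
    }
    return evaluate(stack, results)


if __name__ == "__main__":
    for name, stack in (("single sign on", SSO_STACK), ("multi factor", MFA_STACK)):
        for password_ok in (True, False):
            for tag_ok in (True, False):
                status, consulted = login(stack, password_ok, tag_ok)
                print(f"{name:15} password_ok={password_ok!s:5} tag_ok={tag_ok!s:5}"
                      f" -> {status:7} via {consulted}")
```

Running it shows the two behaviours the text describes: in the single sign on stack a correct tag returns success before pam_unix is ever consulted (and a missing tag simply falls back to the password), while in the multi factor stack a wrong password is rejected by the pam_faillock line before pam_nfc is even run, and a correct password still fails unless the tag check succeeds too.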