Removable media -> (auth|panic) key

This commit is contained in:
Bandie 2018-03-27 18:45:21 +02:00
parent c6678b5026
commit 11c0da1f9c
Signed by: Bandie
GPG Key ID: C1E133BC65A822DD
4 changed files with 9 additions and 9 deletions


@ -5,9 +5,9 @@
The pam\_panic PAM module shall protect people who have value data on their computer. It provides a panic function.
## How it works
There exist a good and a bad flash drive.
The good flash drive will let you pass to the password prompt.
The bad flash drive will execute a reboot, poweroff and/or erase the luksHeader which will make your luksContainer undecryptable to anyone.
There are two removable media which work as keys: One is the auth key and one is the panic key.
The auth key will let you pass to the password prompt.
The panic key will execute a reboot, poweroff and/or erase the luksHeader which will make your luksContainer undecryptable to anyone.
## Installation
You need gcc or something similar.
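Review bot: the new wording says what the auth key and the panic key do but not how the module decides that a given removable medium is one of them; from the code, a key is recognised by the presence of a configured device path (access(..., F_OK)), not by anything stored on the medium, so "How it works" should say that and steer users to a stable path such as a /dev/disk/by-id symlink rather than /dev/sdX. The retained sentence "erase the luksHeader which will make your luksContainer undecryptable to anyone" also needs the caveat that this holds only if no header backup exists elsewhere (cryptsetup luksHeaderBackup). Minor: the unchanged context line still reads "value data" where "valuable data" is meant.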

Binary file not shown.

Binary file not shown.


@ -22,7 +22,7 @@ LICENSE : GNU-GPLv3
#ifdef POWEROFF
#ifdef CRYPTSETUP
#define ASK "Please enter your secret removable media to decrypt the firewall and access the mainframe. "
#define ASK "Please enter your secret key to decrypt the firewall and access the mainframe. "
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char *argv[])
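Review bot: the new prompt text "Please enter your secret key ..." still reads as a passphrase prompt, and since it is issued with PAM_PROMPT_ECHO_OFF (the pam_prompt call in the next hunk) a user will type something the module never looks at; what the loop actually waits for is a device to be plugged in. Suggest wording such as "Insert your auth key and press Enter." and dropping the firewall/mainframe joke, which gives a user at the console no hint of what is expected. The #define also sits under #ifdef POWEROFF and #ifdef CRYPTSETUP in the context shown; confirm that a build without those options still gets an ASK definition.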
@ -127,28 +127,28 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
free(serious_arg);
// Check if serious device exist
// Check if panic key exist
if(serious && access(serious_dev, F_OK) == -1){
pam_syslog(pamh, LOG_ALERT, "ALERT for argument \"serious\": Device doesn't exist.\n");
return (PAM_IGNORE);
}
// Prompt for removable media
// Prompt for (auth|panic) key
int8_t counter = 0;
while(access(allowed, F_OK) == -1 && access(rejected, F_OK) == -1){
pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &resp, ASK);
if(++counter >= 3){
pam_syslog(pamh, LOG_NOTICE, "Couldn't identify removable media. 3 tries.");
pam_syslog(pamh, LOG_NOTICE, "Couldn't identify any keys. 3 tries.");
return (PAM_MAXTRIES);
}
}
// Allowed removable media? OK!
// Auth key? OK!
if(access(allowed, F_OK) != -1)
return (PAM_SUCCESS);
// Rejected removable media? PANIC!!1
// Panic key? PANIC!!1
if(access(rejected, F_OK) != -1){
if(serious){
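Review bot: the renamed comment "Check if panic key exist" at the top of this hunk is wrong: the check below it tests serious_dev (the argument named "serious" in the log message), while the panic key is the rejected path tested further down, so keep it as "Check if serious device exists". Two behavioural points in the same region: returning PAM_IGNORE when serious_dev is missing makes the module drop out of the stack instead of failing, so depending on the rest of the PAM configuration an unplugged or mistyped serious device lets authentication continue with no key check at all (PAM_AUTH_ERR or PAM_SYSTEM_ERR fail closed); and access() is re-evaluated after the loop, so a key removed between the loop condition and the "Auth key? OK!" test matches neither branch. Evaluate access(allowed, F_OK) and access(rejected, F_OK) once into two flags and branch on those. The resp buffer returned by pam_prompt is also never freed inside the retry loop.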