Bandie/pam_panic
1
0
Fork 0
Code Issues 5 Pull Requests Releases Wiki Activity

Removable media -> (auth|panic) key

Browse Source
This commit is contained in:
Bandie
2018-03-27 18:45:21 +02:00
parent c6678b5026
commit 11c0da1f9c
4 changed files with 9 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@@ -5,9 +5,9 @@
The pam\_panic PAM module shall protect people who have value data on their computer. It provides a panic function. The pam\_panic PAM module shall protect people who have value data on their computer. It provides a panic function.
## How it works ## How it works
There exist a good and a bad flash drive. There are two removable media which work as keys: One is the auth key and one is the panic key.
The good flash drive will let you pass to the password prompt. The auth key will let you pass to the password prompt.
The bad flash drive will execute a reboot, poweroff and/or erase the luksHeader which will make your luksContainer undecryptable to anyone. The panic key will execute a reboot, poweroff and/or erase the luksHeader which will make your luksContainer undecryptable to anyone.
## Installation ## Installation
You need gcc or something similar. You need gcc or something similar.

BIN
man/de/man8/pam_panic.8.gz
View File

Binary file not shown.

BIN
man/man8/pam_panic.8.gz
View File

Binary file not shown.

12
src/pam_panic.c
View File

@@ -22,7 +22,7 @@ LICENSE : GNU-GPLv3
#ifdef POWEROFF #ifdef POWEROFF
#ifdef CRYPTSETUP #ifdef CRYPTSETUP
#define ASK "Please enter your secret removable media to decrypt the firewall and access the mainframe. " #define ASK "Please enter your secret key to decrypt the firewall and access the mainframe. "
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char *argv[]) PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char *argv[])
@@ -127,28 +127,28 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
free(serious_arg); free(serious_arg);
// Check if serious device exist // Check if panic key exist
if(serious && access(serious_dev, F_OK) == -1){ if(serious && access(serious_dev, F_OK) == -1){
pam_syslog(pamh, LOG_ALERT, "ALERT for argument \"serious\": Device doesn't exist.\n"); pam_syslog(pamh, LOG_ALERT, "ALERT for argument \"serious\": Device doesn't exist.\n");
return (PAM_IGNORE); return (PAM_IGNORE);
} }
// Prompt for removable media // Prompt for (auth|panic) key
int8_t counter = 0; int8_t counter = 0;
while(access(allowed, F_OK) == -1 && access(rejected, F_OK) == -1){ while(access(allowed, F_OK) == -1 && access(rejected, F_OK) == -1){
pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &resp, ASK); pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &resp, ASK);
if(++counter >= 3){ if(++counter >= 3){
pam_syslog(pamh, LOG_NOTICE, "Couldn't identify removable media. 3 tries."); pam_syslog(pamh, LOG_NOTICE, "Couldn't identify any keys. 3 tries.");
return (PAM_MAXTRIES); return (PAM_MAXTRIES);
} }
} }
// Allowed removable media? OK! // Auth key? OK!
if(access(allowed, F_OK) != -1) if(access(allowed, F_OK) != -1)
return (PAM_SUCCESS); return (PAM_SUCCESS);
// Rejected removable media? PANIC!!1 // Panic key? PANIC!!1
if(access(rejected, F_OK) != -1){ if(access(rejected, F_OK) != -1){
if(serious){ if(serious){