A PAM module that protects sensitive data and provides a panic function for emergency situations. Authentication through passwords or removable media.
Go to file
Bandie 9e892f2cb1
Merge pull request #45 from Bandie/master
Killing out Roff from the github-linguist statistics
2018-04-13 17:15:14 +02:00
m4 Convert the project to use the GNU Build System (aka Autotools) 2018-04-02 14:44:28 -04:00
src Make auth file readable to users. (Fixes #42) 2018-04-06 10:16:29 +02:00
.gitattributes Roff? Nah. Fix! 2018-04-13 17:09:39 +02:00
.gitignore Gzip man pages by default 2018-04-02 21:20:17 -04:00
.travis.yml Fix Travis-CI (hopefully) 2018-04-02 18:37:20 -04:00
AUTHORS Convert the project to use the GNU Build System (aka Autotools) 2018-04-02 14:44:28 -04:00
ChangeLog Convert the project to use the GNU Build System (aka Autotools) 2018-04-02 14:44:28 -04:00
CODE_OF_CONDUCT.md Create CODE_OF_CONDUCT.md 2018-04-04 03:03:01 +02:00
configure.ac Merge pull request #40 from Bandie/master Closes #38 2018-04-04 02:47:05 +02:00
COPYING Convert the project to use the GNU Build System (aka Autotools) 2018-04-02 14:44:28 -04:00
INSTALL Convert the project to use the GNU Build System (aka Autotools) 2018-04-02 14:44:28 -04:00
Makefile.am Fix problem with PPASSFILE having the literal '${prefix}' prefix 2018-04-02 17:40:56 -04:00
NEWS Convert the project to use the GNU Build System (aka Autotools) 2018-04-02 14:44:28 -04:00
README Convert the project to use the GNU Build System (aka Autotools) 2018-04-02 14:44:28 -04:00
README.md Update README.md 2018-04-08 23:14:07 +02:00

Build Status Codacy Badge

pam_panic

Purpose

pam_panic is a PAM module that protects sensitive data and provides a panic function for emergency situations.

How it works

You can choose from one of two options:

Using two removable media

There are two removable media which work as keys: the auth key and the panic key. The auth key will let you pass to the password prompt whereas the panic key, if provided, will securely erase the LUKS header, rendering the data unreadable.

Using two passwords previous your own password

There are two passwords you are able to set: the key password and the panic password. The key password will let you pass to the original password prompt whereas the panic password, if provided, will securely erase the LUKS header, rendering the data unreadable.

Installation

You will need GCC or similar, as well as the PAM headers. Some distributions package the PAM headers as libpam0g-dev.

To compile and install it, do the following within the project's root directory:

$ [ ! -e ./configure ] && autoreconf -i
$ ./configure
$ make
$ sudo make install

Note: the paths of the reboot, poweroff, and cryptsetup commands are passed to the module at compile-time.

Preparation

If you want to use removable media you'll need two GPT-formatted removable storage devices, and said devices must have at least one partition. Here's an example fdisk session, showing how this might be accomplished:

$ sudo fdisk /dev/sdc

Welcome to fdisk (util-linux 2.31.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.


Command (m for help): g
Created a new GPT disklabel (GUID: AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA).

Command (m for help): n
Partition number (1-128, default 1): 
First sector (2048-15661022, default 2048): 
Last sector, +sectors or +size{K,M,G,T,P} (2048-15661022, default 15661022): 

Created a new partition 1 of type 'Linux filesystem' and of size 7.5 GiB.
Command (m for help): w

You'll find the UUID of your partition in /dev/disk/by-partuuid/. You can find out which device is which typing ls -l /dev/disk/by-partuuid/ in your favourite shell.

Configuration

To configure the module, add the following to the appropriate PAM configuration file(s): (see pam.conf(5) for details on these files)

Using the removable media:

auth       requisite    /usr/local/lib/security/pam_panic.so auth=<UUID> reject=<UUID> reboot serious=<UUID>
account    requisite    /usr/local/lib/security/pam_panic.so

Using the two passwords:

auth       requisite    /usr/local/lib/security/pam_panic.so password reboot serious=<UUID>
account    requisite    /usr/local/lib/security/pam_panic.so

To set your passwords run pam_panic_pw as root in your prefered shell.

More information

See man 8 pam_panic and man 1 pam_panic_pw for more information.

TODO

Addendum

Poisoning memory when issuing a reboot or shutdown

If you want to be sure to have your memory clear of all information when issuing a reboot/shutdown you might want to add the option page_poison=on and slub_debug=P to your kernel command line at boot. For GRUB2 you just append it on your GRUB_CMDLINE_LINUX entry in /etc/default/grub and then issue a rebuild of the GRUB2 config: grub-mkconfig -o /boot/grub/grub.cfg