This is a (very) simple implementation of a Challenge/Response style PAM authentication module that uses a Solitaire deck as a secret. I wrote this in order to learn how to write PAM modules. It's probably hideously insecure, so I don't recommend anyone use it for anything other than having a laugh at it.

Requires pam_python to be useful. You'll need to copy pam_solitaire.py to /lib/security and create the /etc/pam_solitaire directory.

To init a deck, type:

    # python /lib/security/pam_solitaire.py /etc/pam_solitaire/{username}.deck

You'll be prompted for a passphrase with which to order the deck, and a "dummy" challenge/response session. Solving this is purely optional, but you will need to roll your secret deck back to its init state if you do.

Add this to your pam.d/{service}, after whatever auth module you use to validate passwords:

    auth required pam_python.so pam_solitaire.py 10

The number lets you specify the length of the challenge. Longer ones can take a long time to solve by hand, so the default is sensible.

Note that if you are using this with ssh you will need to ensure ChallengeResponse or KbdInteractive auth is enabled in your /etc/ssh/sshd_config.

An example session:

    $ ssh localhost
    Password:
    Challenge: SPLRJOTSXC
    Response: EBEZCFACOY
    Response authenticated.
    Linux manticore 2.6.32-22-generic #36-Ubuntu SMP Thu Jun 3 22:02:19 UTC 2010 i686 GNU/Linux
    Ubuntu 10.04 LTS

Note that the deck state is only written to disk if you answer the challenge correctly. This can make it easier to recover if you screw things up, but might be (even more) insecure.
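The check described above, as an added sketch that is not taken from pam_solitaire.py: it assumes the expected response is the challenge enciphered with the Solitaire keystream of the stored deck, with cards numbered 1..52 and jokers as 53 and 54. The names `next_key`, `respond` and `verify` are hypothetical.

```python
import hmac

JOKER_A, JOKER_B = 53, 54   # assumed encoding: cards 1..52, then the two jokers

def _move_down(deck, joker, steps):
    """Move a joker down; past the bottom it wraps to below the top card."""
    i = deck.index(joker)
    deck.pop(i)
    j = i + steps
    if j > 53:
        j -= 53
    deck.insert(j, joker)

def next_key(deck):
    """Advance the deck in place and return one keystream value (1..52)."""
    while True:
        _move_down(deck, JOKER_A, 1)
        _move_down(deck, JOKER_B, 2)
        a, b = sorted((deck.index(JOKER_A), deck.index(JOKER_B)))
        deck[:] = deck[b + 1:] + deck[a:b + 1] + deck[:a]   # triple cut
        n = min(deck[-1], 53)                               # either joker counts 53
        deck[:] = deck[n:-1] + deck[:n] + deck[-1:]         # count cut
        card = deck[min(deck[0], 53)]
        if card < JOKER_A:                                  # a joker yields no output
            return card

def respond(deck, challenge):
    """Encipher an A-Z challenge with the keystream (assumed response rule)."""
    return "".join(chr((ord(c) - 65 + next_key(deck)) % 26 + 65)
                   for c in challenge)

def verify(deck, challenge, response):
    """Return the advanced deck to persist on success, or None on failure.

    Works on a copy, so a wrong answer leaves the stored deck untouched,
    matching the write-only-on-success behaviour noted above.
    """
    trial = list(deck)
    expected = respond(trial, challenge)
    ok = hmac.compare_digest(expected.encode(), response.upper().encode())
    return trial if ok else None
```

Under this assumption, every failed attempt is answered against the same keystream until a login succeeds, which is the trade-off behind the "(even more) insecure" remark.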