pam_solitaire

This is a (very) simple implementation of a Challenge/Response style PAM authentication module that uses a Solitaire deck as a secret. 
I wrote this in order to learn how to write PAM modules. It's probably hideously insecure, so I don't recommend anyone use it for anything other than having a laugh at it.

Requires pam_python to be useful.

You'll need to copy pam_solitaire.py to /lib/security and create the /etc/pam_solitaire directory.

To init a deck, type:

# python /lib/security/pam_solitaire.py /etc/pam_solitaire/{username}.deck

You'll be prompted for a passphrase with which to order the deck, and then given a "dummy" challenge/response session.
Solving this is purely optional, but you will need to roll your secret deck back to its init state if you do.

Add this to your pam.d/{service}, after whatever auth module you use to validate passwords:
auth       required     pam_python.so pam_solitaire.py 10

The number lets you specify the length of the challenge. Longer ones can take a long time to solve by hand, so the default is sensible.

Note that if you are using this with ssh you will need to ensure ChallengeResponseAuthentication or KbdInteractiveAuthentication is enabled in your /etc/ssh/sshd_config.

An example session:

$ ssh localhost
Password: 
Challenge: SPLRJOTSXC
Response: EBEZCFACOY
Response authenticated.
Linux manticore 2.6.32-22-generic #36-Ubuntu SMP Thu Jun 3 22:02:19 UTC 2010 i686 GNU/Linux
Ubuntu 10.04 LTS

Note that the deck state is only written to disk if you answer the challenge correctly.
This can make it easier to recover if you screw things up, but might be (even more) insecure.
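
The commit-on-success behaviour noted above, as an added Python example that is not taken from pam_solitaire.py. It assumes the response is the challenge shifted letter by letter with the Solitaire keystream from the stored deck (the page does not spell out the rule); the function names are hypothetical and the sample deck is a constructed, unkeyed one.

```python
# Added illustration, not the code of pam_solitaire.py.
import hmac

JOKER_A, JOKER_B = 53, 54          # cards 1..52, then the two jokers


def _move_down(deck, joker, n):
    """Move a joker n places down, wrapping past the bottom to below the top card."""
    i = deck.index(joker)
    deck.pop(i)
    deck.insert((i + n - 1) % 53 + 1, joker)


def keystream_value(deck):
    """Advance the deck in place by one Solitaire round; return a value 1..52."""
    while True:
        _move_down(deck, JOKER_A, 1)
        _move_down(deck, JOKER_B, 2)
        a, b = sorted((deck.index(JOKER_A), deck.index(JOKER_B)))
        deck[:] = deck[b + 1:] + deck[a:b + 1] + deck[:a]    # triple cut
        v = min(deck[-1], 53)                                # jokers count as 53
        deck[:] = deck[v:-1] + deck[:v] + deck[-1:]          # count cut
        card = deck[min(deck[0], 53)]                        # output card
        if card < 53:                                        # a joker gives no output
            return card


def expected_response(deck, challenge):
    """Assumed rule: response = challenge (A-Z) shifted by the keystream."""
    return "".join(chr((ord(c) - 65 + keystream_value(deck)) % 26 + 65)
                   for c in challenge)


def authenticate(stored_deck, challenge, response):
    """Return (ok, deck_to_store); the stored deck advances only on success."""
    trial = list(stored_deck)                                # work on a copy
    want = expected_response(trial, challenge).encode()
    ok = hmac.compare_digest(want, response.strip().upper().encode())
    return ok, (trial if ok else list(stored_deck))


if __name__ == "__main__":
    deck = list(range(1, 55))                                # constructed: unkeyed deck
    print(authenticate(deck, "AAAAAAAAAA", "WRONGGUESS")[0])
    ok, deck = authenticate(deck, "AAAAAAAAAA", "EXKYIZSGEH")
    print(ok, expected_response(list(deck), "AAAAA"))
```

A failed attempt returns the stored deck untouched, so the server and the user's physical deck only move forward together on a correct answer.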

Attachment: pam_solitaire.py (6k), Thomas Cartel, Aug 17, 2010, 5:07 AM