nuvious/pam-duress

How to make it work on arch linux

DusanLesan opened this issue · 14 comments

I have trouble configuring duress on arch linux. First of all I am not even sure if using /etc/pam.d/system-auth is ok since there is no common-auth. The default content of system-auth is:

#%PAM-1.0

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth      [success=2 default=ignore]  pam_systemd_home.so
auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow sha512
password   optional                    pam_permit.so

-session   optional                    pam_systemd_home.so
session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_permit.so

I have tried replacing

-auth      [success=2 default=ignore]  pam_systemd_home.so
auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so

with

-auth      [success=3 default=ignore]  pam_systemd_home.so
auth       [success=2 default=bad]     pam_unix.so          try_first_pass nullok
auth       [success=1 default=ignore]  pam_duress.so
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so

When I run a test with regular password I get:

~ $ sudo pam_test $USER                                                                                                                                             [master]
[sudo] password for dusan:
Credentials accepted.
Not Authenticated

And when I use a pass I've set for a script I just get "sorry, try again" and the pass prompt.

My first guess is that the default=bad is the issue. According to the PAM Admin docs, bad is interpreted that if the module doesn't return a pass result it assumes the module failed and then treats the rest of the stack as failed.

You probably want to try changing pam_unix's configuration line to default=ignore. When pam_unix gets a bad password it will not return a success status and will be "ignored"; it will then pass down to pam_duress, which will go through the standard routine in the README. In any case let me know if the above resolves your issue. Happy to close out this issue with an update to the README for specifics for arch users.
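An added illustration of the control-flag behaviour discussed above, not code from this thread or from pam-duress: a simplified Python model of how Linux-PAM handles the ok, bad, die, ignore and jump actions, run over the five modified auth lines from the issue. The module return values and the names run_auth_stack, modified_stack and attempt are assumptions made for the example.

```python
# Simplified model of Linux-PAM's control actions for an auth stack.
# Illustrative only: module return values below are constructed inputs.
OK, FAIL = "success", "auth_err"

def run_auth_stack(stack, results):
    """Return the stack's final status for one login attempt."""
    status, impression = OK, None      # impression: None, "positive" or "negative"
    i = 0
    while i < len(stack):
        module, control = stack[i]
        ret = results[module]
        action = control.get(ret, control["default"])
        i += 1
        if isinstance(action, int):    # jump: skip N modules, result itself is ignored
            i += action
        elif action == "ok":           # may set the verdict unless a failure is recorded
            if impression is None or (impression == "positive" and status == OK):
                status, impression = ret, "positive"
        elif action in ("bad", "die"): # first failure fixes the verdict
            if impression != "negative":
                status, impression = ret, "negative"
            if action == "die":
                break
        # "ignore": no contribution to the verdict
    if status == OK and impression != "positive":
        status = FAIL                  # nothing vouched for the user
    return status

def modified_stack(unix_default):
    """The five auth lines from the issue, with pam_unix's default as a parameter."""
    return [
        ("pam_systemd_home", {OK: 3, "default": "ignore"}),
        ("pam_unix", {OK: 2, "default": unix_default}),
        ("pam_duress", {OK: 1, "default": "ignore"}),
        ("pam_faillock_authfail", {"default": "die"}),
        ("pam_permit", {OK: "ok", "default": "ignore"}),
    ]

def attempt(unix, duress):
    # Constructed per-module return values for one password entry.
    return {"pam_systemd_home": "user_unknown", "pam_unix": unix,
            "pam_duress": duress, "pam_faillock_authfail": FAIL, "pam_permit": OK}

if __name__ == "__main__":
    for default in ("bad", "ignore"):
        print(default, "duress password ->",
              run_auth_stack(modified_stack(default), attempt(FAIL, OK)))
```

With default=ignore, a wrong non-duress password is no longer failed by pam_unix itself; in this model the rejection comes from the pam_faillock authfail line's default=die.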

The bad to ignore change did help. Now there are new issues.
sudo pam_test $USER
is giving me this when entering duress pass

[sudo] password for dusan:
Credentials accepted.
Not Authenticated

Also login is not working

What next could I try?

I spent the weekend getting my own Arch setup going in a VM. I'll try poking at this more. Can you reply with a current copy of your system-auth? My initial impression of Arch's PAM setup is it's a bit more complex than Debian so this is a good exercise for me to help yah out with.

Hey, got a PR up for your review and implementation to confirm things. I got pam_duress working on my end in an Arch VM but want to confirm with your setup if it's convenient for you. Be sure you have proper permissions on your scripts (chmod -R 500 ~/.duress). Will consider the closure of this PR as the requirements to close out this issue.

PR: #30

Arch README Docs:
https://github.com/nuvious/pam-duress/blob/Issue-29-ArchDocs/docs/ArchLinux.md

Backup of my auth file is:

#%PAM-1.0

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth      [success=2 default=ignore]  pam_systemd_home.so
auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow sha512
password   optional                    pam_permit.so

-session   optional                    pam_systemd_home.so
session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_permit.so

The module works for me when I sign in but I have big issues to do that

  • If I just power up my device and try to use my display manager (ly), the device will not reject my attempt nor login

  • If I power up, switch to some other TTY and try logging in into shell, I will need to wait a minute or two before I get prompted to sign in again (no bad login message). If I try for the second time, I see a prompt about last sign in for a second before I am dropped back into sign in prompt again.

  • The only way I found so far to sign in with duress pass is to enter pass in my display manager on TTY2 and try to sign in, switch to TTY1 and enter pass into shell prompt. After a while, TTY2 will let me in and start the GUI.

I will try it later on fresh VM

I have tried in a VM too but no luck. SSH is logging in without issues though.
My bash history:

sudo pacman -Syu
sudo pacman -S base-devel openssl git neovim
mkdir Downloads
cd Downloads/
git clone https://github.com/nuvious/pam-duress
cd pam-duress/
make
sudo make install
make clean
sudo nvim /etc/pam.d/system-auth     # Here I have copy/pasted lines from the arch doc
mkdir -p ~/.duress
sudo mkdir -p /etc/duress.d
echo 'echo "Hello World"' > ~/.duress/hello.sh
duress_sign ~/.duress/hello.sh
chmod -R 500 ~/.duress
sudo pam_test $USER
reboot

I tried that as well after installing and activating syslog-ng and noticed the following in PAM's debug output:

[image not included]

pam_test may just be non-arch friendly and simpler tests such as ssh localhost may be more effective for now. Did you say you did try that? I considered having you do a su - username but you'd have to edit /etc/su to do that properly as a test.

I have tried to ssh into VM from host without issues. ssh localhost is working as well.
su - dusan is giving me authentication failure message
sudo su - dusan is working

I can try to change anything you want in the VM

No need. The common issue seems to be pam_test but functionally speaking your scripts seem to be executing with ssh or su. I deferred that investigation to Issue #30 to figure out if pam_test is even worth keeping around. If you can make another pass at the open PR for the Arch specific guide at your convenience and let me know if you have any recommendations to the documentation changes. Will still keep this issue open until you've given the doc changes a thumbs up.

I hoped to have login issue fixed before continuing. My use case for duress would be to provide alternative pass during login to fail automatic unlocking of keyrings and cryptsetup

Are you logging in via a gui manager like lightdm or something similar or just logging into the system via terminal login? Are you using Arch proper or a distro like Manjaro?

I am logging in from terminal on the VM with Arch installed with archinstall. I cannot login into it via terminal login. On the host (arch), I can login with big issues like in third point from this post: #29 (comment)

@nuvious I have figured out my issue. Completely my fault.
With alternative pass my encrypted drive failed to open (as expected), but I have not realized that my system is trying to mount a nonexistent device for 1.5 minutes.
Sorry for the inconvenience. This doc is valid and you can merge the related PR.

Thanks again @DusanLesan! Appreciate your interest in the project and got some good documentation out of it.