Skip to content

artpar/authme-pam

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

109 Commits
.vscode
.vscode
 
 
src
src
 
 
.gitignore
.gitignore
 
 
.travis.yml
.travis.yml
 
 
LICENSE.MIT
LICENSE.MIT
 
 
README.md
README.md
 
 
buildPam.sh
buildPam.sh
 
 
buildTest.sh
buildTest.sh
 
 

Repository files navigation

Intro

This PAM modules enabled you to use AuthMe to login your servers and protect them from password breaches.

To build, either use the build scripts or use these commands:

Requirements

curl-dev apt-get install libcurl4-openssl-dev

Build the PAM module

gcc -fPIC -lcurl -fno-stack-protector -c src/authme_pam.c

sudo ld -lcurl -x --shared -o /lib/security/authme_pam.so authme_pam.o

The first command builds the object file in the current directory and the second links it with PAM. Since it's a shared library, PAM can use it on the fly without having to restart.

Build Test

g++ -o pam_test src/authme_pam_test.c -lpam -lpam_misc

OR

gcc -o pam_test src/authme_pam_test.c -lpam -lpam_misc

The test program is valid C, so it could be compiled using gcc or g++.

Simple Usage

PAM module for Linux x64 (tested with ubuntu 14.04/16.04/16.10)

Couple of notes

Domain

The users on the system will me mapped to the domain. So if my linux account username is "user1" and authme pam is configured with domain "gmail.com", then swipe will go to user1@gmail.com

Root User

AuthMe will not proceed for root users. Have explicitly disabled it for username: root

ApiKey/ApiSecret

It is recommended to use new set of api keys for each installation. You can generate any number of keys from Authme

No Swipe/Failure

The flow will go to other auth(password) mechanism if swipe failed.

Steps to Install

  1. Copy authme_pam.so to /lib/security/authme_pam.so (create /lib/security if it doesn't already exists)

scp /lib/security/authme_pam.so root@<YOUR_MACHINE_IP>:/lib/security/authme_pam.so

  1. Enable AuthMe in PAM

nano /etc/pam.d/common-auth

Add this line

auth sufficient authme_pam.so apikey=<API-KEY> apisecret=<API-SECRET> baseurl=https://api.authme.authme.host domain=gmail.com
  1. Enable Challenge Response Authentication for SSH

nano /etc/ssh/sshd_config

Change line

ChallengeResponseAuthentication no

to

ChallengeResponseAuthentication yes

  1. Restart sshd

service ssh restart

Resources

I found these resources especially helpful:

O'Reilly Guides:

These guides give brief overviews about PAM and how to write modules. This is useful if you already have a little knowledge.

Others

Good example for simple authentication. I adapted this one in my simple PAM module.

2-factor authentication & writing PAM modules

Gives an example program that uses PAM. I adapted this for testing my PAM module.

Example PAM application

About

Authme PAM module and test application

authme.io

Topics

linux security authentication pam-module behavioral-profile second-factor

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C 97.6%
  • Shell 2.4%