PAM module. If bad guys force you to unlock, you can use this module to run a command before the unlock by entering "secret" credentials.
The difference from using pam_exec is that all authentication is done internally and authtok is not exposed.
$ make
$ sudo make install
First, before building, you must modify some variables in the source.
Set the user (leave it empty if you do not need to check the user):
$ sed -i -e 's/_USER_/YOUR_USER/' ./src/lib.rs
Then generate the password hash:
$ echo -n "YOUR_PASSWORD" | argon2 "YOUR_SALT" -id -t 1 -m 16 -p 4
$ sed -i -e 's|_HASH_|YOUR_ENCODED_HASH|' ./src/lib.rs
("|" is used as the sed delimiter because the encoded hash can contain "/".)
Now build and install.
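The two substitutions above can be done in one checked step. The following helper is an added example, not part of the project: the function name fill_placeholders and the user-name character restriction are assumptions. It rejects anything that is not an encoded argon2id string, copes with "/" inside the hash, and fails if a placeholder is missing or left behind.

```shell
#!/bin/sh
# Added example (not project code): fill the _USER_ and _HASH_ placeholders.
# Usage: fill_placeholders ./src/lib.rs "YOUR_USER" 'YOUR_ENCODED_HASH'
# Pass the hash in single quotes: it contains "$", which the shell would expand.
fill_placeholders() {
    file=$1 user=$2 hash=$3

    # Expect the encoded form printed by argon2 -id:
    # $argon2id$v=..$m=..,t=..,p=..$<salt, base64>$<hash, base64>
    if ! printf '%s\n' "$hash" | grep -Eq \
        '^\$argon2id\$v=[0-9]+\$m=[0-9]+,t=[0-9]+,p=[0-9]+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$'
    then
        echo "not an encoded argon2id hash" >&2
        return 1
    fi

    # The user may be empty (no user check). Otherwise allow only a
    # conservative character set (assumption of this example) so nothing
    # in it is special to sed.
    case $user in
        *[!A-Za-z0-9._-]*) echo "unexpected character in user name" >&2; return 1 ;;
    esac

    # Both placeholders must still be present in the source file.
    for p in _USER_ _HASH_; do
        grep -q "$p" "$file" || { echo "$p not found in $file" >&2; return 1; }
    done

    tmp=$(mktemp) || return 1
    # "|" as delimiter: the base64 parts of the hash may contain "/" and "+",
    # but never "|", "&" or "\" (guaranteed by the format check above).
    if ! sed -e "s|_USER_|$user|" -e "s|_HASH_|$hash|" "$file" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # Refuse to touch the file if any placeholder survived.
    if grep -Eq '_USER_|_HASH_' "$tmp"; then
        echo "placeholder left in output, $file not modified" >&2
        rm -f "$tmp"
        return 1
    fi

    cat "$tmp" > "$file"   # keeps the original file's mode and owner
    rm -f "$tmp"
}
```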
After that, modify the pam.d config files: add the following line at the beginning of your screen lock configuration file, changing <USER> to your username:
auth sufficient /usr/local/lib/security/pam_party.so /usr/bin/mkdir -p /home/<USER>/Desktop/pam_party_test_dir
Now you can unlock using your "secret" credentials. Note that your-command must exit successfully; otherwise PAM_IGNORE is returned.