Joachim Breitner

pam-dbus: authentication by bubbles

Published 2008-08-08 in sections English, Digital World, Openmoko.

Imagine you have a device, such as a linux phone, that allows login via ssh, e.g. when on a wireless network. You don’t want to set a password with the (limited) phone UI. On the other hand, you don’t want to allow passwordless root logins into your phone. But you do want the ability to login via ssh, after all that’s why you have bought a linux smartphone. This led me to the idea of a pam module and corresponding UI piece that asks the currently logged in user: „Hey, someone tries to login. Is that ok or not?“ This might also be useful for guest accounts on regular laptops. For more on that, see my last blog post.

So I hacked it together (actually twice, due to some unfortunate use of rm at some point), invested most of the time in learning more about the python garbage collector vs. callbacks, explicitly marked global variables and proper automake stuff. In the end I got, well, just what I wanted. A simple pam module, dubbed pam-dbus that sends a request via the dbus system bus and an autostart program (written in python for now, but I might re-implement it in C) that uses notification-daemon to get confirmation from the user.

You are welcome to try the sources and binary debian packages or have a look at the darcs repository for pam-dbus (with debian/ directory, repository browser). This will end up in Debian later, I guess.

Update: Erik Johansson pointed out that if you want to use this with ssh, you need to set UsePAM yes in /etc/ssh/ssd_config.

Comments

Works like a charm thanks..


Quick and dirty Installation
*install debs
*change /etc/pam.d/ssh
remove: @include common-auth
insert: auth required pam_dbus.so
*start "/usr/share/pam_dbus/pam-dbus-notify"

..


Things I wonder about:
0. You still get an password prompt, anyone know how to get rid of that?

1. You have to press "Deny" three times before it gives up. (for obvious reasons)

2- if you add this to sudo, you will be asked "someone tries to log in via sudo as erik", I'm guessing it's impossible to get sudo to report what you want to sudo to.
#1 Erik Johansson am 2008-08-08
Thanks for trying this out.

About 0: It seems I have set UsePAM yes in /etc/ssh/sshd_config, and it would not work without.

About 1: Really? No idea where that might come from.

About 2: Hmm, probably not, at least there is no good reason for sudo to pass that information to pam.
#2 Joachim Breitner (Homepage) am 2008-08-08
I just thought it might have been a good idea to have "PermitEmptyPassword Yes" in sshd_config. That gave me a permit/deny dialog without displaying a password prompt, but if I deny I still get a password prompt.


This happens:
1. ssh localhost
2. -> dbus notification is sent and you can deny or permit
3. deny
4. -> password:
5. just press enter
7. repeat from 2. until you have three password prompts
#3 Erik Johansson am 2008-08-09
Hi,

It works well but does nothing when remote user has his pubkey stored in the localhost.

sshd has
- pubkeyauthentication
- usepam
activated

is there a way to be notified when user connects even with pubkey ?
#4 Pencreach am 2009-01-30
Someone is actually using it? Great! :- )

But I don’t think you can do anything about this, as SSH pubkey authentications bypasses PAM (or at least the PAM auth phase). Maybe one could plug it into the session phase, but that’s somewhat abusive.
#5 Joachim Breitner (Homepage) am 2009-01-30

Have something to say? You can post a comment by sending an e-Mail to me at <mail@joachim-breitner.de>, and I will include it here.