{"id":24757510,"url":"https://github.com/epinter/linux-pam-pinauth","last_synced_at":"2025-11-09T23:04:45.407Z","repository":{"id":273135156,"uuid":"918793367","full_name":"epinter/linux-pam-pinauth","owner":"epinter","description":"PAM configuration for PIN authentication in GDM3 and SUDO","archived":false,"fork":false,"pushed_at":"2025-01-19T18:33:38.000Z","size":5,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-28T15:39:45.812Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/epinter.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-01-18T21:38:22.000Z","updated_at":"2025-01-19T18:33:40.000Z","dependencies_parsed_at":"2025-01-18T23:20:51.701Z","dependency_job_id":"5245c748-1e4e-4418-8fb1-cd8679cde096","html_url":"https://github.com/epinter/linux-pam-pinauth","commit_stats":null,"previous_names":["epinter/linux-pam-pinauth"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epinter%2Flinux-pam-pinauth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epinter%2Flinux-pam-pinauth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epinter%2Flinux-pam-pinauth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/epinter%2Flinux-pam-pinauth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitH
ub/owners/epinter","download_url":"https://codeload.github.com/epinter/linux-pam-pinauth/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245078132,"owners_count":20557279,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-01-28T15:31:31.069Z","updated_at":"2025-11-09T23:04:45.377Z","avatar_url":"https://github.com/epinter.png","language":"Shell","readme":"# PAM configuration for PIN authentication in GDM3 and SUDO\n\nUse a PIN or a short password for sudo and the gnome-shell lock screen (gdm3)\nwhile you still use your normal password for login. This project uses files from Debian,\nbut the changes can be adapted to work with other distributions.\n\n***Use at your own risk.***\n\n### Requirements\n\n- openssl or mkpasswd for password generation\n- libpam-script\n- libpam-pwdfile\n\n## About the packages\n\n### libpam-script\n\nThis library invokes shell scripts to control PAM behaviour. Debian and Ubuntu have an old bug: after libpam-script is installed, every time you try to change a user password, even as root, you will be prompted for the current password. It's highly recommended to ***disable*** the default libpam-script configuration generated by the package.\n\nTo disable libpam-script and avoid the bug, execute `pam-auth-update` and disable `Support for authentication by external scripts`. 
This will remove the configuration that causes the problems, but you will still be able to use the module by adding custom PAM configuration.\n\n### libpam-pwdfile\n\nThis library permits authentication using an arbitrary file similar to passwd. To use it, simply add a line to a PAM config file.\n\n## Generate password file\n\nCreate the file with your PIN or short password:\n\n```\nsudo sh -c 'umask 027; echo -New Password:;echo '${USER}':`openssl passwd -6` \u003e /etc/pinpwd; chmod 640 /etc/pinpwd'\n```\n\nAfter this command the file /etc/pinpwd should have the format 'user:password', something like this:\n\n\u003e user:$6$xxxxxxxxx\n\n*The file should have mode 0640 and be owned by root:root.*\n\n## Copy the pam config\n\nCopy [pam/etc/pam.d/common-pinpwd](pam/etc/pam.d/common-pinpwd) to `/etc/pam.d/common-pinpwd`.\n\nThe file:\n\n\u003e /etc/pam.d/common-pinpwd\n\nShould have the content:\n\n```\nauth    sufficient  pam_pwdfile.so  pwdfile=/etc/pinpwd\n```\n\n## Copy the pam script\nCopy [scripts/pam/etc/pam.d/scripts/is-session-locked/pam_script_auth](scripts/pam/etc/pam.d/scripts/is-session-locked/pam_script_auth) to `/etc/pam.d/scripts/is-session-locked/pam_script_auth`.\n\n## Changes\n\nEdit the PAM config files. You can see the diffs below, ***+ when the line is added, - when the line is removed***.\n\nSee [examples](examples) for the whole files, from Debian.\n\n### SUDO\n\nSudo uses two PAM config files, sudo and sudo-i. 
Below are the changes (in diff format):\n\nThe file:\n\n\u003e /etc/pam.d/sudo\n\n\nShould be edited:\n\n```\n--- sudo.debiantrixie.orig\t2025-01-18 16:21:43.903519337 -0300\n+++ sudo\t2025-01-18 17:57:03.003824770 -0300\n@@ -3,6 +3,7 @@\n # Set up user limits from /etc/security/limits.conf.\n session    required   pam_limits.so\n\n+@include common-pinpwd\n @include common-auth\n @include common-account\n @include common-session-noninteractive\n```\n\n\u003cbr/\u003e\n\nThe file:\n\n\u003e /etc/pam.d/sudo-i\n\nShould be edited:\n\n```\n--- sudo-i.debiantrixie.orig\t2025-01-18 16:21:52.471519795 -0300\n+++ sudo-i\t2025-01-18 17:57:03.003824770 -0300\n@@ -3,6 +3,7 @@\n # Set up user limits from /etc/security/limits.conf.\n session    required   pam_limits.so\n\n+@include common-pinpwd\n @include common-auth\n @include common-account\n @include common-session\n```\n\n### GDM3\n\nThe control value \"[success=ignore default=1]\" tells PAM to ignore the result of pam_script when deciding the authentication outcome; the module is used only to choose which line runs next. If pam_script returns an error (session not locked, login screen), default=1 skips the next line (the included common-pinpwd file) and PAM goes directly to common-auth. If the session is locked, PAM continues to the next line (pam_pwdfile.so).\n\nThe file:\n\n\u003e /etc/pam.d/gdm-password\n\nShould be edited:\n\n```\n--- gdm-password.debiantrixie.orig\t2025-01-18 16:21:35.803518905 -0300\n+++ gdm-password\t2025-01-18 17:56:59.527824585 -0300\n@@ -1,6 +1,8 @@\n #%PAM-1.0\n auth    requisite       pam_nologin.so\n auth\trequired\tpam_succeed_if.so user != root quiet_success\n+auth    [success=ignore default=1]  pam_script.so dir=/etc/pam.d/scripts/is-session-locked\n+@include common-pinpwd\n @include common-auth\n auth    optional        pam_gnome_keyring.so\n @include common-account\n```\n\n### Optional: clear sudo credentials cache when the screen locks\n\nThe script [scripts/home/bin/gdbus_monitor.sh](scripts/home/bin/gdbus_monitor.sh) clears the sudo cache when the user locks the screen. It should start on login and keep running to 
monitor the lock screen event. Copy [scripts/home/bin/gdbus_monitor.sh](scripts/home/bin/gdbus_monitor.sh) to `~/bin/gdbus_monitor.sh`, and [scripts/home/.config/autostart/gdbus-monitor.desktop](scripts/home/.config/autostart/gdbus-monitor.desktop) to `~/.config/autostart/gdbus-monitor.desktop`.","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fepinter%2Flinux-pam-pinauth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fepinter%2Flinux-pam-pinauth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fepinter%2Flinux-pam-pinauth/lists"}