{"id":13508288,"url":"https://github.com/skx/pam_pwnd","last_synced_at":"2025-04-17T06:31:02.197Z","repository":{"id":150430365,"uuid":"149074958","full_name":"skx/pam_pwnd","owner":"skx","description":"A PAM module to test passwords against previous leaks at haveibeenpwned.com","archived":true,"fork":false,"pushed_at":"2019-08-25T07:33:34.000Z","size":33,"stargazers_count":34,"open_issues_count":2,"forks_count":3,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-02-26T13:46:33.851Z","etag":null,"topics":["haveibeenpwned","linux","pam","pam-module","security","ssh","sudo"],"latest_commit_sha":null,"homepage":"https://blog.steve.fi/tags/haveibeenpwned/","language":"C","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/skx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-09-17T05:48:38.000Z","updated_at":"2025-02-20T10:09:55.000Z","dependencies_parsed_at":"2023-04-24T17:25:46.814Z","dependency_job_id":null,"html_url":"https://github.com/skx/pam_pwnd","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skx%2Fpam_pwnd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skx%2Fpam_pwnd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skx%2Fpam_pwnd/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/skx%2Fpam_pwnd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/skx","download_url":"https://codeload.github.com/skx/pam
_pwnd/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249319594,"owners_count":21250578,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["haveibeenpwned","linux","pam","pam-module","security","ssh","sudo"],"created_at":"2024-08-01T02:00:50.891Z","updated_at":"2025-04-17T06:31:01.903Z","avatar_url":"https://github.com/skx.png","language":"C","funding_links":[],"categories":["C","security"],"sub_categories":[],"readme":"[![license](https://img.shields.io/github/license/skx/pam_pwnd.svg)](https://github.com/skx/pam_pwnd/blob/master/LICENSE)\n[![Release](https://img.shields.io/github/release/skx/pam_pwnd.svg)](https://github.com/skx/pam_pwnd/releases/latest)\n\n# pam_pwnd\n\nThis repository contains a simple PAM module for testing whether a\npassword being used for authentication has been listed in the\n[have I been pwned](https://haveibeenpwned.com/) database.\n\nNote that in the documentation here we focus upon ensuring that a password used for `sudo` has not been compromised, but PAM-modules can be used for many purposes, from handling SSH-access, to permitting HTTP-based authentication.  There is nothing `sudo`-specific about our code so this module can be useful in many contexts.\n\n\n## Sponsorship\n\nThe development of this module was sponsored by three individuals who made charitable donations.  (Anonymous primarily because I didn't ask for permission to name them publicly.)\n\nIf you wish to \"sponsor this\" software, and be listed here, just [email me](https://steve.kemp.fi/) a receipt of your donation.  
I support the [RNLI](https://en.wikipedia.org/wiki/Royal_National_Lifeboat_Institution), but feel free to pick whatever charity you wish.\n\nThe code is released under the [BSD-license](LICENSE) so you can fork it, improve it, use it, and enjoy it!  Feel free to report bugs, or feature-suggestions on the [issue-page](https://github.com/skx/pam_pwnd/issues).\n\n\n\n## Compilation\n\nThese are the dependencies I expect you would need for compiling the project:\n\n* For fetching a remote URI we use `libcurl`:\n  * `apt-get install libcurl4-gnutls-dev`\n* For compiling PAM modules you'll need the appropriate development package:\n  * `apt-get install libpam0g-dev`\n\nAssuming you have the dependencies installed then compilation should only require a simple `make`:\n\n    $ make\n    gcc -fPIC -c pam_pwnd.c -lpam -lpam_misc -lpamc\n    gcc -fPIC -c pwn_chk.c  -lcurl\n    gcc -fPIC -c sha1.c\n    ld -x --shared -o pam_pwnd.so pam_pwnd.o pwn_chk.o sha1.o -lcurl -lpam -lpam_misc -lpamc\n\nFor completeness you can also run the basic test-cases included in the repository, but note that to do that you will require network-access:\n\n    $ make test\n    ./pam_test\n    ..\n\n(This might be an issue if you run the tests as part of a build-process upon a CI/CD system which doesn't permit outgoing network access.)\n\n\n\n## Installation \u0026 Configuration\n\n\nOnce you have compiled the code you should copy the resulting file `pam_pwnd.so` to the appropriate PAM-directory upon your system.  In my case that means running this command:\n\n    sudo install pam_pwnd.so  /lib/x86_64-linux-gnu/security/\n\nThe final step is to enable the module, by editing the appropriate PAM configuration file.\n\nIn my case I'm using SSH keys for authentication, and I'm only concerned with ensuring that no known-bad passwords are used with `sudo`.  
I append the following line to `/etc/pamd.d/sudo`:\n\n    auth   required   pam_pwnd.so  try_first_pass\n\nThe complete file, on an Ubuntu system, might then look like this:\n\n      #%PAM-1.0\n      session    required   pam_env.so readenv=1 user_readenv=0\n      session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0\n      @include common-auth\n      @include common-account\n      @include common-session-noninteractive\n      auth   required   pam_pwnd.so  try_first_pass\n\nUpon the \"stretch\" release of Debian GNU/Linux the file has these contents:\n\n      #%PAM-1.0\n\n      @include common-auth\n      @include common-account\n      @include common-session-noninteractive\n      auth   required   pam_pwnd.so  try_first_pass\n\nRegardless of what your file looks like, once you've added the reference to `pam_pwnd.so`, you should then be ready to test the module hasn't broken your system by reseting the `sudo` cache, and re-authenticating:\n\n     frodo ~ $ sudo -k\n     frodo ~ $ sudo su -\n     [sudo] password for skx:\n     root@frodo:~#\n\nAssuming nothing is broken you should:\n\n* Be prompted for your password.\n  * Only once.\n* Receive your root-prompt.\n* See the results of the module logged to syslog.\n\nIf things are horribly broken, such that you get segfaults or failures from _this_ module then you will probably be unable to run `sudo` to fix them, so for the duration of any installation you should ensure you have an open terminal/connection with `root` privileges.\n\nThe module will log its results to syslog, search for `pam_pwnd` to see them.\n\n\n\n## Security Notes\n\nThe code makes a single outgoing HTTP-request for each authentication\nrequest:\n\n* The outgoing request contains the first five characters of your __hashed__ password.\n   * i.e. 
If your password is \"secret\" it is first hashed to `e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4`.\n   * Then an outgoing request is made with the characters `e5e9f`.\n\nIf the API-lookup request fails then we default to failing-open, allowing the authentication to proceed.   (We assume other modules will actually validate the password, if we allowed a failure to invoke the API we'd deny all PAM-based operations in the event your DNS, networking, or similar things were broken.)\n\nThere are zero memory allocations in this module, which should ensure that we don't leak anything.  Instead we generate a single temporary file to hold the results of our HTTP-response, and that temporary file is cleaned up after use.\n\n\n## Testing Notes\n\nThere is a simple test-driver included in this project which exercises some of\nthe code; it is not designed to be a complete test-case, nor to perform exhaustive testing.\n\nIf you're planning to submit pull-requests that change the code you should ensure the tests pass even with your additions:\n\n    $ make test\n\n\n## Feedback\n\nBug reports welcome.\n\n\nSteve\n--\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fskx%2Fpam_pwnd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fskx%2Fpam_pwnd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fskx%2Fpam_pwnd/lists"}