{"id":17667850,"url":"https://github.com/tozu/ba-2fa-linux-pam","last_synced_at":"2025-03-30T13:14:20.514Z","repository":{"id":138015967,"uuid":"162439022","full_name":"tozu/ba-2fa-linux-pam","owner":"tozu","description":"This Linux PAM is part of my bachelor thesis and adds an additional authentication factor to a login scheme (e.g. OS login)","archived":false,"fork":false,"pushed_at":"2018-12-20T14:47:12.000Z","size":9,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-02-05T14:48:12.540Z","etag":null,"topics":["authentication","bachelor-thesis","bluetooth","pam-authentication","pam-module"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tozu.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-12-19T13:09:47.000Z","updated_at":"2018-12-20T14:51:19.000Z","dependencies_parsed_at":null,"dependency_job_id":"4105412c-7d7f-4bf7-936b-f52be80e85c7","html_url":"https://github.com/tozu/ba-2fa-linux-pam","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tozu%2Fba-2fa-linux-pam","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tozu%2Fba-2fa-linux-pam/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tozu%2Fba-2fa-linux-pam/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tozu%2Fba-2fa-linu
x-pam/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tozu","download_url":"https://codeload.github.com/tozu/ba-2fa-linux-pam/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246320200,"owners_count":20758410,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","bachelor-thesis","bluetooth","pam-authentication","pam-module"],"created_at":"2024-10-23T22:42:25.965Z","updated_at":"2025-03-30T13:14:20.494Z","avatar_url":"https://github.com/tozu.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 2FA BT Linux PAM client\n\nThis Linux PAM (abbreviation for **p**luggable **a**uthentication **m**odule) is part of my bachelor thesis (available [here](https://example.com)).\n\nWhen in use, this PAM may extend an authentication scheme by adding an additional authentication factor ('something you have') by requesting a (previously configured) known Bluetooth device. The Bluetooth device must be proximate to the system running the [daemon](https://github.com/tozu/ba-2fa-daemon/) that queries for the mentioned device. Depending on the _security level_, further information, such as a one-time password (OTP) or HMAC keyword, must be submitted as well.\n\n## Installation\n\n### Requirements\n\nHave the following packages installed (e.g. via aptitude):\n\n    apt install gcc             // (or 'apt install build-essential' - GNU C Compiler)\n    apt install libcurl3-dev    // (cURL with OpenSSL)\n\n### Build PAM\n\n  1. 
Clone repository\n\n    git clone https://github.com/tozu/ba-2fa-linux-pam.git\n\n  2. Change into directory\n\n    user@system:~$ cd ba-2fa-linux-pam/\n\n  3. Adjust installation path of PAM in makefile (optional)\n\n    user@system:~$ nano makefile\n    ...\n    PAM_DST ?= /lib/security/pam-bt.so    (/lib/security/ is Debian default)\n\n  4. Build PAM\n\n    user@system:~$ make\n    user@system:~$ make install\n\n### Installation\n\nIn order to use the 2FA BT Linux PAM, you have to modify the config file for the selected application in **/etc/pam.d/** (default location on Debian-based distributions).\n\nTo add an additional authentication factor to the Linux login scheme, you have to edit _common-auth_.\n\nThe general structure of PAM config files is the following:\n\n    type      control-flag      module-path     module-arguments\n\nThese are the available PAM _types_:\n\n    type            definition\n    --------------------------------------------------------------------------------\n    auth            Module determines if the user is allowed to access the service,\n                    if their password has expired, etc. E.g. 
requests or validates\n                    a password.\n                    \n    account         Module verifies that the access of the user is allowed and who\n                    they claim to be, by a password or using biometrics.\n    \n    session         Module configures and manages user sessions, but it can also\n                    perform additional tasks that are needed to allow access.\n    \n    password        Module is used to change user passwords.\n\n\nThese are the available _control-flags_:\n\n    control-flag    definition\n    --------------------------------------------------------------------------------\n    required        If the module fails, PAM immediately returns a failure result\n                    to the application; no further modules in the stack are\n                    called.\n                    \n    requisite       If the module fails, PAM returns a failure result to the appli-\n                    cation but it will continue to call the next module in the\n                    stack.\n\n    sufficient      If the module succeeds, PAM returns a 'pass' result to the ap-\n                    plication and no further modules in the stack are called.\n\n    optional        The pass/fail result of the module is ignored, which generally\n                    means that the module is being called to perform some operation,\n                    rather than participating in the pass/fail decision for the\n                    stack.\n\nThe _module-path_ is the location of the PAM (Debian default: /lib/security/).\n\nThe necessary _module-arguments_ of the 2FA Linux PAM client that have to be supplied are the following:\n\n    {1} daemon-certificate\n    {2} ip address : port\n    {3} security level\n    {4} HMAC keyword (optional)\n\n\nA valid configuration example for the 2FA BT Linux PAM is:\n\n    (type)  (control-flag)  (module-path)               (module-arguments)\n     auth    required       /lib/security/bt-pam.so     
/cert/daemon-cert.pem 192.168.1.254:3456 2\n\nThe configuration depicted above would extend the **auth**entication scheme\nof an application (depending on which PAM config file in _/etc/pam.d/_ it has been added to), using the 2FA BT Linux PAM **bt-pam.so**, located at **/lib/security/**.\n\nThis means that if, for example, this line has been added to **common-auth**, the OS login would only succeed when **1st** the correct Bluetooth device is present/proximate and **2nd** the correct one-time password (OTP) is submitted (to the daemon). This action is **required**; otherwise access is not granted.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftozu%2Fba-2fa-linux-pam","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftozu%2Fba-2fa-linux-pam","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftozu%2Fba-2fa-linux-pam/lists"}