https://github.com/nuvious/pam-duress

nuvious / pam-duress

A Pluggable Authentication Module (PAM) which allows the establishment of alternate passwords that can be used to perform actions to clear sensitive data, notify IT/Security staff, close off sensitive network connections, etc. if a user is coerced into giving a threat actor a password.

LGPL-3.0 License. 243 stars, 5 forks.
Latest commit b117da7 (Aug 21, 2021) by @nuvious: Did some linting and made some more adjustments to README.md

## Intro

PAM Duress is a module designed to allow users to generate 'duress' passwords that, when used in place of their normal password, will execute arbitrary scripts. This functionality could be used to allow someone pressed to give a password under coercion to provide a password that grants access but in the background runs scripts to clean up sensitive data, close connections to other networks to limit lateral movement, and/or send off a notification or alert (potentially one with detailed information like location, visible wifi hotspots, a picture from the camera, a link to a stream from the microphone, etc.).
You could even spawn a process to remove the pam_duress module so the threat actor won't be able to see if the duress module was available. This is transparent to the person coercing the password from the user, as the duress password will grant authentication and drop to the user's shell.

Duress scripts can be generated on an individual user basis or generated globally. Users can also re-use global duress passwords to sign their own duress scripts (a rare instance where this could actually be useful from a security perspective).

Contributions to this project are more than welcome; refer to our guidance on making contributions here.

## Requirements

```sh
# Ubuntu/Debian dependencies
sudo apt-get install build-essential libpam0g-dev libssl-dev
```

## Build

```sh
make
sudo make install
make clean
# make uninstall
```

## Configuration

Configuration of the duress module is split into two different configuration directories. After installation, you'll need to manually create both of them.

```sh
mkdir -p ~/.duress     # Local duress scripts/binaries.
mkdir -p /etc/duress.d # Global duress scripts/binaries.
```

After creating the directories you can create scripts, compile binaries, etc. and put them in these directories. To assign a password that executes a particular script, use `duress_sign` to create a combined password hash and integrity hash for the script.

```
$> duress_sign ~/.duress/delete_workspace.sh
Password:
Confirm:
Reading /home/user/.duress/delete_workspace.sh, 33... Done
6B8B621EFB8050B83AAC734D56BF9165DC55D709CBAD530C6241E8A352587B3F
$> chmod -R 500 ~/.duress
$> ls -al ~/.duress/
drwxr-xr-x 2 user user 4096 Aug 20 15:15 .
drwxr-xr-x 8 user user 4096 Aug 20 15:11 ..
-r-x------ 1 user user   33 Aug 20 15:11 delete_workspace.sh
-r-x------ 1 user user   32 Aug 20 21:49 delete_workspace.sh.sha256
```

NOTE: Scripts will only execute with permission masks of 500, 540, 550, 700 or 750.

NOTE: User-generated duress scripts are only run when that user attempts to log in AND uses a duress password that one of their scripts is signed with. If user Jill signs her scripts with the same password as a global script, then when she uses it the global scripts will run, followed by Jill's duress scripts, but Bob, Jane, or Dan's scripts will not be run even if they also signed their own scripts with that same duress password.

## PAM Configuration

Modify /etc/pam.d/common-auth from the following defaults:

```
auth [success=1 default=ignore] pam_unix.so
auth requisite pam_deny.so
```

to the below:

```
# Example /etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so
auth [success=1 default=ignore] pam_duress.so
auth requisite pam_deny.so
```

## Order of Operations: Normal Password

* User enters their standard username and password.
* pam_unix.so confirms them and returns PAM_SUCCESS; the `success=2` action then skips the next two modules (pam_duress.so and pam_deny.so).

## Order of Operations: Duress Password

* pam_unix.so first checks the standard username and password, but since the duress password is not the user's actual password it fails, resulting in the default behaviour of 'ignore' per the configuration.
* PAM then applies the username/password to pam_duress.so, which:
  * Enumerates files in /etc/duress.d/
  * Checks for files that have matching .sha256 extensions
  * Hashes the provided password salted with the sha256 hash of the file and compares it with the one stored in the .sha256 extension file
  * If the hashes match, the script is executed via:
    * `export PAMUSER=[USERNAME]; /bin/sh [FILE]`
    * NOTE: PAMUSER is set so global duress scripts can identify the account flagging duress.
  * The process is repeated for all files in ~/.duress/ for the user attempting to log in.
  * Finally, if ANY script is run, PAM_SUCCESS is returned. Otherwise PAM_IGNORE is returned.
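The signing and matching steps described above, as an added Python emulation (example code, not the project's C implementation): the salt is the SHA-256 of the script, the stored value is sha256(salt || password) written as a raw 32-byte `.sha256` file (32 bytes matches the listing above, but the concatenation order and file layout are assumptions), the 500/540/550/700/750 permission masks are enforced, each match is run as `/bin/sh FILE` with `PAMUSER` set, and the result is PAM_SUCCESS or PAM_IGNORE. `demo()` builds a constructed `hello.sh` in a temporary directory and exercises the duress password, a non-matching password, a world-readable mode and a tampered script.

```python
import hashlib
import hmac
import os
import stat
import subprocess
import tempfile

# Permission masks the README allows a duress script to carry: owner r-x or rwx,
# optionally group r or r-x, never anything for "other".
ALLOWED_MODES = {0o500, 0o540, 0o550, 0o700, 0o750}


def file_digest(path):
    """SHA-256 of the script bytes; used both as the salt and as the integrity check."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).digest()


def password_hash(password, salt):
    """sha256(salt || password). Concatenation order is an assumption, not the project's layout."""
    return hashlib.sha256(salt + password.encode()).digest()


def sign_script(path, password):
    """Emulates duress_sign: store the combined hash as a raw 32-byte <script>.sha256 file."""
    stored = password_hash(password, file_digest(path))
    with open(path + ".sha256", "wb") as f:
        f.write(stored)
    return stored.hex().upper()  # what duress_sign prints (assumed format)


def mode_allowed(path):
    return stat.S_IMODE(os.stat(path).st_mode) in ALLOWED_MODES


def matching_scripts(directory, password):
    """Scripts whose .sha256 matches (password, current contents) and whose mode is permitted."""
    matches = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".sha256"):
            continue
        script = os.path.join(directory, name[: -len(".sha256")])
        if not os.path.isfile(script) or not mode_allowed(script):
            continue
        with open(os.path.join(directory, name), "rb") as f:
            stored = f.read()
        # Re-deriving the salt from the file means an edited script fails verification too.
        if hmac.compare_digest(stored, password_hash(password, file_digest(script))):
            matches.append(script)
    return matches


def run_duress(directory, password, pamuser):
    """Run each match as `PAMUSER=<user> /bin/sh <file>`; return (PAM result, script outputs)."""
    outputs = []
    env = dict(os.environ, PAMUSER=pamuser)
    for script in matching_scripts(directory, password):
        proc = subprocess.run(["/bin/sh", script], env=env, capture_output=True, text=True)
        outputs.append(proc.stdout.strip())
    return ("PAM_SUCCESS" if outputs else "PAM_IGNORE"), outputs


def demo():
    """Constructed walk-through in a temporary stand-in for ~/.duress; returns the observations."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "hello.sh")
        with open(script, "w") as f:
            f.write('echo "Hello $PAMUSER"\n')
        results["signature"] = sign_script(script, "duress-pass")  # constructed duress password
        os.chmod(script, 0o500)
        os.chmod(script + ".sha256", 0o400)

        results["duress"] = run_duress(d, "duress-pass", "jill")
        results["normal"] = run_duress(d, "real-pass", "jill")  # no match: module would ignore

        os.chmod(script, 0o755)  # world-readable: refused before any hash comparison
        results["bad_mode"] = run_duress(d, "duress-pass", "jill")

        os.chmod(script, 0o700)  # still an allowed mode; now alter the contents
        with open(script, "a") as f:
            f.write("echo tampered\n")
        results["tampered"] = run_duress(d, "duress-pass", "jill")
    return results


if __name__ == "__main__":
    for case, value in demo().items():
        print(f"{case:10s} {value}")
```

Because the salt is derived from the script contents at verification time, the single `.sha256` file binds the password to one exact version of the script: anyone who can edit the script without re-running `duress_sign` (or who cannot, because of the 500-style modes) simply causes the match to fail, and the module falls through to PAM_IGNORE.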
* If PAM_SUCCESS is returned, PAM will skip 1 (past pam_deny.so) and continue processing the remaining PAM modules, eventually dropping to an authenticated shell. Otherwise the default 'ignore' behaviour is honoured, moving on to pam_deny.so and resulting in a failed authentication.

Simple Flow Diagram

## Testing

It is easy to do a quick test to ensure the duress module is working properly.

```
$> mkdir -p ~/.duress
$> echo 'echo "Hello World"' > ~/.duress/hello.sh
$> duress_sign ~/.duress/hello.sh
Password:          # Enter a duress password that is NOT your actual password.
Confirm:
$> chmod 500 ~/.duress/hello.sh
$> chmod 400 ~/.duress/hello.sh.sha256
$> sudo pam_test $USER
Credentials accepted.
Password:          # Enter the password you signed the hello.sh script with.
Hello World        # This output is from the duress script...
Account is valid.  # ...and we still got a valid authentication.
Authenticated
$> sudo pam_test $USER
Credentials accepted.
Password:          # Now enter your actual password.
Account is valid.  # Note, Hello World doesn't print.
Authenticated
```

## Example Implementations

* Use Pushover to Notify IT You're Under Duress
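To see why the README changes `success=1` to `success=2` on the pam_unix line when the duress module is inserted, here is an added, deliberately simplified evaluator of the pam.d control syntax (example code, not libpam and not part of the project). It parses the three `common-auth` lines above, models the `[success=N default=ignore]` jump and `requisite` semantics, and substitutes constructed results for pam_unix (real password) and pam_duress (duress password). It also evaluates a constructed variant in which the jump count was left at `success=1`: the real password then lands on `pam_deny.so` and is refused, which is the mistake a quick `pam_test` run with the real password would catch.

```python
import re

# The /etc/pam.d/common-auth lines from the README (with pam_duress spelled as a .so).
COMMON_AUTH = """
# Example /etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so
auth [success=1 default=ignore] pam_duress.so
auth requisite pam_deny.so
"""

# Constructed misconfiguration: the module was added but pam_unix's jump count was not updated.
STALE_JUMP_AUTH = COMMON_AUTH.replace("success=2", "success=1")

# Constructed credentials standing in for the real account password and a signed duress password.
REAL_PASSWORD = "correct horse"
DURESS_PASSWORD = "battery staple"


def pam_unix(password):
    return "success" if password == REAL_PASSWORD else "auth_err"


def pam_duress(password):
    # The README's module returns success only if at least one signed script matched and ran,
    # and ignore otherwise; the username-specific ~/.duress lookup is not modelled here.
    return "success" if password == DURESS_PASSWORD else "ignore"


def pam_deny(password):
    return "auth_err"


MODULES = {"pam_unix.so": pam_unix, "pam_duress.so": pam_duress, "pam_deny.so": pam_deny}

LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)$")


def parse_stack(text):
    """Turn pam.d 'auth' lines into (actions, module) pairs; only the controls used above are modelled."""
    stack = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line}")
        control, module = m.groups()
        if control.startswith("["):
            actions = dict(kv.split("=") for kv in control[1:-1].split())
        elif control == "requisite":
            actions = {"success": "ok", "default": "die"}  # failure stops the stack immediately
        else:
            raise ValueError(f"control flag not modelled: {control}")
        stack.append((actions, module))
    return stack


def run_auth(stack_text, password):
    """Simplified stack walk: returns (final result, trace of 'module:result' entries consulted)."""
    stack = parse_stack(stack_text)
    trace, i, succeeded = [], 0, False
    while i < len(stack):
        actions, module = stack[i]
        result = MODULES[module](password)
        trace.append(f"{module}:{result}")
        action = actions.get(result, actions["default"])
        if action == "die":
            return "PAM_AUTH_ERR", trace
        if action.isdigit():  # success=N: record the success and jump over the next N modules
            succeeded = True
            i += int(action) + 1
            continue
        if action == "ok":
            succeeded = True
        i += 1  # "ignore" (and "ok") fall through to the next module
    # A stack that produced no success at all is a failure in real PAM as well.
    return ("PAM_SUCCESS" if succeeded else "PAM_AUTH_ERR"), trace


if __name__ == "__main__":
    for label, stack in (("README stack", COMMON_AUTH), ("stale jump", STALE_JUMP_AUTH)):
        for pw in (REAL_PASSWORD, DURESS_PASSWORD, "wrong"):
            print(label, repr(pw), run_auth(stack, pw))
```

The trace makes the two paths from the Order of Operations sections visible: the real password touches only pam_unix, the duress password passes through pam_unix's ignore into pam_duress, and anything else reaches the requisite pam_deny. With the stale `success=1`, the real password's jump skips pam_duress and stops on pam_deny, so only the duress password still authenticates.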