This is a PAM module that presents the user with a QR code to scan to authenticate rather than entering a password. This is part of my honours project for my 4th year of Computer Science at the University of Strathclyde Glasgow.
Logging in as the root user through pam-qr is not allowed yet, as the module is in alpha and possibly insecure.
A pre-compiled binary, pam-qr.so, for Ubuntu 20.04 is available in the latest release on GitHub.
Build dependencies (Ubuntu package names):
- make
- gcc
- libpam0g-dev
- libcurl4-openssl-dev
- libjson-c-dev
- libqrencode-dev

Runtime dependencies (Ubuntu package names):
- libpam0g
- libcurl4
- libjson-c4
- libqrencode4

- Install build dependencies (Ubuntu package names listed above).
- Download source code from releases or clone repo for latest dev version.
- If downloaded from releases, extract the compressed file.
- cd into the `pam-qr` folder.
- Run `make pam_qr` to build.
- The compiled binary will be in the `lib` folder.

- Install runtime dependencies.
- Copy the compiled binary from the `lib` folder to your distro's PAM module folder. In Ubuntu this is `/lib/x86_64-linux-gnu/security/`.
- cd into that directory.
- Change the owner and group owner of the file to root with `sudo chown root pam_qr.so` and `sudo chgrp root pam_qr.so`.
- Change the permissions to read & write for the owner and read for the group and everyone else with `sudo chmod 644 pam_qr.so`.

To get the computer ID to use in the PAM config, add the computer to the auth-server. It will return the ID you need to use.
- Open sshd_config (`/etc/ssh/sshd_config` in Ubuntu).
- Set `PasswordAuthentication no`.
- Set `ChallengeResponseAuthentication yes`.
- Set `UsePAM yes`.
- Save and exit sshd_config.
- Open the sshd PAM config (`/etc/pam.d/sshd` in Ubuntu).
- Add pam-qr to the PAM chain by adding the following line above the standard Un*x authentication include: `auth sufficient pam_qr.so <computer id> <auth-server URL>`, substituting in the computer ID which identifies it to the auth server and the URL (including http:// or https://) of the auth server.
- Save and exit the config file.
- Restart sshd with `sudo systemctl restart sshd` for systems using systemd.
- Add user accounts for those who will have authorisation to log on to the computer.
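
The settings from the steps above can be checked after the fact with a small audit script. This is an added example, not part of pam-qr; it assumes Ubuntu's layout, where the standard Un*x authentication include is `@include common-auth`, and the sample computer ID `42` and host `auth.example` are constructed.

```shell
#!/bin/sh
# Added example (not part of pam-qr): audit the SSH + PAM settings from the steps above.
# Assumes Ubuntu's layout, where the Un*x include is "@include common-auth".

sshd_value() {  # $1=sshd_config $2=lowercase keyword; sshd uses the first value it reads
    awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }' "$1"
}

check_sshd() {  # $1=sshd_config; prints one finding per setting that differs from the page
    for pair in passwordauthentication=no challengeresponseauthentication=yes usepam=yes; do
        got=$(sshd_value "$1" "${pair%%=*}")
        [ "$got" = "${pair#*=}" ] ||
            echo "sshd: ${pair%%=*} is '${got:-unset}', expected '${pair#*=}'"
    done
}

check_pam() {  # $1=PAM sshd file; checks position, control flag and URL scheme
    awk '
        $1 == "@include" && $2 == "common-auth" { included = 1 }
        $1 == "auth" && $3 == "pam_qr.so" {
            seen = 1
            if (included) print "pam: pam_qr.so is below common-auth, page puts it above"
            if ($2 != "sufficient") print "pam: control flag is " $2 ", page uses sufficient"
            if ($5 !~ /^https:\/\//) print "pam: auth-server URL is not https"
        }
        END { if (!seen) print "pam: no pam_qr.so auth line found" }
    ' "$1"
}

check_module() {  # $1=module path; page sets owner root, group root, mode 644
    got=$(stat -c '%U:%G %a' "$1" 2>/dev/null) || got=missing
    [ "$got" = "root:root 644" ] || echo "module: $1 is '$got', expected 'root:root 644'"
}

demo() {  # constructed sample files: password auth left on, plain-http auth server
    d=$(mktemp -d)
    printf 'PasswordAuthentication yes\nChallengeResponseAuthentication yes\nUsePAM yes\n' > "$d/sshd_config"
    printf 'auth sufficient pam_qr.so 42 http://auth.example\n@include common-auth\n' > "$d/pam"
    check_sshd "$d/sshd_config"; check_pam "$d/pam"; rm -rf "$d"
}

# With three paths (sshd_config, PAM sshd file, pam_qr.so) audit them; otherwise run the demo.
if [ "$#" -eq 3 ]; then
    check_sshd "$1"; check_pam "$2"; check_module "$3"
else
    demo
fi
```

Because the module is marked `sufficient`, a failed QR attempt falls through to the modules below it, so the Un*x password prompt stays reachable over keyboard-interactive even with `PasswordAuthentication no`.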