nuvious / pam-duress

A Pluggable Authentication Module (PAM) which allows the establishment of alternate passwords that can be used to perform actions to clear sensitive data, notify IT/Security staff, close off sensitive network connections, etc. if a user is coerced into giving a threat actor a password.
GNU Lesser General Public License v3.0

Make ~/.duress directory a toggleable feature. #15

Open nuvious opened 3 years ago

nuvious commented 3 years ago

Some admins may not trust their users to create duress scripts and want full control to only have the ones in /etc/duress.d run when a duress password is used. Modify the module such that it reads in a configuration file /etc/duress.conf to see if the administrator wants to enable ~/.duress for users and create a group that controls which users have their ~/.duress files parsed during login.

Artoria2e5 commented 3 months ago

Looks like the pam.conf module arguments are simply passed into the pam_sm_* functions as argc and argv, starting with argv[0] as the first string -- or at least that seems to be how the builtin pam_access understands it.
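
Added example, not part of the thread or of the pam-duress code: a fail-closed parser for module arguments in the argc/argv form the last comment describes, used to gate ~/.duress as the issue asks. The option names `user_dir` and `user_group=` and the group name `duress` are hypothetical; any unknown or malformed argument resets the policy to the /etc/duress.d-only default.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical options; neither name is defined by pam-duress. */
struct duress_opts {
    bool user_dir;            /* parse ~/.duress at all? */
    char user_group[64];      /* if non-empty, only members of this group */
};

/* Parse module arguments in the form PAM hands them to pam_sm_*():
 * argv[0] is the first argument, not the module name.
 * Returns 0 on success, -1 on any unknown or malformed argument; on
 * failure opts is reset so the caller falls back to /etc/duress.d only. */
int duress_parse_args(int argc, const char **argv, struct duress_opts *opts)
{
    static const char grp_key[] = "user_group=";
    memset(opts, 0, sizeof *opts);          /* default: ~/.duress disabled */

    for (int i = 0; i < argc; i++) {
        const char *a = argv[i];
        if (strcmp(a, "user_dir") == 0) {
            opts->user_dir = true;
        } else if (strncmp(a, grp_key, sizeof grp_key - 1) == 0) {
            const char *g = a + sizeof grp_key - 1;
            size_t n = strlen(g);
            if (n == 0 || n >= sizeof opts->user_group)
                goto fail;                  /* empty or would be truncated */
            memcpy(opts->user_group, g, n + 1);
        } else {
            goto fail;                      /* a typo must not widen policy */
        }
    }
    return 0;
fail:
    memset(opts, 0, sizeof *opts);
    return -1;
}

int main(void)
{
    /* Constructed sample: arguments as they follow the module path. */
    const char *argv[] = { "user_dir", "user_group=duress" };
    struct duress_opts o;
    int rc = duress_parse_args(2, argv, &o);
    printf("rc=%d user_dir=%d group=%s\n", rc, o.user_dir, o.user_group);
    return rc == 0 ? 0 : 1;
}
```

A module using this would call the parser at the top of its pam_sm_* entry point and treat a -1 return as "administrator scripts only", logging the rejected configuration.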