rafket / pam_duress

A pam module written in C for duress codes in linux authentication
GNU General Public License v2.0

Not working on Ubuntu 20.04 #16

Open cypherbits opened 3 years ago

cypherbits commented 3 years ago

I'm testing it on a virtual machine. At the time of defining the module on the /etc/pam.d/common-auth file.

I tried to add it like this:

# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_duress.so allow

And is not working.

Trying auth sufficient pam_duress.so just broke my logins.

BTW: I have eCryptfs installed too.

Lqp1 commented 3 years ago

> And is not working.

Can you explain a bit more what you did and what you got? You created a duress password but it does execute the script you asked when you login with it?

Also, what part of your disk is encrypted? and is your disk still encrypted when you login (is it full disk or per session?) ?

cypherbits commented 3 years ago

I'm experimenting on a virtual machine with Ubuntu 20.04.3. A new setup with LUKS enabled. Installed eCryptfs too, created a new user and enabled eCryptfs just for this new one. Installed pam_duress like the readme said, creating a new duress user and password for this second account. The module is configured to just make a file to test it and to authenticate with the duress password.

When I test this setup the duress password is not authenticating and the file script is not executing. But you can still login with the normal password.

This is how is configured:

# here are the per-package modules (the "Primary" block)
auth    [success=2 default=ignore]  pam_unix.so nullok_secure
auth    [success=1 default=ignore]  pam_duress.so allow
# here's the fallback if no module succeeds
auth    requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional    pam_ecryptfs.so unwrap
auth    optional            pam_cap.so 
# end of pam-auth-update config

Tried replacing auth [success=1 default=ignore] pam_duress.so allow with auth sufficient pam_duress.so but breaks all login.

cypherbits commented 3 years ago

Seeing logs from when trying to login as duress password:

Oct  1 19:45:12 test-VirtualBox gdm-password]: PAM unable to resolve symbol: pam_sm_setcred
Oct  1 19:45:12 test-VirtualBox gdm-password]: PAM unable to resolve symbol: pam_sm_setcred
Oct  1 19:45:12 test-VirtualBox gdm-password]: pam_unix(gdm-password:auth): Couldn't open /etc/securetty: No existe el archivo o el directorio
Oct  1 19:45:13 test-VirtualBox gdm-password]: pam_unix(gdm-password:auth): conversation failed
Oct  1 19:45:13 test-VirtualBox gdm-password]: pam_unix(gdm-password:auth): auth could not identify password for [test]
Oct  1 19:45:13 test-VirtualBox gdm-password]: pam_duress(gdm-password:auth): conversation failed

More:

Oct 1 19:57:16 test-VirtualBox polkitd(authority=local): Unregistered Authentication Agent for unix-session:2 (system bus name :1.82, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale es_ES.UTF-8) (disconnected from bus)

Lqp1 commented 3 years ago

I don't know if ecryptfs would change anything (I would say no), but just in case, maybe you could make a test with just a base ubuntu 20.04 in a first try? You can have full disk encryption for this first test of course, as I already tested (not on ubuntu though) and it works.

I don't have the setup to test it for now (docker is not enough for this test), but maybe you can use pamtester to help you debug? (There is also a github fork if you prefer: https://github.com/vguerra/pamtester).

If I have some spare time I'll try in a VM also

cypherbits commented 3 years ago

Tried many forks and @hellresistor script but nothing is working.

There are two errors in the logs:

  1. PAM unable to resolve symbol: pam_sm_setcred.
  2. A mkstemps() function error.

For this second error I changed code to use 6 XXXXXX like documentation says, not 5.

//Old code
snprintf(dpath, sizeof dpath, "/tmp/action.XXXXX.%s", user);
ofd = mkstemps(dpath, strlen(user) + 1);

And this error is gone. Seems it is working "a little" now: if you configure the module as allow, it login but stays with a blank screen. Disallow will not let you login. But it is not executing the script either.

Error 1 I don't know where to look...
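
The mkstemps() failure described in the comment above, as an added example that is not part of the original thread or the pam_duress code: mkstemps() requires the six bytes immediately before the suffix to be XXXXXX, so the five-X template is rejected with EINVAL. The helper name try_template and the sample user name are assumptions for illustration.

```c
#define _DEFAULT_SOURCE          /* mkstemps() is a BSD/glibc extension */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Declared explicitly in case feature-test macros were fixed earlier. */
int mkstemps(char *tmpl, int suffixlen);

/*
 * Hypothetical helper (not pam_duress code): build /tmp/action.<xs>.<user>,
 * create it with mkstemps(), and return 0 on success or -errno on failure.
 * On success *mode_out receives the permission bits of the new file.
 */
int try_template(const char *xs, const char *user, mode_t *mode_out)
{
    char path[256];
    struct stat st;
    int n = snprintf(path, sizeof path, "/tmp/action.%s.%s", xs, user);
    if (n < 0 || (size_t)n >= sizeof path)
        return -ENAMETOOLONG;

    /* Suffix is ".<user>"; the six bytes right before it must be XXXXXX. */
    int fd = mkstemps(path, (int)strlen(user) + 1);
    if (fd < 0)
        return -errno;

    int rc = 0;
    if (fstat(fd, &st) == 0)
        *mode_out = st.st_mode & 0777;
    else
        rc = -errno;
    close(fd);
    unlink(path);                /* demo only: remove the file again */
    return rc;
}

int main(void)
{
    mode_t mode = 0;
    /* Constructed input: user name "test", old (5 X) and fixed (6 X) template. */
    printf("5 X: %d\n", try_template("XXXXX", "test", &mode));
    printf("6 X: %d\n", try_template("XXXXXX", "test", &mode));
    printf("mode: %o\n", (unsigned)mode);
    return 0;
}
```

With five X characters the byte before the placeholder (the dot) is counted as part of the six-byte pattern, which is why the call fails before any file is created.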

hellresistor commented 3 years ago

Friend My bad on my Script!!!! Now is Good to install! https://gist.github.com/e5a6d9cc3a138ac70603b6fdda7ea588.git

But I think have "find" your situation/problem. well seems we need do work on this ^^

[Image: problemPAMDURESS]

But I can SURE I was put this pamduress working before!!! With the "break system" script :) I will reproduce on ubuntu 18...

hellresistor commented 3 years ago

> And this error is gone. Seems it is working "a little" now: if you configure the module as allow, it login but stays with a blank screen. Disallow will not let you login. But it is not executing the script either.
>
> Error 1 I don't know where to look...

@cypherbits Attention You are using the Scriptfile my script create (AnonPanic.sh)? (attention. that will destroy the system, need the reset button, It is a full RAM and CPU...) Try with a script.. creating a folder or something like that...

Can you share your /etc/pam.d/common-auth file ?

Lqp1 commented 3 years ago

Good news guys! I tried on a fresh Ubuntu 20.04 VM, and I made it to work!

I needed the fix for mkstemps (did not see the log but it does not work without it anyway): thanks @cypherbits.
I needed to expose pam_sm_setcred as asked by the error, in the module (even if it does nothing).

After all that the simple config from the README is working :)

I'll update my master branch with that soon

EDIT: lqp1/master updated, it should work but ping me if you find regressions.

hellresistor commented 3 years ago

will test it NOW ;) well...

Oct 14 22:32:16 testubuntu20 login[1519]: pam_unix(login:auth): Couldn't open /etc/securetty: No such file or directory
Oct 14 22:32:22 testubuntu20 login[1519]: pam_unix(login:auth): Couldn't open /etc/securetty: No such file or directory
Oct 14 22:32:22 testubuntu20 login[1519]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=myuser
Oct 14 22:32:25 testubuntu20 login[1519]: FAILED LOGIN (1) on '/dev/tty1' FOR 'myuser', Authentication failure

with this config

auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_duress.so allow
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so

Will not enter session, BUT the script Run!! (same as disallow)

Done little search and get this confirmed bug. https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1872443

Should use this solution temporarily. https://askubuntu.com/questions/1239503/20-04-etc-securetty-no-such-file-or-directory After use this and reboot.

Now getting this!

Oct 14 22:45:32 testubuntu20 login[1315]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=myuser
Oct 14 22:45:33 testubuntu20 login[1315]: pam_unix(login:session): session opened for user myuser by LOGIN(uid=0)
Oct 14 22:45:33 testubuntu20 systemd-logind[821]: New session 6 of user myuser.
Oct 14 22:45:33 testubuntu20 login[1315]: pam_unix(login:session): session closed for user myuser
Oct 14 22:45:33 testubuntu20 systemd-logind[821]: Session 6 logged out. Waiting for processes to exit.
Oct 14 22:45:33 testubuntu20 systemd-logind[821]: Removed session 6.

With allow. Still not enter in session.

With disallow Continue running script too. and get.

Oct 14 22:49:22 testubuntu20 login[1541]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=myuser
Oct 14 22:49:26 testubuntu20 login[1541]: FAILED LOGIN (1) on '/dev/tty1' FOR 'myuser', Authentication failure

Lqp1 commented 3 years ago

What distribution are you using? I successfully tested on 20.04 on my side. I also have the securetty error thing, but this does not prevent me to login, either with regular and duress passwords.

What I did:

In your test I think the securetty thing is just noise. The second test is doing what you're asking: disallow asks pam_duress to deny logging with duress password, but execute the script.

But I don't understand why it does not logs you in with allow if you execute the script. Maybe you can add more logs in your pam_duress module, and reinstall it to see where it fails? or set pam to show more debug logs?

cypherbits commented 3 years ago

Many thanks for your work. I will test it (when I have some spare time) and tell you about it.

hellresistor commented 3 years ago

i will test during this weekend! Thank you a lot!!

Update: Well I am using Ubuntu 20.04 Server edition (just with ssh server) Well seems all keep working!! Just this situation happens! Working on console directly from vm, The session opens and closes on a "eyes blink" using allow param. Execute the script and exit session (no exist exit command on script..) But I will use disallow to my needs.

cypherbits commented 3 years ago

Hi, anyone interested on working on this anymore? Tried again and not working... I think more and more people would want to install this.

hellresistor commented 3 years ago

> Hi, anyone interested on working on this anymore? Tried again and not working... I think more and more people would want to install this.

Hi friend not working with this steps? https://gist.github.com/hellresistor/e5a6d9cc3a138ac70603b6fdda7ea588

Maybe package updates, sorry I am unable to help because I do not have knowledge of this language :(

Lqp1 commented 3 years ago

Hello @cypherbits

> Tried again and not working..

Which part of the readme is not working? Please make sure to use my fork when building the lib (it contains the patch I mentioned earlier in this thread)

cypherbits commented 3 years ago

> Hello @cypherbits
>
> > Tried again and not working..
>
> Which part of the readme is not working? Please make sure to use my fork when building the lib (it contains the patch I mentioned earlier in this thread)

It's not about building but actual pam configuration I think. Trying it now on Ubuntu 21.04 with eCryptfs enabled for that user.

Lqp1 commented 3 years ago

It was working perfectly on 20.04 (see the exact steps in the comment above and in the readme). It should work also on 21 I think, but feel free to try and share what exactly is your conf and what was not working

cypherbits commented 3 years ago

I think the main problem could be that maybe this is not compatible with eCryptfs. I will try things when I have some free time.

cypherbits commented 3 years ago

Hi, I made some tests. It seems this is not compatible with eCryptfs, and is a logical thing since eCryptfs derives the encrypted key from the password and if the password is not "correct" it cannot decrypt anything and everything will fail. Maybe we could put something on the Readme.

On a vanilla/default session it works, if I configure the module with allow, it log in, but my script is not being executed. I will try some things again when I have time to test it.

hellresistor commented 3 years ago

> Hi, I made some tests. It seems this is not compatible with eCryptfs, and is a logical thing since eCryptfs derives the encrypted key from the password and if the password is not "correct" it cannot decrypt anything and everything will fail. Maybe we could put something on the Readme.
>
> On a vanilla/default session it works, if I configure the module with allow, it log in, but my script is not being executed. I will try some things again when I have time to test it.

Hi. Have you tried create pamduress user by command , but insert an Encrypted password instead the plaintext password? (just a shoot to the air)

cypherbits commented 2 years ago

Hi, just to let you know there seems to be a new pam-duress project: https://github.com/nuvious/pam-duress

hellresistor commented 2 years ago

Thank you 💯