authorMarvin Borner2022-07-13 15:12:27 +0200
committerMarvin Borner2022-07-13 15:13:00 +0200
commit3e8f62c35fce80343b5359b45924f7bc3fc22d4f (patch)
treee80d8b8bed961e8381491ff52f50d4f0c34f5904
Initial commit
-rw-r--r--LICENSE13
-rw-r--r--README.md37
-rwxr-xr-xinstall.sh12
-rwxr-xr-xishome15
-rw-r--r--main.c49
5 files changed, 126 insertions, 0 deletions
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..1db77f4
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,13 @@
+ DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+ Version 2, December 2004
+
+ Copyright (C) 2022 Marvin Borner <develop@marvinborner.de>
+
+ Everyone is permitted to copy and distribute verbatim or modified
+ copies of this license document, and changing it is allowed as long
+ as the name is changed.
+
+ DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. You just DO WHAT THE FUCK YOU WANT TO.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9eea2a4
--- /dev/null
+++ b/README.md
@@ -0,0 +1,37 @@
+# TrustHome
+
+TrustHome disables the password requirement for sudo/login while you’re
+using your home wifi.
+
+### DISLAIMER: I’m not responsible for any security breaches you may encounter while having this installed. This is merely a utility for my personal convenience and should never be used if you’re serious about security. You should ALWAYS use other security measures, such as full disk encryption, in addition.
+
+## Installation
+
+0. Make sure that you use `iwd` and have `pam` and `sudo` configured
+ correctly
+ - if you don’t use `iwd`, modifying `ishome` to fit your network
+ daemon shouldn’t be too hard
+1. Modify `ishome` according to your network’s specifications
+2. Verify whether the paths in `install.sh` work for you and your OS
+3. Run `sudo ./install.sh` - you might need to install `libpam` if you
+ get errors
+4. Modify your pam configuration accordingly. For example, my
+ `/etc/pam.d/sudo` file looks like this:
+
+<!-- -->
+
+ auth sufficient pam_trusthome.so
+ auth sufficient pam_fprintd.so
+ auth include system-auth
+ account include system-auth
+ session include system-auth
+
+using this configuration sudo will fall back to my fingerprint sensor if
+I’m not on my home network which will then fall back to normal password
+authentication if something failed. You may also want to edit files like
+`/etc/pam.d/login` in a similar way.
+
+## Ideas
+
+You could try modifying `ishome` so that you get authenticated
+automatically based on your GPS location or public IP address.
diff --git a/install.sh b/install.sh
new file mode 100755
index 0000000..5d40318
--- /dev/null
+++ b/install.sh
@@ -0,0 +1,12 @@
+#!/bin/env sh
+
+set -e
+
+gcc -fPIC -c main.c
+ld -x --shared -o /lib/security/pam_trusthome.so main.o
+chmod 755 /lib/security/pam_trusthome.so
+rm main.o
+
+cp ishome /etc/security/
+chown root:root /etc/security/ishome
+chmod 005 /etc/security/ishome
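Review bot: The shebang `#!/bin/env sh` on the first line locates `sh` through PATH and uses `/bin/env`, which is not the conventional location of env; for an installer run as root, `#!/bin/sh` is both more portable and independent of the caller's PATH (the same applies to the `ishome` file this script installs into /etc/security). The compile step `gcc -fPIC -c main.c` carries no warning flags; `gcc -Wall -Wextra -fPIC -c main.c` would at least report the unused parameters in main.c and any implicit declarations. Because `set -e` stops at the first failing command, a failed `ld` leaves `main.o` behind; a `trap 'rm -f main.o' EXIT` placed before the gcc line would make the cleanup unconditional.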
diff --git a/ishome b/ishome
new file mode 100755
index 0000000..f547039
--- /dev/null
+++ b/ishome
@@ -0,0 +1,15 @@
+#!/bin/env sh
+
+WIFIBSS="xx:xx:xx:xx:xx:xx"
+WIFISSID="HomeNet"
+
+set -e
+
+bss=$(iwctl station wlan0 show | grep "ConnectedBss" | awk '{print $2}')
+wifi=$(iwctl station wlan0 show | grep "Connected network" | awk '{print $3}')
+
+if [ "$bss" = "$WIFIBSS" ] && [ "$wifi" = "$WIFISSID" ]; then
+ exit 0
+else
+ exit 1
+fi
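Review bot: `iwctl`, `grep` and `awk` on the two `$(...)` lines, and `sh` through the `#!/bin/env sh` shebang, are all resolved via PATH, yet this script is executed as root by the PAM module from the environment of the process being authenticated; unless that process has already sanitised its environment, the lookup is not under the script's control. Setting `PATH=/usr/bin:/bin; export PATH` right after the shebang (or using absolute paths for the three tools) fixes the lookup inside the script itself regardless of how it is invoked. `wlan0` is repeated on both lines; the README says to adapt it, but a single `IFACE="wlan0"` variable next to WIFIBSS/WIFISSID would make that obvious. Note that `set -e` only observes the status of `awk`, the last command in each pipeline, so a missing `ConnectedBss` line yields an empty `bss` and a mismatch — fail-closed, which is the intended direction, but worth a comment.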
diff --git a/main.c b/main.c
new file mode 100644
index 0000000..60eeec5
--- /dev/null
+++ b/main.c
@@ -0,0 +1,49 @@
+#include <security/pam_modules.h>
+#include <security/pam_ext.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <sys/wait.h>
+
+PAM_EXTERN int pam_sm_authenticate(pam_handle_t *handle, int flags, int argc,
+ const char **argv)
+{
+ if (fork() == 0) {
+ execl("/etc/security/ishome", NULL);
+ } else {
+ int stat;
+ wait(&stat);
+ if (WIFEXITED(stat) && WEXITSTATUS(stat) == 0)
+ return PAM_SUCCESS;
+ }
+ return PAM_ABORT;
+}
+
+PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ return PAM_SUCCESS;
+}
+
+PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ return PAM_SUCCESS;
+}
+
+PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ return PAM_SUCCESS;
+}
+
+PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ return PAM_SUCCESS;
+}
+
+PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ return PAM_SUCCESS;
+}
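Review bot: pam_sm_authenticate does not distinguish a failed fork() from the parent branch: fork() returning -1 falls into the else arm, wait() then fails, and `stat` is read uninitialized, so under fork failure the decision rests on whatever is on the stack and can come out as PAM_SUCCESS. On the child side a failed execl() falls through to `return PAM_ABORT`, leaving a second copy of the calling process running inside the PAM stack; the child must `_exit()` after exec. The exec also passes NULL as argv[0] (and an uncast NULL as the variadic terminator) and inherits the caller's environment, so the `#!/bin/env sh` interpreter and the tools inside ishome are looked up via a PATH the module does not control; `execle` with a fixed environment, `waitpid` on the specific pid (plain wait() may reap an unrelated child of sudo/login), an EINTR retry, and PAM_AUTH_ERR rather than PAM_ABORT for an ordinary refusal address these. The rewrite below additionally needs `#include <errno.h>`.
```c
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *handle, int flags, int argc,
				   const char **argv)
{
	(void)handle; (void)flags; (void)argc; (void)argv;

	pid_t pid = fork();
	if (pid < 0)
		return PAM_AUTH_ERR; /* fail closed: no helper, no success */

	if (pid == 0) {
		/* fixed environment so the helper never resolves tools via the caller's PATH */
		char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
		execle("/etc/security/ishome", "ishome", (char *)NULL, envp);
		_exit(127); /* exec failed: never return into the PAM caller from the child */
	}

	int status = 0;
	pid_t r;
	do {
		r = waitpid(pid, &status, 0); /* reap our child only, not any child */
	} while (r < 0 && errno == EINTR);
	if (r != pid)
		return PAM_AUTH_ERR;

	if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
		return PAM_SUCCESS;
	return PAM_AUTH_ERR;
}
```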