💾 Archived View for axionfield.space › gemlog › 20230914-librem5-autoreboot-auth.gmi captured on 2023-09-28 at 15:58:04. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
Usually, people using a Librem 5 (or any mobile Linux phone) have a very weak
password for their account. That's because, well, you do not want to have to
type a 16-character password every time you pick up your phone. So most of the
time people have a 6 or 8 digit PIN.
The first line of defense is obviously to disable SSH, or require keys. But that
does not help against brute forcing the physical device. So I made a little
script that keeps track of auth failures and reboots the phone after 3 failed
attempts.
As you are a privacy-minded individual, you probably have disk encryption
enabled. So when the phone reboots, the attacker will be dropped at the LUKS
prompt, where you have, hopefully, a solid passphrase.
The script is simple, and can be placed in /usr/local/bin/on_auth_failure.sh.
Because /tmp is world-writable, the script must not trust what it reads back
from the counter file (bash evaluates array subscripts inside $(( )), and under
sudo the hook runs as root), so anything that is not a plain number counts as 0:

```
#!/bin/bash
# PAM hook: count failed authentications and reboot on the third one.
# pam_exec calls it with no argument on failure and with "reset" on success.
F="/tmp/.auth_failure_counter"

case "$1" in
    reset)
        rm -f "$F"
        exit 0
        ;;
    *)
        [ ! -f "$F" ] && echo -n 0 > "$F"
        TRYN=$(cat "$F")
        # /tmp is world-writable: never feed untrusted contents to $(( )).
        # Anything that is not a plain decimal number is treated as 0.
        case "$TRYN" in
            ''|*[!0-9]*) TRYN=0 ;;
        esac
        # 10# forces base 10, so a leading zero is not read as octal.
        TRYN=$((10#$TRYN + 1))
        if [ "$TRYN" -ge 3 ]; then
            rm -f "$F"
            systemctl reboot
        else
            echo -n "$TRYN" > "$F"
        fi
        ;;
esac
# Non-zero exit: harmless, the module is declared "optional" in PAM.
exit 1
```
Make sure it is owned by root and writable by nobody else:

```
# chown root:root /usr/local/bin/on_auth_failure.sh
# chmod 755 /usr/local/bin/on_auth_failure.sh
```
At that point, test it. Call the script 3 times and the phone should reboot.
Calling it with reset should let you run it 3 more times. When everything
works, you can edit your PAM file.
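Calling the real script three times reboots the phone, so here is an added example (not the post's script) with the same counter logic written as shell functions whose counter file and reboot command are parameters, which lets you exercise it in a scratch directory. It also shows why a counter kept in world-writable /tmp must not be trusted: a file pre-seeded by a local user triggers the reboot early, and contents that are not a plain number are treated as zero rather than evaluated. The function names and the MAX_FAILURES constant are this example's own.

```shell
#!/bin/bash
# Added example, not the post's script: a testable version of the failure
# counter. Counter path and reboot command are parameters so nothing real
# is rebooted while exercising it.

MAX_FAILURES=3

# Sanitize a value read from a world-writable location. bash expands array
# subscripts inside $(( )), so a file containing "a[$(cmd)]" would run cmd
# with the hook's privileges. Anything that is not plain digits becomes 0.
sanitize_count() {
    local v="$1"
    case "$v" in
        ''|*[!0-9]*) echo 0; return ;;
    esac
    # Strip leading zeros: bash reads "010" as octal and rejects "08".
    while [ "${v#0}" != "$v" ]; do v="${v#0}"; done
    echo "${v:-0}"
}

# on_auth_failure COUNTER_FILE REBOOT_CMD
# Increment the counter; at the limit clear it and run REBOOT_CMD.
# Returns 1 like the original hook (ignored for an 'optional' PAM module).
on_auth_failure() {
    local f="$1" reboot_cmd="$2" n=""
    [ -f "$f" ] && n=$(cat "$f")
    n=$(sanitize_count "$n")
    n=$((n + 1))
    if [ "$n" -ge "$MAX_FAILURES" ]; then
        rm -f "$f"
        $reboot_cmd
    else
        printf '%s' "$n" > "$f"
    fi
    return 1
}

# on_auth_reset COUNTER_FILE: a successful login clears the counter.
on_auth_reset() {
    rm -f "$1"
    return 0
}

# simulate_failures N [SEED]
# Run the failure hook N times against a fresh scratch counter, optionally
# pre-seeded with SEED (modelling a poisoned /tmp file), and print how many
# reboots would have happened.
simulate_failures() {
    local n="$1" seed="${2-}" dir f reboots=0 i=0
    dir=$(mktemp -d)
    f="$dir/counter"
    [ -n "$seed" ] && printf '%s' "$seed" > "$f"
    fake_reboot() { reboots=$((reboots + 1)); }
    while [ "$i" -lt "$n" ]; do
        on_auth_failure "$f" fake_reboot || true
        i=$((i + 1))
    done
    rm -rf "$dir"
    echo "$reboots"
}

# simulate_reset: two failures, a successful login, two more failures.
# Prints the reboot count, which must be 0 because the login reset it.
simulate_reset() {
    local dir f reboots=0
    dir=$(mktemp -d)
    f="$dir/counter"
    fake_reboot() { reboots=$((reboots + 1)); }
    on_auth_failure "$f" fake_reboot || true
    on_auth_failure "$f" fake_reboot || true
    on_auth_reset "$f"
    on_auth_failure "$f" fake_reboot || true
    on_auth_failure "$f" fake_reboot || true
    rm -rf "$dir"
    echo "$reboots"
}
```

Run for instance `simulate_failures 3` (prints 1) and `simulate_failures 1 2` (prints 1: a counter pre-seeded with 2 reboots on the very next failure, which is the denial-of-service a local user can cause by writing to /tmp). A seed such as `a[$(touch /tmp/x)]` prints 0 and creates nothing, because the value is sanitized before it ever reaches an arithmetic expansion.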
Don't mess up here, or you won't be able to sudo anymore. If you want to be
safe, open a new terminal/SSH session and drop into a root shell before you
start. If you really break it, you can always boot the phone with jumpdrive
and fix your mess manually.
First, make a backup of the stock file:

```
cd /etc/pam.d
sudo cp common-auth common-auth.orig
```
Then edit common-auth (as root) and make it look like:

```
## change success=1 to success=2 (skip 2 modules instead of one in case of success)
auth    [success=2 default=ignore]      pam_unix.so nullok
## add the line below:
auth    optional                        pam_exec.so seteuid /usr/local/bin/on_auth_failure.sh
auth    requisite                       pam_deny.so
## add the line below:
auth    optional                        pam_exec.so seteuid /usr/local/bin/on_auth_failure.sh reset
auth    required                        pam_permit.so
auth    required                        pam_ecryptfs.so unwrap
```

The control flow is: when pam_unix succeeds, success=2 jumps over both the
failure hook and pam_deny and lands on the reset call; when it fails
(default=ignore), execution falls through into the failure hook, which bumps
the counter, and then pam_deny rejects the attempt. The seteuid option makes
pam_exec run the hook with the effective UID of the calling process, which is
root for sudo.
Then run sudo pam-auth-update (not sure if this one is really required). PAM
reads common-auth on every authentication, so the edit is live as soon as the
file is saved; note that pam-auth-update regenerates common-auth from the
profiles in /usr/share/pam-configs/ and will flag the hand edit as a local
modification, so keep your backup around.
That’s it. Now if you fail auth 3 times, the phone will reboot and the drive
will be locked, needing your passphrase to decrypt it.