💾 Archived View for axionfield.space › gemlog › 20230914-librem5-autoreboot-auth.gmi captured on 2024-02-05 at 09:43:41. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-09-28)

-=-=-=-=-=-=-

Automatically reboot after 3 bad auth

Usually, people using a Librem5 (or any mobile Linux phone) have a very weak

password for their account. That's because, well, you do not want to have to

type a 16 character PIN everytime you pick up your phone. So most of the time

people have a 6 or 8 digit pin.

The first line of defense is obviously to disable SSH, or require keys. But that

does not help against brute forcing the physical device. So I made a little

script that will keep track of auth failure, and will reboot the phone after 3

failed attempt.

As you are a privacy minded individual, you probably have disk encryption

enabled. So when the phone reboots, the attacker will be dropped into the LUKS

prompt, where you have, hopefully, a solid passphrase.

The script

The script is simple, and can be placed in /usr/local/bin/on_auth_failure.sh

#!/bin/bash

F="/tmp/.auth_failure_counter"

case "$1" in
        reset)
                rm -f "$F"
                exit 0
                ;;
        *)
                [ ! -f "$F" ] && echo -n 0 > "$F"
                TRYN=$(cat "$F")
                TRYN=$((TRYN+1))
                if [ $TRYN == 3 ]; then
                        rm -f "$F"
                        systemctl reboot
                else
                        echo -n "$TRYN" > "$F"
                fi
                ;;
esac

exit 1

Make sure this is owned by root and read-only for everybody else:

# chown root:root /usr/local/bin/on_auth_failure.sh
# chmod 755 /usr/local/bin/on_auth_failure.sh

At that point you should try. Call that script 3 times and the phone should

reboot. Calling it with reset should let you run it 3 more times. When

everything is fine, you can edit you pam file.

Plug that into PAM

Don’t mess up here, or you won’t be able to sudo anymore. If you want to be

safe, open a new terminal/ssh session and drop into a root shell. If you really

break it, you can always boot the phone with jumpdrive and fix your mess

manually)

First, make a backup of the stock file:

cd /etc/pam.d
sudo cp common-auth common-auth.orig

Then edit common-auth (as root) and make it look like:

## change success=1 to success=2 (skip 2 modules instead of one in case of success)
auth    [success=2 default=ignore]      pam_unix.so nullok
## add the line below:
auth    optional                        pam_exec.so seteuid /usr/local/bin/on_auth_failure.sh
auth    requisite                       pam_deny.so
## add the line below:
auth    optional                        pam_exec.so seteuid /usr/local/bin/on_auth_failure.sh reset
auth    required                        pam_permit.so
auth    required                        pam_ecryptfs.so unwrap

Then run sudo pam-auth-update (not sure if this one is really required).

That’s it. Now if you fail auth 3 times, the phone will reboot and the drive

will be locked, needing your passphrase to decrypt it.