pam-duress VS WSL-Hello-sudo

On Linux, there’s pam-duress: https://github.com/nuvious/pam-duress

Multi-step timeout would be a good alternative, especially for mobile. For desktop, I have this awesome PAM set up to remove everything associated with my regular user account.

It's actually quite simple and readily available with PAM duress [0] (at least on Linux, I'm not sure about PAM on Mac). It was also discussed here already [1]. Still, you should consider that doing so might not work in your favor.

[0] https://github.com/nuvious/pam-duress

[1] https://news.ycombinator.com/item?id=28267975

# Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 inherit pam toolchain-funcs VER_COMMIT="04e607f9ab674c8dbbf27ea8bb59158178a72f69" DESCRIPTION="A PAM module enabling special 'duress' passwords that will execute arbitrary scripts" HOMEPAGE="https://github.com/nuvious/pam-duress" SRC_URI="https://github.com/nuvious/${PN}/archive/${VER_COMMIT}.tar.gz -> ${P}.tar.gz" LICENSE="LGPL-3" SLOT="0" KEYWORDS="~amd64" IUSE="debug" DEPENDS="dev-libs/openssl sys-libs/pam" RDEPENDS="${DEPENDS}" S="${WORKDIR}/pam-duress-${VER_COMMIT}" src_prepare() { default sed -e "/^CC :=/s|:= .*|:= $(tc-getCC)|" -e "/^CFLAGS :=/s|-O2|${CFLAGS}|" \ -i Makefile || die } src_compile() { emake $(use debug && echo "debug") } src_install() { dobin bin/duress_sign dobin bin/pam_test dopammod bin/pam_duress.so einstalldocs }

Using https://github.com/xmidt-org/dms & https://github.com/nuvious/pam-duress to shred LUKS headers: https://www.buskill.in/luks-self-destruct/

maybe https://github.com/nuvious/pam-duress

This repo gives you one such tool. It triggers a script when a specific password is used, and can then hand over control to the usual unlocking process or not (as you asked for). The script is whatever you want: taking a pic, maybe transmit it over the internet, possibly including live video, audio and location, distress message, etc. The script can also erase the app, itself and the log entries, then unlocking as if nothing had happend. A downside is that, at least from the repo description and instructions, the Duress action triggers on specific user and password, not on anything but the correct combination. Still, you asked for specific user and password.

So far, I've only come across one solution for Linux, called PAM Duress. It executes a script when you log in, so you'd probably need to add some actions that make the files unavailable. I haven't used it myself, as I'm a Windows user.

Well, `sudo` is a *nix binary, so Linux and macOS are your most popular options here.

Fingerprint authentication for sudo was enabled by default on my Manjaro install after I enrolled a fingerprint so I guess popular Linux distributions configure it automatically. If yours doesn't, try the configuration methods on this page: https://wiki.archlinux.org/title/fprint or here: https://askubuntu.com/questions/1015416/use-fingerprint-auth... or consult your operating system's documentation.

The big difference is that you need "pam_fprintd.so" instead of "pam_tid". On Ubuntu (or derived, probably), running "sudo pam-auth-update" will allow you to configure fingerprint authentication without needing to manually edit system files.

Do note that if you use a more exotic window manager, any fancy visual sudo prompts may not know how to deal with such a system.

If you're on Windows and want WSL with Windows Hello, there's this tool: https://github.com/nullpo-head/WSL-Hello-sudo which is a PAM library that will call into Windows Hello from WSL. Windows Hello should in turn support your fingerprint reader or other biometric authentication system configured for your PC.

What kind of prompt is this? It looks like Windows Terminal running Bash, but are the icons PNGs (windows + home), or a specific type-face rendering emoji?

https://github.com/nullpo-head/WSL-Hello-sudo/blob/master/de...

Similarly for WSL2 using Windows Hello:

https://github.com/nullpo-head/WSL-Hello-sudo