- persistent-touch-id-sudo: Configures PAM on macOS via a Launch Daemon so that Touch ID for sudo is always available and persists across OS upgrades
- pam-duress: A Pluggable Authentication Module (PAM) which allows the establishment of alternate passwords that can be used to perform actions to clear sensitive data, notify IT/Security staff, close off sensitive network connections, etc. if a user is coerced into giving a threat actor a password.
- WSL-Hello-sudo: Let's sudo by face recognition of Windows Hello on Windows Subsystem for Linux (WSL). It runs on both WSL 1 and WSL 2. This is a PAM module for Linux on WSL.
I'm leery of configuring user code to automatically modify system files, especially security related ones. I think your tool should at least have an option to ask user confirmation, perhaps showing the expected file diff, before making its change. https://github.com/YuriyGuts/persistent-touch-id-sudo/issues...
System updates are not frequent. I prefer doing it manually, and just automating a notification that it needs to be redone. I added this to my `.bashrc`:
    if ! grep -q "pam_tid.so" /etc/pam.d/sudo ; then
        # pam_tid.so line is gone (typically after an OS update); only notify, the fix is done by hand
        echo "Touch ID for sudo is not configured: re-add pam_tid.so to /etc/pam.d/sudo"
    fi
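Combining the two ideas above (check on login, never edit the file silently), here is an added example that is not from the thread or from either tool: it reports whether /etc/pam.d/sudo still loads pam_tid.so and prints the diff that re-adding the line would produce, leaving the edit itself to the user. The PAM_SUDO variable and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example: detect a missing pam_tid.so line and show, not apply, the change.
# PAM_SUDO may be overridden so the functions can run against a copy of the file.
PAM_SUDO="${PAM_SUDO:-/etc/pam.d/sudo}"
TID_LINE="auth       sufficient     pam_tid.so"

# Return 0 if the given PAM file already loads pam_tid.so, 1 otherwise.
has_pam_tid() {
    grep -q "pam_tid.so" "$1"
}

# Print the file as it would look with the Touch ID line inserted before the
# first existing "auth" line (macOS ships several auth lines in pam.d/sudo).
proposed_pam_sudo() {
    awk -v line="$TID_LINE" '
        !done && /^auth/ { print line; done = 1 }
        { print }
    ' "$1"
}

# Report state and the expected diff; returns 1 when the line is missing so a
# shell startup file can react (e.g. print a reminder). No file is modified.
check_touch_id_sudo() {
    if has_pam_tid "$1"; then
        echo "Touch ID for sudo is configured in $1"
        return 0
    fi
    echo "Touch ID for sudo is missing from $1 (likely after an OS update)."
    echo "Proposed change:"
    # diff exits 1 when files differ; that is the expected case here
    proposed_pam_sudo "$1" | diff -u "$1" - || true
    return 1
}
```

Source the file from `.bashrc` and call `check_touch_id_sudo "$PAM_SUDO"` to get the reminder plus the diff at login.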
It's actually quite simple and readily available with PAM duress [0] (at least on Linux, I'm not sure about PAM on Mac). It was also discussed here already [1]. Still, you should consider that doing so might not work in your favor.
[0] https://github.com/nuvious/pam-duress
[1] https://news.ycombinator.com/item?id=28267975
You're right, once an adversary gains physical access (or even remote access as your main login account), all bets are off. This is the area where the traditional UNIX security model has failed to adapt at all: you need a password to install a random game from apt (a vetted and trusted source), but you don't need a password to install a cryptolocker, or exfiltrate personal data.
However I like having a password (or some other form of confirmation), just so that I can stop to think for a second, whether what I'm about to do is a good idea.
What's annoying is that I effectively need two different policies on workstations and on servers, since I still want to be able to escalate privileges from maintenance scripts[1].
[1]: https://github.com/rollcat/judo/issues/9
Shameless plug of my (silly) password generator:
Demo: http://www.jaruzel.com/apps/quickpass/
Source: https://github.com/MattOwenGB/QuickPass
Well, `sudo` is a *nix binary, so Linux and macOS are your most popular options here.
Fingerprint authentication for sudo was enabled by default on my Manjaro install after I enrolled a fingerprint so I guess popular Linux distributions configure it automatically. If yours doesn't, try the configuration methods on this page: https://wiki.archlinux.org/title/fprint or here: https://askubuntu.com/questions/1015416/use-fingerprint-auth... or consult your operating system's documentation.
The big difference is that you need "pam_fprintd.so" instead of "pam_tid". On Ubuntu (or derived, probably), running "sudo pam-auth-update" will allow you to configure fingerprint authentication without needing to manually edit system files.
Do note that if you use a more exotic window manager, any fancy visual sudo prompts may not know how to deal with such a system.
If you're on Windows and want WSL with Windows Hello, there's this tool: https://github.com/nullpo-head/WSL-Hello-sudo which is a PAM library that will call into Windows Hello from WSL. Windows Hello should in turn support your fingerprint reader or other biometric authentication system configured for your PC.
That's why I prefer using Yubikeys (using this setup: https://github.com/drduh/YubiKey-Guide) — and this method times out immediately (just press esc when the "insert card" dialog comes up).
Plus you can have multiple keys. Plus you can use them for gpg and ssh. Plus you can back them up. Plus you can print them on paper.
Would you like to have a look? https://github.com/rollcat/upmerge