
#1 2019-05-28 21:17:12

drybalka
Member
Registered: 2019-05-27
Posts: 6

Unlocking with pin password (à la Windows)

I haven't found a similar topic anywhere on this forum, so I decided to write a simple guide on how to implement a pin-like password for a screensaver. I hope it will help someone, or at least be a reference for myself when I need to do it again.

I have a long main password and often hate typing it just to unlock my laptop, especially considering the fact that I have several keyboard layouts. Therefore, I prefer to have a short pin-like-4-digit password for my lock screen identical on all layouts, while still keeping a strong password for everything else. This can be achieved by installing a libpam_pwdfile package from AUR (https://github.com/tiwe-de/libpam-pwdfile). First, you need to generate a passwd file containing your credentials, and second tell your locking program to use it.

The password file basically looks like passwd(5): one line for each user with two or more colon-separated fields. The first field contains the username, the second the crypt()ed password. It can be generated and saved to a pin.passwd file, for example, using openssl:

echo "$USER:$(openssl passwd -1 1234)" > pin.passwd

where 1234 is your pin-like password.

The PAM file that controls unlocking depends on the screensaver, but is usually located in the /etc/pam.d/ directory. For example, in the case of i3lock, in order to enable the pin password, add this line before all others to /etc/pam.d/i3lock:

auth sufficient pam_pwdfile.so pwdfile=/path/to/your/pin.passwd

This tells your screensaver to check the input with your pin password first, but still allows unlocking on your user password.


#2 2019-05-28 21:35:46

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 16,691

Re: Unlocking with pin password (à la Windows)

This seems like an extraordinary way to lower the bar where it comes to security.

What permissions are required of that file?
Have we learned nothing about the storing of passwords rather than hashes?


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#3 2019-05-28 21:58:37

drybalka
Member
Registered: 2019-05-27
Posts: 6

Re: Unlocking with pin password (à la Windows)

ewaller wrote:

This seems like an extraordinary way to lower the bar where it comes to security.

Well, it is, but only for unlocking. This does not influence login or sudo privileges.

ewaller wrote:

What permissions are required of that file?

I am not sure about the absolutely minimally required permissions, but for me it has the same permissions as /etc/pam.d/shadow, so I presume it can't be that much of a security concern.

ewaller wrote:

Have we learned nothing about the storing of passwords rather than hashes?

openssl passwd -1 password in fact generates a hash, which is then stored to pin.passwd, not the actual password. As I understand it, pin.passwd has the same structure as /etc/pam.d/shadow.

Unfortunately, I cannot say anything about the security of the libpam_pwdfile package itself, but so far I haven't found any other way, maybe using built-in PAM modules.

Last edited by drybalka (2019-05-28 22:10:54)
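
The two questions raised in this thread (who can read the file, and whether it holds hashes or passwords) can be checked mechanically. The script below is an added example, not part of any post: it audits a user:hash file of the kind pam_pwdfile reads. The policy it assumes (owner-only mode, a configurable expected owner defaulting to root) and the function names are illustrative, and the sample entries are constructed.

```python
import os
import stat
import tempfile

# crypt(3) prefixes; "$1$" (MD5-crypt) is what `openssl passwd -1` emits.
SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
           "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt"}
WEAK = {"md5crypt"}  # fast to compute, so a short PIN is cheap to guess offline


def audit_pwdfile(path, owner_uid=0):
    """Return sorted (code, detail) findings for a user:hash[:...] file."""
    findings = set()
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # assumed policy: only the owner may read or write
        findings.add(("perm", f"mode {mode:04o} grants group/other access"))
    if st.st_uid != owner_uid:
        findings.add(("owner", f"owned by uid {st.st_uid}, expected {owner_uid}"))
    with open(path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.rstrip("\n")
            if not line:
                continue
            fields = line.split(":")
            if len(fields) < 2 or not fields[0]:
                findings.add(("format", f"line {lineno}: expected user:hash"))
                continue
            user, secret = fields[0], fields[1]
            scheme = next((n for p, n in SCHEMES.items() if secret.startswith(p)), None)
            if scheme is None:  # plaintext or a legacy unprefixed hash
                findings.add(("not-hash", f"line {lineno}: {user} has no recognised crypt prefix"))
            elif scheme in WEAK:
                findings.add(("weak-scheme", f"line {lineno}: {user} uses {scheme}"))
    return sorted(findings)


def demo():
    """Audit a constructed sample: one MD5-crypt entry, one plaintext entry, mode 0644."""
    sample = "alice:$1$saltsalt$notARealDigestValue000\nbob:1234\n"  # constructed values
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pin.passwd")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        return audit_pwdfile(path, owner_uid=os.getuid())


if __name__ == "__main__":
    for code, detail in demo():
        print(f"{code}: {detail}")
```
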


#4 2019-06-21 05:31:10

mkomo
Member
Registered: 2019-05-15
Posts: 2

Re: Unlocking with pin password (à la Windows)

Thanks for sharing, been meaning to implement something like this.
