libpam module not compiling

@kalaspuffar not sure if there is a better place to put this, if there is could someone move it and such please.

I tried to compile your libpam_sqrl module and was met with a bunch of errors. https://pastebin.com/TLFRzAT3

I did fix an error in the /src/google_qrcode.c, line 29 where it has bool instead of _Bool, as soon as I can reconnect to github I can put that change in there. Unfortunately, I don't know the language well enough to parse it, but if there is anything I can do to assist without messing up the code too much I will try. I would love to see this work so I can demo the concept to my friends and peers.
 

PHolder

Can you provide the link to the source of the code? I assume it's a project on Daniel's github, but I don't want to make assumptions. Also this discussion probably belongs elsewhere than under the Android app... for now, failing anywhere better, under the development topic.
 

Once set this cannot be

libpam / sqrl integration is something that I am VERY EAGER to see. Unfortunately, my coding skills and available time don't allow me presently to help or create. I think the SSH / OS_login / whatever_else_libpam_integration_allows would be beneficial to many and I eagerly await its arrival.
 

PHolder

I think it's early days for that code yet, cause I see some hard coding, such as:
Code:
displayQRCode("sqrl://192.168.6.11:8080/sqrl?nut=5hqZKuHyq5t6y2ifoW3wPw", true);
 
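
The line PHolder quotes hard-codes both the server address and the nut. As an added example (not code from libpam_sqrl or from anyone in this thread), here is one way to build that URL fresh for each login attempt. It assumes a 16-byte random nut encoded as unpadded base64url, which gives the same 22-character shape as the value above; the function names and the sample authority are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define NUT_BYTES 16  /* assumption: 128-bit random nut */
#define NUT_CHARS 22  /* 16 bytes as unpadded base64url */

/* Unpadded base64url (RFC 4648, section 5); out receives a NUL-terminated string. */
static void b64url_encode(const unsigned char *in, size_t len, char *out)
{
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    size_t o = 0;
    for (size_t i = 0; i < len; i += 3) {
        size_t rem = len - i;
        unsigned long v = (unsigned long)in[i] << 16;
        if (rem > 1) v |= (unsigned long)in[i + 1] << 8;
        if (rem > 2) v |= in[i + 2];
        out[o++] = tbl[(v >> 18) & 63];
        out[o++] = tbl[(v >> 12) & 63];
        if (rem > 1) out[o++] = tbl[(v >> 6) & 63];
        if (rem > 2) out[o++] = tbl[v & 63];
    }
    out[o] = '\0';
}

/* Fill nut[NUT_CHARS + 1] from the kernel CSPRNG. Returns 0 on success. */
static int sqrl_new_nut(char *nut)
{
    unsigned char raw[NUT_BYTES];
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(raw, 1, sizeof raw, f) : 0;
    if (f) fclose(f);
    if (got != sizeof raw) return -1;  /* fail closed: never fall back to a fixed nut */
    b64url_encode(raw, sizeof raw, nut);
    return 0;
}

/* Build "sqrl://<authority>/sqrl?nut=<nut>". Returns 0, or -1 on error or truncation. */
static int sqrl_build_url(const char *authority, char *url, size_t url_len)
{
    char nut[NUT_CHARS + 1];
    if (!authority || !*authority || sqrl_new_nut(nut) != 0) return -1;
    int n = snprintf(url, url_len, "sqrl://%s/sqrl?nut=%s", authority, nut);
    return (n < 0 || (size_t)n >= url_len) ? -1 : 0;
}

int main(void)
{
    char url[128];  /* the authority below is a placeholder, not a real server */
    return (sqrl_build_url("sqrl.example.test:8080", url, sizeof url) == 0 && puts(url) >= 0) ? 0 : 1;
}
```

In a PAM module the authority would come from the module's arguments or configuration, and the server side has to remember each issued nut so it can match the client's response to the pending login.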

kalaspuffar

Hi everyone.

Yes, this is still a proof of concept and I've not had time to work on it the last weeks. I got a little discouraged when I wasn't able to show the QR code correctly through the login prompt for some odd reason.

I might take it up again soon but my focus is still on the Android and Wordpress implementations. If you want to pitch in the code is open for anyone to contribute, fork a.s.o.

Best regards
Daniel
 

Karl-Johan Karlsson

I posted a "pull request" where I fixed a number of problems that you could see by only looking at the warnings from the compiler. Unfortunately I have not really tested the code due to the hard coded stuff.
 

Jeffa

> Hi everyone.
>
> Yes, this is still a proof of concept and I've not had time to work on it the last weeks. I got a little discouraged when I wasn't able to show the QR code correctly through the login prompt for some odd reason.
>
> I might take it up again soon but my focus is still on the Android and Wordpress implementations. If you want to pitch in the code is open for anyone to contribute, fork a.s.o.
>
> Best regards
> Daniel

I had a go at a PAM for SQRL some time ago. I had the same issues.

The issue I had was that OpenSSH does not deal with the PAM conversation process as PAM would like. OpenSSH considers pretty much any form of interaction as part of auth as insecure.
 

Tad Guski

> I had a go at a PAM for SQRL some time ago. I had the same issues.
>
> The issue I had was that OpenSSH does not deal with the PAM conversation process as PAM would like. OpenSSH considers pretty much any form of interaction as part of auth as insecure.

I work with RHEL servers in Azure. We login from a bastion server to an internal server using Microsoft's Active Directory. I did not configure it, but when I SSH to the machine, it displays a one time code which I then paste into a field on an MS device login page in a browser. Once logged in on the web page, I go back to the SSH login and hit enter and I'm logged in. I repeat the process if I use sudo. I have no idea if this is using pam or not though. I'll have to look. It feels like this same mechanism/approach could be used for a SQRL type login. It's definitely interactive.
 

kalaspuffar

> I work with RHEL servers in Azure. We login from a bastion server to an internal server using Microsoft's Active Directory. I did not configure it, but when I SSH to the machine, it displays a one time code which I then paste into a field on an MS device login page in a browser. Once logged in on the web page, I go back to the SSH login and hit enter and I'm logged in. I repeat the process if I use sudo. I have no idea if this is using pam or not though. I'll have to look. It feels like this same mechanism/approach could be used for a SQRL type login. It's definitely interactive.

Correct, that's not an issue. I got the whole flow working with SQRL. Just showing a URL or QRCode and then login with the app and be logged into my session. Same for sudo. Sudo works even better because then I could show the QRCode inline.
 

Jeffa

> Correct, that's not an issue. I got the whole flow working with SQRL. Just showing a URL or QRCode and then login with the app and be logged into my session. Same for sudo. Sudo works even better because then I could show the QRCode inline.

Similar here, I based mine on the Google Authenticator pam, and displayed a link to a QR generator.

Did you just say you WERE able to display a QR at login though? Or did I misunderstand?

I never thought to check sudo. I bet that is nice!
 

kalaspuffar

Hi @Jeffa

I did the same as you, using the Google Authenticator and they had code for displaying QRCodes. Worked just fine as an executable but when trying to show it as a prompt in the login flow it came back as normal ASCII and not ANSI so could not use it there.

Later I've been thinking of trying to display QRCode on a small page using the same port as I use for the communication so I go around that issue. But I've been too busy lately to experiment more with it.

Best regards
Daniel