pam-typopw's People

Contributors

pnueli, rchatterjee, samscott89

pam-typopw's Issues

su fails to keep the session

su rahul creates a session and closes it immediately, not sure why.

[user@zenbook]$ su rahul
aDAPTIVE pASSWORD: 
[user@zenbook]$ [user@zenbook]$
Sep 28 09:08:41 rahul-zenbook su[11274]: Successful su for rahul by rahul
Sep 28 09:08:41 rahul-zenbook su[11274]: + /dev/pts/1 rahul:rahul
Sep 28 09:08:41 rahul-zenbook su[11274]: pam_unix(su:session): session opened for user rahul by rahul(uid=1000)
Sep 28 09:08:43 rahul-zenbook su[11274]: pam_unix(su:session): session closed for user rahul

Support for other keyboard layouts?

Does the adaptive typo-tolerance work for a non-US/non-standard layout? If so, is this detected automatically, or is there a configuration parameter to set somewhere? (The target user uses US/dvorak layout.)

Have expiring cache entries

Assign an expiry to each cache entry, so that typos that are not used in a long time are removed from the cache. This will definitely make room for new typos, and also remove one potential guess from the attacker's plate. Also, during warmup some typos are forcefully inserted in the cache, all of which might not be relevant for the user, and they are unnecessarily increasing the attack surface of some users (who rarely mistype their password).

(Suggested by Tom.)
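
A sketch of the expiry policy suggested above, added here as an example; it is not the project's code. The class name, the 30-day lifetime, the opaque entry ids and the injected clock are all assumptions made for illustration.

```python
import time

DAY = 86400  # seconds


class ExpiringTypoCache:
    """Hypothetical typo cache; entries are opaque ids, not plaintext typos."""

    def __init__(self, capacity, ttl, clock=time.time):
        self.capacity, self.ttl, self.clock = capacity, ttl, clock
        self.last_used = {}  # typo id -> time it last matched a login attempt

    def purge_expired(self):
        """Drop entries unused for longer than ttl; return the dropped ids."""
        now = self.clock()
        stale = [t for t, ts in self.last_used.items() if now - ts > self.ttl]
        for t in stale:
            del self.last_used[t]
        return stale

    def insert(self, typo_id):
        """Add an entry, evicting the least recently used one when full."""
        self.purge_expired()
        if typo_id not in self.last_used and len(self.last_used) >= self.capacity:
            del self.last_used[min(self.last_used, key=self.last_used.get)]
        self.last_used[typo_id] = self.clock()

    def accepts(self, typo_id):
        """True if the typo is still cached; a hit refreshes its expiry."""
        self.purge_expired()
        if typo_id in self.last_used:
            self.last_used[typo_id] = self.clock()
            return True
        return False


def demo():
    now = [0]  # fake clock so the run is deterministic
    cache = ExpiringTypoCache(capacity=3, ttl=30 * DAY, clock=lambda: now[0])
    for warmup in ("warmup-a", "warmup-b"):  # constructed warmup entries
        cache.insert(warmup)
    now[0] = 20 * DAY
    hit = cache.accepts("warmup-a")  # the user really makes this typo
    now[0] = 40 * DAY
    # warmup-a was refreshed on day 20 and survives; warmup-b was never used.
    return hit, cache.accepts("warmup-a"), cache.accepts("warmup-b")


if __name__ == "__main__":
    print(demo())
```
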

word2keypress

problem - the install script fails in installing word2keypress
"""
Installed /usr/local/lib/python2.7/dist-packages/adaptive_typo-1.0-py2.7.egg
Processing dependencies for adaptive-typo==1.0
Searching for word2keypress
Reading https://pypi.python.org/simple/word2keypress/
Best match: word2keypress 0.3
Downloading https://pypi.python.org/packages/36/5c/0b33769c91bca3cc59db091ff0c62deb088822900adc509bf29e9dce8cbd/word2keypress-0.3.tar.gz#md5=cb85ab3c2cf94ad6758fdbd26238f7bf
Processing word2keypress-0.3.tar.gz
Writing /tmp/easy_install-tFkpWR/word2keypress-0.3/setup.cfg
Running word2keypress-0.3/setup.py -q bdist_egg --dist-dir /tmp/easy_install-tFkpWR/word2keypress-0.3/egg-dist-tmp-Yg3X31
word2keypress/_keyboard.c:283:31: fatal error: numpy/arrayobject.h: No such file or directory
compilation terminated.
"""

solved it (for now) by downloading it manually via the website gui

failure of script

Sep 6 12:25:06 yuval-VirtualBox2 /usr/local/bin//pam_typotolerant.py[7254]: __import__('pkg_resources').run_script('adaptive-typo==1.0', 'pam_typotolerant.py')
Sep 6 12:25:06 yuval-VirtualBox2 /usr/local/bin//pam_typotolerant.py[7254]: File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 719, in run_script
Sep 6 12:25:06 yuval-VirtualBox2 /usr/local/bin//pam_typotolerant.py[7254]: self.require(requires)[0].run_script(script_name, ns)
Sep 6 12:25:06 yuval-VirtualBox2 /usr/local/bin//pam_typotolerant.py[7254]: File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1496, in run_script
Sep 6 12:25:06 yuval-VirtualBox2 /usr/local/bin//pam_typotolerant.py[7254]: raise ResolutionError("No script named %r" % script_name)
Sep 6 12:25:06 yuval-VirtualBox2 /usr/local/bin//pam_typotolerant.py[7254]: ResolutionError: No script named 'pam_typotolerant.py'

Reveal less meta password info

The current stored data leaks the password length and the entropy estimate. The former is leaked when the user accidentally enters a blank password (since the Hamming distance is therefore the entire password length).

Options seem to be:

  1. Make this data more granular (change hamming distance computation to 0-2 or 3+ or something).
  2. Show formally why this is unimportant.

The entropy estimate, for example, could potentially lead to a knapsack-like problem. Suppose a naive implementation simply assigns an entropy estimate to each character independently; then the letters of the password could be recovered by solving the knapsack of these per-character weights.
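
Option 1 above, worked through as an added example (not the project's code): it compares what a raw distance and a bucketed distance record when a blank password is submitted. The distance is computed as Levenshtein edit distance, which is an assumption since the issue only says "hamming distance"; the function names and the two sample passwords are constructed for illustration.

```python
def edit_distance(a, b):
    """Levenshtein distance by dynamic programming over one rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def bucketed_distance(a, b):
    """Coarse value as proposed in the issue: only '0-2' or '3+' is kept."""
    return "0-2" if edit_distance(a, b) <= 2 else "3+"


def stored_for_blank_entry(passwords):
    """(raw, bucketed) value each scheme would store for an empty submission."""
    return [(edit_distance("", pw), bucketed_distance("", pw))
            for pw in passwords]


# Constructed sample passwords of different lengths (8 and 15 characters).
SAMPLES = ["hunter2!", "correct-horse-9"]

if __name__ == "__main__":
    for pw, (raw, coarse) in zip(SAMPLES, stored_for_blank_entry(SAMPLES)):
        # The raw value equals len(pw); the bucketed value is the same for both.
        print(len(pw), raw, coarse)
```
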

'typtop' is overloaded with functionalities.

  • Split typtop into two modules typtopadmin (with root-only works) and typtop (for other functionalities).
  • Add some more functionalities, such as installing or changing policies, etc.

su closes session immediately after opening with Typtop

This bug is found in Debian and Ubuntu machines. The su session mysteriously closes immediately after opening. Seems something wrong with pam_typtop or the configuration.

Log from /var/log/auth.log.

Feb 22 05:49:27 rahul-zenbook su[25438]: pam_typtop(su:auth): called typtop with correct pw
Feb 22 05:49:27 rahul-zenbook su[25438]: pam_typtop(su:auth): returning PAM_SUCCESS.
Feb 22 05:49:27 rahul-zenbook su[25438]: Successful su for rahul by rahul
Feb 22 05:49:27 rahul-zenbook su[25438]: + /dev/pts/7 rahul:rahul
Feb 22 05:49:27 rahul-zenbook su[25438]: pam_typtop(su:setcred): called pam_sm_setcred. flag=2
Feb 22 05:49:27 rahul-zenbook su[25438]: pam_unix(su:session): session opened for user rahul by rahul(uid=1000)
Feb 22 05:49:27 rahul-zenbook su[25438]: pam_unix(su:session): session closed for user rahul
Feb 22 05:49:27 rahul-zenbook su[25438]: pam_typtop(su:setcred): called pam_sm_setcred. flag=4

sh: 0: getcwd() failed

This problem occurred mid-correction of a different problem, so might not be relevant

sudo apt-get install sqlite3
sh: 0: getcwd() failed: No such file or directory
sh: 0: getcwd() failed: No such file or directory
aDAPTIVE pASSWORD:
...
...
...
