
A PAM module to test SSH/SUDO passwords against HaveIBeenPwnd - stevekemp
https://github.com/skx/pam_pwned
======
LinuxBender
So anyone that uses sudo on the box it is installed on will be sending a hash
of their password to an API? What warning will users receive before putting in
their pw?

~~~
stevekemp
Sending the first five characters of the SHA1-hash of their password - not the
complete thing. (Though I appreciate that if you care about potential
privacy-leaks that might not be much of a mitigating factor.)

I would assume that this module would be installed explicitly and deliberately
by a company, organization, or group, and that the people who did that would
inform their users.

(i.e. I don't expect this would be randomly installed on a machine
accidentally. Though if you use a shared-hosting/shell-provider you probably
have bigger concerns than a side-effect of this being present.)
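The range ("k-anonymity") lookup described above, as an added illustration that is not code from pam_pwned itself: only five hex characters of the SHA-1 leave the host, and the remaining 35 are matched locally against the returned list. The sample response body and its counts are constructed for the example; `fetch_range` is the only part that talks to the network.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str):
    """Return (prefix, suffix): the first 5 and remaining 35 uppercase hex
    characters of the password's SHA-1. Only the prefix is ever sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, body: str) -> int:
    """Parse a 'SUFFIX:COUNT' response body and return the count for our
    suffix, or 0 if absent. Padded responses include decoy entries with a
    count of 0, so a zero count is treated the same as 'not found'."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count) if count.isdigit() else 0
    return 0


def fetch_range(prefix: str) -> str:
    """Live HTTPS call: fetch the hash range for one five-character prefix.
    HIBP requires a User-Agent; Add-Padding hides the true range size."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in the corpus (0 = not found).
    `fetch` is injectable so the comparison logic can be tested offline."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed sample body for prefix 5BAA6 (SHA-1 of "password" starts
# 5BAA61E4...). Real responses run to hundreds of lines; counts are made up.
SAMPLE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1E6F1E7B5C4A1D0B6B1C7E2A9F0D3C4B5A6:0
"""
```

Calling `pwned_count("password", fetch=lambda p: SAMPLE_RANGE_BODY)` returns 12345 without any network access; dropping the `fetch` argument performs the real lookup.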

~~~
LinuxBender
Fair enough :-) Would it be feasible to add something in the module that could
optionally send a string to the user to say that some portion of a hash of
their pw will be verified against that API?

I am thinking of the cases where a security org enables this on a jump box,
but only sends an email that gets lost among the myriad of other emails that
people do not read. It would be great if there was a banner that could be sent
to make privacy and compliance teams happier.

~~~
stevekemp
It wouldn't be impossible, but when I think of the automated-tools that would
drive sudo I'm wary of producing unexpected output by default.

I would guess that the kind of org that wanted this would probably be using
some kind of automation so they could issue the notification via /etc/issue,
/etc/issue.net, or similar central fashion.

Maybe I'm optimistic!

------
Ws32ok
Excellent. I was looking for a sane example of a PAM module involving HTTPS.

