suto - sudo touch

No longer works since modern distros have moved to using the yescrypt hash algorithm. We are working on a new implementation.

suto is a Linux PAM authenticator which uses Android phone biometrics to verify user credentials for granting super-user access.

This repository hosts the desktop module, written in C++, which Linux PAM calls for authentication. Networking is done with the Boost.Asio library.

How does it work?

This module makes UDP broadcasts. Clients can reply by opening a TCP channel with it and exchanging messages according to our defined protocol. After authentication, the module returns PAM_SUCCESS or PAM_AUTH_ERR depending on the result. For detailed information on our protocol, see PROTOCOL.md.

Dependencies

  • Boost C++ v1.67.0 or later
  • CMake v3.13 or later

Installation

git clone https://github.com/anjanik012/suto.git
cd suto
cmake -B build/ -DCMAKE_INSTALL_PREFIX='/usr'
make -C build/ -j$(nproc)
sudo make -C build/ install

Installation with Debug logs enabled

git clone https://github.com/anjanik012/suto.git
cd suto
cmake -B build/ -DCMAKE_INSTALL_PREFIX='/usr' -Dlogging=1
make -C build/ -j$(nproc)
sudo make -C build/ install

After placing the module in the right place for Linux to call, we need to tell PAM applications to call our module before the system default module.

Each application keeps its PAM configuration in /etc/pam.d.

Choose whichever application you want to authenticate with suto and open its config file.

I'm choosing su.

Add a line

auth sufficient libpam_suto.so

Now, whenever you run su, our PAM module will be called for authentication.

To test this, we have a Python script in tests/.
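The edit described above can be scripted and checked. The following is an added example, not code from the suto repository: the function names are hypothetical, and treating a Debian-style "@include ...auth" line as part of the auth stack is an assumption. Because the control flag is sufficient, a success from suto ends the auth stack without the password prompt, so the check reports whether suto really is the first auth entry.

```shell
#!/bin/sh
# Added example, not part of suto. Function names are hypothetical.
SUTO_LINE='auth sufficient libpam_suto.so'

# Shared awk helpers. Assumption: "@include <...auth...>" pulls in auth
# modules (Debian layout), so it counts as an auth entry for ordering.
AWK_LIB='
function is_auth(   t) {
    if ($0 ~ /^[ \t]*#/ || NF == 0) return 0   # comment or blank line
    t = $1; sub(/^-/, "", t)                   # "-auth" is still auth
    return t == "auth" || (t == "@include" && $2 ~ /auth/)
}
function is_suto() { return is_auth() && $3 ~ /(^|\/)libpam_suto\.so$/ }
'

# suto_pam_position FILE -> prints absent | first | late
# "late" means another auth entry runs before suto.
suto_pam_position() {
    awk "$AWK_LIB"'
        is_auth() { n++ }
        is_suto() { pos = (n == 1) ? "first" : "late"; print pos; found = 1; exit }
        END { if (!found) print "absent" }
    ' "$1"
}

# suto_pam_enable FILE
# Puts SUTO_LINE ahead of the first auth entry, removing any misplaced
# copy. Idempotent; saves the previous content as FILE.bak.
suto_pam_enable() {
    [ "$(suto_pam_position "$1")" = first ] && return 0
    tmp=$(mktemp) || return 1
    awk -v line="$SUTO_LINE" "$AWK_LIB"'
        is_suto() { next }
        !ins && is_auth() { print line; ins = 1 }
        { print }
        END { if (!ins) print line }
    ' "$1" > "$tmp" && cp -p "$1" "$1.bak" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run as root, for example suto_pam_enable /etc/pam.d/su, and keep a root shell open until a fresh su has been tested; restore from the .bak file if it fails.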

TO-DO

  • Try adding a D-Bus daemon that keeps the connection alive with the device
  • Use encrypted channels for communication
  • Clear unnecessary logging
  • Create a standalone executable which calls the module
  • Android module is Work-in-Progress