8000
Skip to content

vvindetta/paw

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits
crates
crates
 
 
modules
modules
 
 
password_hasher
password_hasher
 
 
.gitignore
.gitignore
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
screenshot.jpg
screenshot.jpg
 
 

Repository files navigation

Multi-factor for PAM. GNU+Linux auth with modules in any combination.

screenshot.jpg

PAW is designed to avoid exposing the main system password when operating in an unsafe environment. Use it instead with a combination such as a secondary-password + fingerprint. GrapheneOS-like authentication on your GNU/Linux system.

Roadmap:

  • minimum number of successfully passed modules option

Modules:

  • Password
  • Fingerprint
  • Faceid
  • NFC
  • Trusted Bluetooth/Wi-Fi networks

How to install

Install paw as a PAM module

  1. Find the PAM modules directory on your system. Common paths:

    • /usr/lib64/security (Fedora-based distros)
    • /usr/lib/security (many Debian/Ubuntu-based distros)

  2. Install pam_paw.so into that directory:

sudo install -m 0644 -o root -g root pam_paw.so /usr/lib64/security/pam_paw.so

Install paw submodules

  1. Create the paw directory inside the PAM security directory:
sudo mkdir /lib64/security/paw
  1. Place paw modules in it:
sudo install -m 0644 -o root -g root paw_fingerprint.so /usr/lib64/security/paw_fingerprint.so

sudo install -m 0644 -o root -g root paw_password.so /usr/lib64/security/paw_password.so

Config

Create /etc/paw.conf

sudo $EDITOR /etc/paw.conf

Format (one module per line):

path_to_paw_module attemps_number

Default attempts_number is 3 if omitted. Order in the config affects the execution sequence.

Config example:

/lib64/security/paw/paw_password.so
/lib64/security/paw/paw_fingerprint.so 5

Edit PAM Configuration

To enable paw in a real PAM service, edit the corresponding file in /etc/pam.d/.

Example for sudo:

Add this line to /etc/pam.d/sudo:

auth    sufficient    pam_paw.so

PAM has control flags for every module:

requisite

  • Like required, but if it fails: stop immediately and return failure.
  • If it succeeds: continues.

required

  • If it fails: authentication will fail, but PAM continues running the rest of the stack.
  • If it succeeds: continues.
  • Final result: any required failure makes the whole stack fail.

sufficient

  • If it succeeds: stop immediately and return success (if no prior required/requisite failed).
  • If it fails: ignore the failure and continue.

optional

  • Success/failure usually does not affect the result unless it is the only module in that stack.

Testing

  1. Install pamtester via your system package manager

  2. Create and edit /etc/pam.d/paw_testing:

auth    required    pam_paw.so
account required    pam_permit.so
  1. Run

pamtester paw_testing $USER authenticate

Build

  1. Install pam lib
# Debian / Ubuntu
sudo apt install -y libpam0g-dev

# Fedora
sudo dnf install -y pam-devel

# Arch
sudo pacman -S --needed pam
  1. Git clone

git clone https://codeberg.org/vvindetta/paw.git && cd paw

  1. Build

cargo build

The build will be available inside paw/target/debug

Main PAM module (controls submodules):

libhost.so -> pam_paw.so

Submodules:

libpaw_fingerprint.so -> paw_fingerprint.so

libpaw_password.so -> paw_password.so

About

Multi-factor for PAM. GNU+Linux auth with modules in any combination.

codeberg.org/vvindetta/paw

Topics

linux fingerprint-authentication pam-module multifactor-authentication

Resources

Readme

License

View license
Activity

Stars

4 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

1.0 Latest
Feb 14, 2026

Contributors

Languages
0