Linux Authentication with a NFC tag
What is this post about?
Hey Linux people. :3
You are interested in Linux, would like to see smarter/more secure authentication, or you are a cyborg?
Then this post is exactly the right one for you, go ahead! :)
This post will show an example of how PAM (Pluggable Authentication Modules) can be used, a small self-written tool to handle authentication with an NFC reader, and some need-to-know things about NFC. :3
About me / what is a NFC tag
Foremost, I wanna explain who I am and what "my problem" was.
I've been a cyborg for ~10 years; in my hand there is an NFC implant.
An NFC implant is just a small microchip the size of a grain of rice.
The special thing about that chip is that it has a unique ID, which I will use later on. :3
The idea behind that chip is to authenticate me as a person.
For example, opening the door in my apartment.
Do you know companies with that secure and fancy round key fob?
That small plastic chip you hold against a terminal to open the door?
That's exactly an NFC tag; an NFC tag can be a key ring, a card, or in my case an implanted chip.
What have you done?!
Like I said, I can open my front door just with my hand (the NFC chip in it), so I was annoyed at having to type in my password every time I lock my screen or authenticate against sudo.
So I had the idea: "hey, why couldn't I just use my NFC implant to authenticate myself?"...
After looking at how Linux handles authentication, I saw it's quite easy:
just write a small Python script and edit the PAM file.
And voilà, my first tool was done, but I wasn't really happy with my shitty Python script. ^^"
After years of procrastination, I rewrote my python snippet into Rust.
And that's what I wanna share with all of you. :3
What the tool does is let you authenticate yourself just with an NFC tag.
Hold the tag against the reader, press enter after typing your sudo command or username and that's it!
No more annoying password typing.
And yes, for all people who are paranoid, you can use it as two-factor authentication.
So you would need to type in your password AND authenticate with the NFC tag. :3
Fun fact: I had enough room in my laptop to build in an NFC reader, just behind/under the keyboard. On my main working machine, I have an NFC reader stuck under my desk (which feels more natural to hold my hand against).
How does the tool work?
The small tool (I call it pam_nfc) is quite simple.
In the add process, the scanned UID is hashed with bcrypt and stored together with the username in /etc/shadow_nfc;
the syntax is very similar to the /etc/shadow approach.
After adding a user, the verify process (which will be used every time you authenticate) works as intended.
Just hold the tag against an NFC reader and run pam_nfc; the tool checks whether the scanned UID is in
/etc/shadow_nfc for the given user. If the UID is in there, the tool returns success, otherwise it returns failure.
So this small tool just needs to be added to PAM (the authentication system in Linux).
PAM does exactly that: it runs the script and checks the return status. :)
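As an added illustration of the add/verify flow described above (example code, not pam_nfc's own), here is a Python model of a shadow_nfc-style file. It assumes the line format `username:hash` and swaps bcrypt for the standard-library hashlib.scrypt so it runs without extra packages.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for pam_nfc's storage: the real tool hashes the tag
# UID with bcrypt; this example uses hashlib.scrypt (standard library) so it
# runs offline. Each shadow line is "username:hash", modelled on /etc/shadow.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def hash_uid(uid: bytes, salt: bytes = b"") -> str:
    """Return a self-describing "$scrypt$<salt>$<digest>" string (base64 parts)."""
    salt = salt or os.urandom(16)  # fresh random salt per stored UID
    digest = hashlib.scrypt(uid, salt=salt, **SCRYPT_PARAMS)
    return "$scrypt$%s$%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def check_uid(uid: bytes, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        _, scheme, salt_b64, digest_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        digest = base64.b64decode(digest_b64)
    except ValueError:
        return False  # a malformed entry never authenticates
    return hmac.compare_digest(hashlib.scrypt(uid, salt=salt, **SCRYPT_PARAMS), digest)


def add_user(shadow_text: str, user: str, uid: bytes) -> str:
    """The add step: replace any existing line for `user` and return the new file text."""
    kept = [l for l in shadow_text.splitlines() if l and l.split(":", 1)[0] != user]
    kept.append(f"{user}:{hash_uid(uid)}")
    return "\n".join(kept) + "\n"


def verify_user(shadow_text: str, user: str, uid: bytes) -> bool:
    """The verify step: True only if `user` has a line and its hash matches `uid`."""
    for line in shadow_text.splitlines():
        name, _, stored = line.partition(":")
        if name == user:
            return check_uid(uid, stored)
    return False  # unknown user fails, like a missing /etc/shadow entry


def pam_exit_status(shadow_text: str, user: str, uid: bytes) -> int:
    """Exit code as PAM sees it when it runs the tool: 0 = success, 1 = failure."""
    return 0 if verify_user(shadow_text, user, uid) else 1
```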
Where code?!
The entire code is open source and can be found under: https://gitlab.com/kerkmann/pam_nfc/
You can build it yourself or just install the prebuilt binary. :)
Also, the installation process and how to set up PAM to work with that tool is (hopefully well) documented in the repository.
Thanks for reading it
If you have read this far, thank you very much for your time! :)
I hope you like the idea behind that tool, and I would like to hear about your opinions.
I would also like to hear any good ideas to improve the tool; all contributors are welcome! <3
Would you use such a tool?
Do you need help to set it up or have some questions?