Background: I have written a password generator that works as follows:
- Generate 130 random bits
- Interpret random bits as 26 elements of GF(32)
- Use the elements as coefficients to construct a 25th degree polynomial
- Evaluate the polynomial for all 32 possible inputs
- Encode the result using a modified base32 encoding
This gives me strong passwords (130 bits of entropy) where a few typos while entering the password can be tolerated without compromising security.
So far I have integrated the error correction part of the algorithm with the ssh-add command; this is working flawlessly. Now I'd like the same smooth usage for my login password.
Question: Is it possible to write a pam module which changes the password as entered by the user before it is seen by other modules? In particular I would like to ensure that ecryptfs sees the corrected password, such that the home directory can be mounted after my algorithm has corrected a typo in the password entered by the user.
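
The generation steps listed in the question, as an added sketch that is not the poster's code. The post does not give the field's reduction polynomial or the modified base32 alphabet, so x^5 + x^2 + 1 and the lowercase RFC 4648 alphabet are assumptions, and all function names are illustrative.

```python
import secrets

# Assumptions, not stated in the post: GF(32) uses the reduction polynomial
# x^5 + x^2 + 1, and the alphabet is plain lowercase RFC 4648 base32.
REDUCTION = 0b100101
ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"

def gf_mul(a, b):
    """Multiply two GF(32) elements: carry-less multiply with reduction."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a & 0b100000:      # degree reached 5, reduce back below 32
            a ^= REDUCTION
    return result

def evaluate(coeffs, x):
    """Horner evaluation over GF(32); coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c   # addition in GF(2^k) is XOR
    return acc

def bits_to_coeffs(bits):
    """Split a 130-bit integer into 26 five-bit field elements."""
    return [(bits >> (5 * i)) & 31 for i in range(26)]

def encode(coeffs):
    """Evaluate the polynomial at all 32 inputs and map values to characters."""
    return "".join(ALPHABET[evaluate(coeffs, x)] for x in range(32))

def generate_password():
    return encode(bits_to_coeffs(secrets.randbits(130)))

def distance(a, b):
    """Number of character positions in which two passwords differ."""
    return sum(x != y for x, y in zip(a, b))

if __name__ == "__main__":
    print(generate_password())
```

Two distinct polynomials of degree at most 25 agree on at most 25 inputs, so any two passwords produced this way differ in at least 7 of their 32 characters, which is what lets a decoder correct up to 3 mistyped characters unambiguously.
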
There is no obvious way to do this as a separate module. But it can be done with a simple modification to the pam_unix module.
Towards the end of pam_sm_authenticate() in modules/pam_unix/pam_unix_auth.c the following code is found:
This can be modified to apply the error correction I need: