Can a pam module modify the password typed by the user before it is seen by other modules?

Background: I have written a password generator that works as follows:

  • Generate 130 random bits
  • Interpret random bits as 26 elements of GF(32)
  • Use the elements as coefficients to construct a 25th-degree polynomial
  • Evaluate the polynomial for all 32 possible inputs
  • Encode the result using a modified base32 encoding

This gives me strong passwords (130 bits of entropy) where a few typos while entering the password can be tolerated without compromising security.

So far I have integrated the error correction part of the algorithm with the ssh-add command; this is working flawlessly. Now I'd like the same smooth usage for my login password.

Question: Is it possible to write a pam module which changes the password as entered by the user before it is seen by other modules? In particular, I would like to ensure that ecryptfs sees the corrected password, such that the home directory can be mounted after my algorithm has corrected a typo in the password entered by the user.

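In coding-theory terms the generator in the question is a [32, 26] Reed-Solomon code over GF(32): 26 coefficients, 32 evaluations, so any 26 correct symbols determine the polynomial, and the minimum distance is 32 - 26 + 1 = 7. The following added example (not the asker's code) implements the five encoding steps and recovers a password from up to 6 positions the user marks as unreadable with `?`, which is the erasure case of that correction capacity. The field polynomial x^5 + x^2 + 1 and the 32-character alphabet are assumptions, since the question names neither.

```python
# GF(32) = GF(2)[x] / (x^5 + x^2 + 1); elements are ints 0..31.  The modulus
# and the alphabet are assumptions: the question does not state which it uses.
MODULUS = 0b100101
ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"  # constructed: no 0/O, 1/l

def gf_mul(a, b):
    r = 0
    while b:            # carry-less multiply, reduce by MODULUS when bit 5 is set
        if b & 1:
            r ^= a
        b, a = b >> 1, a << 1
        if a & 0x20:
            a ^= MODULUS
    return r

def gf_inv(a):
    r = 1
    for _ in range(30):  # a^30 == a^-1: the multiplicative group has order 31
        r = gf_mul(r, a)
    return r

def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):      # Horner: sum(coeffs[i] * x^i) over GF(32)
        acc = gf_mul(acc, x) ^ c
    return acc

def encode(random_bits):
    """130 bits -> 26 coefficients -> evaluate at all 32 field elements -> 32 chars."""
    coeffs = [(random_bits >> (5 * i)) & 31 for i in range(26)]
    return "".join(ALPHABET[poly_eval(coeffs, x)] for x in range(32))

def recover(typed):
    """Rebuild the password from a 32-char string whose unreadable positions are
    '?': any 26 trusted (x, y) pairs fix the degree-25 polynomial (Lagrange)."""
    known = [(x, ALPHABET.index(ch)) for x, ch in enumerate(typed) if ch != "?"][:26]
    if len(known) < 26:
        raise ValueError("need at least 26 trusted symbols")
    coeffs = [0] * 26
    for i, (xi, yi) in enumerate(known):
        basis, denom = [1], 1        # L_i(x) = prod_{j!=i} (x - x_j) / (x_i - x_j)
        for j, (xj, _) in enumerate(known):
            if j != i:               # basis *= (x + x_j); subtraction is XOR here
                shifted, scaled = [0] + basis, [gf_mul(c, xj) for c in basis] + [0]
                basis = [s ^ t for s, t in zip(shifted, scaled)]
                denom = gf_mul(denom, xi ^ xj)
        scale = gf_mul(yi, gf_inv(denom))
        for k, b in enumerate(basis):
            coeffs[k] ^= gf_mul(b, scale)
    return encode(sum(c << (5 * i) for i, c in enumerate(coeffs)))
```

`encode(secrets.randbits(130))` produces a fresh password; typos at unknown positions need a full Reed-Solomon decoder (e.g. Berlekamp-Welch), which this example omits, and distance 7 bounds that at 3 such errors.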
There is no obvious way to do this as a separate module. But it can be done with a simple modification to the pam_unix module.

Towards the end of pam_sm_authenticate() in modules/pam_unix/pam_unix_auth.c the following code is found:

    /* verify the password of this user */
    retval = _unix_verify_password(pamh, name, p, ctrl);
    name = p = NULL;

This can be modified to apply the error correction I need:

    /* verify the password of this user */
    retval = _unix_verify_password(pamh, name, p, ctrl);
    if (retval == PAM_AUTH_ERR) {
        /* first attempt failed: correct likely typos in p, then
           verify once more with the corrected password */
        apply_error_correction(p);
        retval = _unix_verify_password(pamh, name, p, ctrl);
    }
    name = p = NULL;