PAM Authentication via LIRC
pam_lirc is a PAM authentication module that lets you type your password on a remote control supported by LIRC.
Example usage in PAM config file:
auth sufficient pam_lirc.so
auth required pam_unix.so nullok_secure try_first_pass
Usually, you want this module as the first 'auth' module. Unintuitively, it will always fail, since it does not do the authentication itself. The only thing it does is read and set the password. The next 'auth' module should then be used with the 'try_first_pass' option, reading that password and doing the actual authentication.
pam_lirc is tested with 'su' and 'gdm' and probably works with most other services, too. It was mainly designed to be used with an HTPC login via gdm after booting.
Technical Details
The module can either read input only from LIRC, or from the normal converse loop (usually keyboard input) plus IR input.
If you only read from one source, from LIRC, everything is clean and fine, since PAM is perfectly suited to do so.
However, the PAM interface is quite limited, so reading from two sources at once can only be achieved with some magic, unfortunately, since PAM assumes a monolithic, sequential, single function to do the whole password input. Adding an additional loop requires two threads, and if one of the threads exits, there is no clean way of interrupting the other one.
So basically, this module uses a hack to stop the second thread, because PAM is too limited to allow for a clean way (if you know a clean way, I am very interested). But at least, it uses the same technique as other input modules, e.g. the Thinkpad Fingerprint PAM module: by default it artificially hits the return key via the 'uinput' interface. So the uinput kernel module must be loaded.
This module checks that it faces a local login, otherwise it passes control to the next PAM auth module (it would neither make sense to access local IR commands for remote login, nor would it make sense to hit the local return key in that case).
This module will not work together with other input-extending modules like the mentioned Thinkpad Fingerprint module: only one such hack can work at the same time. For a clean way, we'd need PAM to define a way to run several threads in parallel natively with a well-defined interface to stop them.
Still: enjoy!
When transmitting valuable passwords via IR signals, close your window shutters to prevent eavesdropping. :-)
Display Manager
'gdm' login was tested. You probably want to use the user=... option in order to force a user when LIRC was used to enter the password:
... auth sufficient pam_lirc.so user=mythtv ...
This will always set the user mythtv when a password is typed on the remote control, so you need no keyboard interaction at all.
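The stacking described on this page (pam_lirc only sets the password and always fails, the next module picks it up via 'try_first_pass', remote logins are passed on untouched, and user=... forces the account) can be modelled in a few lines of Python. This is an added example, not pam_lirc's own code, which is a C PAM module. The `authenticate` evaluator, the handle dictionary and its keys, and the account table are constructed for the illustration, and the sufficient/required handling is simplified.

```python
import hmac

# Constructed account table for this model (not real credentials).
SHADOW = {"mythtv": "4711", "alice": "correct horse"}

def pam_lirc(h, opts):
    """Model of pam_lirc as described: set the password, never authenticate."""
    if h.get("rhost"):        # remote login: leave everything to the next module
        return False
    if h.get("ir_keys"):      # keys typed on the remote control
        h["authtok"] = h["ir_keys"]
        if "user" in opts:    # user=... forces the account for IR logins
            h["user"] = opts["user"]
    return False              # always fails; 'sufficient' ignores the failure

def pam_unix(h, opts):
    """Model of a password-checking module that honours try_first_pass."""
    def ok(pw):
        stored = SHADOW.get(h.get("user"), "")
        return bool(pw and stored) and hmac.compare_digest(pw.encode(), stored.encode())
    if "try_first_pass" in opts and ok(h.get("authtok")):
        return True
    return ok(h.get("keyboard"))  # otherwise fall back to the normal prompt

STACK = [("sufficient", pam_lirc, {"user": "mythtv"}),
         ("required", pam_unix, {"try_first_pass": True})]

def authenticate(h, stack=STACK):
    """Evaluate 'auth' lines with simplified sufficient/required semantics."""
    failed = succeeded = False
    for control, module, opts in stack:
        result = module(h, opts)
        if control == "sufficient":
            if result and not failed:
                return True   # a successful sufficient module ends the stack
            continue          # a failed sufficient module changes nothing
        if result:
            succeeded = True
        else:
            failed = True     # required failure: stack continues, login is denied
    return succeeded and not failed

if __name__ == "__main__":
    print(authenticate({"ir_keys": "4711"}))                        # IR login
    print(authenticate({"user": "alice", "keyboard": "correct horse"}))
    print(authenticate({"user": "mythtv", "rhost": "192.0.2.7", "ir_keys": "4711"}))
```

The last call shows why the local-login check matters: with a remote host set, keys pressed on the local remote control never become the password for that session.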
Screensaver
Next problem: we need to make the screensaver enter the PAM loop immediately instead of waiting for a key hit.
Bugs
Report Problems
Please be so kind as to give me feedback on all bugs and quirks: compilation issues, failures, crashes, missing features.
Changes
- Version 2
  - bug fix: improved PAM conformity: should work with most services now, tested su, GDM, SLiM under Debian/Ubuntu
  - bug fix: For the 'hit_cr' hack: press two keys by default: 'a' and CR for login procedures requiring at least one character (e.g. for a user name), e.g. SLiM.
  - bug fix: The 'hit_cr' hack now supports Dvorak keyboards (and many others, hopefully) by pressing 'Keypad Enter' instead of 'Enter' and allowing to set the keycode if that is still not good (options key1=... and key2=...).
  - bug fix: Fixed memory leaks.
  - feature: Provided config file for iMON-PAD and mceusb remote controls, and wrote guidelines on how to write lirc config files.
  - feature: added user=... to set a fixed user when logging in via LIRC (e.g. at GDM prompt)
  - feature: added debug option
  - feature: added syslog support (native and via PAM, depending on PAM version)
- Version 1
  - initial release